Microsoft Tech Community

Microsoft Sentinel Threat Intel API - IOC Syntax


I am having some trouble with the threat intel API and the syntax for the indicator object. I have even tried copying examples from various forums and Google searches, but nothing has worked yet.


Right now, I am trying the minimal amount of settings I possibly can:


tiBody = {
    "kind": "indicator",
    "properties": {
        "name": "File hash for malware variant",
        "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
        "pattern_type": "stix",
    }
}


But I always get this error:


{'error': {'code': 'BadRequest',
'message': "STIX Object of type 'indicator' must provide a value for the required property 'pattern_type'"}}


Clearly, I have pattern_type in the body and I have tried variations such as "stix", "file", "file:hashes", etc.


Any suggestions? 


Python Notebook:,json=tiBody,headers=headers2)


headers2 = {
    "Authorization": bearer
}

tiURL = f'{subscription}/resourceGroups/{resourceGroup}/providers/M...'


Any help is appreciated. 



