cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Updating existing ThreatIndicator

sirkillnotalot
Copper Contributor

‎May 25 2022 06:29 AM

‎May 25 2022 06:29 AM

Updating existing ThreatIndicator

Hi all,

 

Has anyone had any success with updating an existing ThreatIndicator via REST?

Threat Intelligence Indicator - Create - REST API (Azure Sentinel) | Microsoft Docs

 

Creating an indicator is fine:

sirkillnotalot_1-1653484724915.png

 

But when I try to update it using the same name/id and the example RequestBody in the docs:

 

sirkillnotalot_2-1653484979536.png

 

From what I understand data.id is the ARM id for the indicator

 

 

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/{name}

 

 

but neither id, nor data.id are required parameters in the request.body

 

I get the feeling I've been looking at this so long I've missed something obvious...any ideas?

785 Views
0 Likes
2 Replies
Reply
2 Replies
Gary Bushey

‎May 25 2022 07:05 AM

‎May 25 2022 07:05 AM

Re: Updating existing ThreatIndicator

Unless you are using the wrong parameters for sub, workspace and/or resource group, it looks correct. You should be using the "name" value as the ID.
2 Likes
Reply
sirkillnotalot

‎May 25 2022 07:46 AM

‎May 25 2022 07:46 AM

Re: Updating existing ThreatIndicator

@Gary Bushey 

I wish that was the case!

 

I store the baseUri, sub, rg, and workspace as an Environment variable in Postman and the requests have a pre-request script run that concats these and populates the {{apiEndpoint}} variable:

 

let baseUri = pm.environment.get("baseUri");
let subscriptionId = pm.environment.get("subscriptionId") ;
let resourceGroupName = pm.environment.get("resourceGroupName");
let workspaceName = pm.environment.get("workspaceName");
uri = baseUri+"/subscriptions/"+subscriptionId+"/resourceGroups/"+resourceGroupName+"/providers/Microsoft.OperationalInsights/workspaces/"+workspaceName+"/providers/Microsoft.SecurityInsights";
pm.environment.set("apiEndpoint", uri);

 

So the {{apiEndpoint}} that was used for the POST request to create the indicator is the same as the one being used to PUT the update, as well as in other calls to Sentinel.

 

To sanity check it though I can confirm that it's being populated as:

https://management.azure.com/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft....

 

So in the example the request really should just be a

PUT request to {{apiEndpoint}}/threatIntelligence/main/indicators/3a2525cd-35f5-48e7-fbb7-e3df8f6a6a95?api-version=2021-10-01 with my request.body

 

Sentinel allows indicators to use values/patterns it already knows about, and there's lots of overlap between various OSINT feeds, so I was hoping to create my own input validation using something like

the externalId or externalRef bound to the UUID in MISP or whatever to prevent duplication and just update/refresh existing.

 

Thinking a workaround for this is to just POST to /queryIndicators?api-version=2021-10-01-preview with keyword then delete and re-create the matching IOC as use case here is to prevent duplicates from systems like MISP, whereby a modified attribute in MISP would update the timestamp so an interval based restSearch on timestamp would pick up a pre-ingested IOC.

 

More than open to suggestions if there's a better method though.

 

0 Likes
Reply