Why am I getting error 400 with message while creating TI indicators

Copper Contributor

Why am I getting error 400 with message Error:{'error': {'code': 'BadRequest', 'message': 'Failed to write indicator to backend. Please try again'}}. while creating Threat Intelligence indicators in Microsoft Sentinel.

 

I am trying to create Threat Intelligence indicators in Microsoft Sentinel, but as I am having lots of data, I am using asyncio to make the http calls asynchronously. But some indicators are failing with status code 400 and the error as {'error': {'code': 'BadRequest', 'message': 'Failed to write indicator to backend. Please try again'}}. Please provide a solution.

4 Replies
Are you using the latest api (Stable or preview) https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/threat-intelligence-indicator/cre...

If some are working, I'd be suspecting some timeout, can you add a pause or reduce the count of updates?

@Clive_Watson 

Yes I am using the latest preview version. Some indicators are working, but some fail like out of 100, 3 or 4 will fail, which will generally be the indicators with pattern type and pattern values same as some indicator already in Threat Intelligence, so is this some limitation of the api??

Furthermore can you let me know the limit of concurrent requests allowed on the api??
Hello Deepak,

I have same query, have you got any resolution for this error,

I used while loop until it show status 200 and it is working, but is there any other solution.

Also have you got anything on limit part, and does it count auth request and create indicator request.