Microsoft Sentinel Threat Intel API - IOC Syntax

Copper Contributor

I am having some trouble with the threat intel API and the syntax for the indicator object. I have even tried copying examples from various forums and Google searches, but nothing has worked yet.

Right now, I am trying the minimal amount of settings I possibly can:

tiBody = {
    "kind": "indicator",
    "properties": {
        "name": "File hash for malware variant",
        "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
        "pattern_type": "stix",
    }
}

But I always get this error:

{'error': {'code': 'BadRequest',
'message': "STIX Object of type 'indicator' must provide a value for the required property 'pattern_type'"}}

Clearly, I have pattern_type in the body, and I have tried variations such as "stix", "file", "file:hashes", etc.

Any suggestions?

Python Notebook:

requests.post(tiURL, json=tiBody, headers=headers2)

headers2 = {
    "Content-Type": "application/json",
    "Authorization": bearer
}

tiURL = f'https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/M...'


Any help is appreciated.

Thanks,

Matt

0 Replies
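Added example (not from the post and not Microsoft's code): a small Python helper that builds the indicator body with the camelCase property names (`patternType`, `displayName`, `source`, `threatTypes`, `validFrom`) that the Azure REST reference lists for the createIndicator endpoint, and validates a body before it is sent, so a snake_case key like the post's `pattern_type` is flagged locally instead of by a BadRequest response. The camelCase naming, deriving `patternType` from the STIX object type in the pattern ("file" for an MD5 hash), and the narrowed STIX pattern check are all assumptions made here.

```python
import re
from datetime import datetime, timezone

# Property names the createIndicator REST body uses (assumption: camelCase as in the
# Azure REST reference, so a body carrying "pattern_type" reads as missing "patternType").
REQUIRED_PROPERTIES = ("displayName", "pattern", "patternType", "source", "threatTypes", "validFrom")

# One STIX comparison expression: [<object-type>:<path> <op> <value>] (constructed, narrowed check)
STIX_PATTERN_RE = re.compile(r"^\[(?P<otype>[a-z0-9]+(?:-[a-z0-9]+)*):\S+ (=|!=|<|>|<=|>=|IN|LIKE|MATCHES) .+\]$")


def validate_indicator(body):
    """Return a list of problems with a createIndicator body; an empty list means it looks acceptable."""
    problems = []
    if body.get("kind") != "indicator":
        problems.append("kind must be 'indicator'")
    props = body.get("properties", {})
    for key in REQUIRED_PROPERTIES:
        if not props.get(key):
            problems.append(f"required property '{key}' is missing")
    pattern = props.get("pattern", "")
    match = STIX_PATTERN_RE.match(pattern)
    if not match:
        problems.append(f"pattern {pattern!r} is not a STIX comparison expression")
    elif props.get("patternType") and props["patternType"] != match.group("otype"):
        # Assumption: patternType names the observable type used in the pattern ("file", "url", ...).
        problems.append(f"patternType {props['patternType']!r} does not match {match.group('otype')!r}")
    return problems


def build_indicator(display_name, pattern, source, threat_types, valid_from=None, **extra):
    """Build a request body with the expected property names, deriving patternType from the pattern."""
    match = STIX_PATTERN_RE.match(pattern)
    if valid_from is None:  # the API expects an ISO 8601 UTC timestamp
        valid_from = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    body = {
        "kind": "indicator",
        "properties": {
            "displayName": display_name,
            "pattern": pattern,
            "patternType": match.group("otype") if match else "",  # "file" for the MD5 pattern above
            "source": source,
            "threatTypes": list(threat_types),
            "validFrom": valid_from,
            **extra,  # optional properties, e.g. confidence=50 or description="..."
        },
    }
    problems = validate_indicator(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body
```

Running validate_indicator on the tiBody from the post lists every missing camelCase property, and the dict returned by build_indicator can be passed as json= to the requests.post call shown above.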