Azure / azure-cli

Azure Command-Line Interface
MIT License

Incomplete output of the command 'az sentinel threat-indicator list' #29833

Open winnie008 opened 2 weeks ago

winnie008 commented 2 weeks ago

Describe the bug

We are trying to use an experimental extension: az sentinel threat-indicator list.

There's a parameter --skip-token for large datasets but the output of the extension does not provide the nextLink. e.g. --top 500 to list the threat indicators in batches of 500 (have 7122 in total).

Is this a bug? It would be helpful to provide an example of: 1) How to use the az sentinel threat-indicator list extension? 2) What is the expected output (what does this nextLink look like in the output)? 3) Check if the extension is working as intended.

Related command

az sentinel threat-indicator list --resource-group $resourceGroupName --workspace-name $workspaceName --top "1" --output json

Errors

Output (no nextLink element?):

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

    [
      {
        "created": "2024-08-28T02:15:01.9277641Z",
        "description": "xxx",
        "displayName": "xxx",
        "etag": "\"xxx\"",
        "externalId": "xxx",
        "externalLastUpdatedTimeUtc": "2024-08-28T02:15:01.9277641Z",
        "id": "xxx",
        "kind": "indicator",
        "labels": [ "xxx", "xxx" ],
        "lastUpdatedTimeUtc": "2024-08-28T02:15:01.9281699Z",
        "name": "xxx",
        "parsedPattern": [
          {
            "patternTypeKey": "file",
            "patternTypeValues": [
              { "value": "xxx", "valueType": "hashes.'MD5'" }
            ]
          }
        ],
        "pattern": "[file:hashes.'MD5' = 'xxx']",
        "patternType": "xxx",
        "resourceGroup": "xxx",
        "source": "xxx",
        "threatIntelligenceTags": [ "xxx", "xxx" ],
        "type": "Microsoft.SecurityInsights/threatIntelligence/main/indicators",
        "validFrom": "2024-08-27T00:00:00+00:00"
      }
    ]


Expected behavior

There's a parameter --skip-token for large datasets and the output of the extension can provide the nextLink. e.g. --top 500 to list the threat indicators in batches of 500 (have 7122 in total).

It would be helpful to provide an example of: 1) How to use the az sentinel threat-indicator list extension? 2) What is the expected output (what does this nextLink look like in the output)? 3) Check if the extension is working as intended.

Environment Summary

Azure CLI (version 2.37.0 or higher)

Additional context

No response

yonzhan commented 2 weeks ago

Thank you for opening this issue, we will look into it.

winnie008 commented 1 week ago

@yonzhan @ReaNAiveD Are there any updates? I appreciate your attention to this matter.

ReaNAiveD commented 1 week ago

Hi @winnie008 Sorry for the late response.

The output meets the expectation.

The command in question was generated using an older version of the aaz codegen tool, which does not support pagination. As a result, the command should output all results without a nextLink.

Please note that the parameters --top and --skip-token are limited in functionality and can only be used to view the top n results.

winnie008 commented 1 week ago

@ReaNAiveD Thanks for your help. May I know the newer version of the aaz codegen tool that can support pagination?

For the newer version, it would be helpful to provide an example of:

1) How to use the az sentinel threat-indicator list extension?
2) What is the expected output (what does this nextLink look like in the output)?
3) Check if the extension is working as intended.

winnie008 commented 1 week ago

@ReaNAiveD Could you please check the query above? Thank you.

ReaNAiveD commented 1 week ago

The aaz-dev-tools link: https://github.com/Azure/aaz-dev-tools/

The current codegen tool could support pagination. https://azure.github.io/aaz-dev-tools/pages/faq/#does-aazdev-support-pagination

The extension works as expected. You could use the command without --top and --skip-token to list all results.

winnie008 commented 5 days ago

@ReaNAiveD Thank you for the update. When you referred to aaz-dev-tools, is it related to the Azure CLI version? We are currently using version 2.64.0, and I would like to understand how we can upgrade aaz-dev-tools.

winnie008 commented 4 days ago

@ReaNAiveD Thanks for clarifying that the extension is working. I went to try Threat Intelligence Indicators – List API Call and I was able to get the nextLink value, however when I tried to go through each page, the nextLink value produced keeps directing me to the same point. I have attached the nextLink value below for your reference, the skipCount for each link is 0 meaning that the pagination is not going on to the next page? Do you know how I can resolve this issue?

"nextLink": https://management.azure.com:443/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/xxx/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2024-03-01&$skipToken=[{\compositeToken\":{\"token\":\"xxx\"}},\"resumeValues\":[\"2024-09-10T07:38:22.9964422Z\"],\"rid\":\"HakeAJwzl3ztJgAAAAAAAA==\",\"skipCount\":0}]"
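An added example, not from the thread or the Azure CLI project: a client-side loop that follows nextLink page by page, de-duplicates indicators by id, and stops with an error when a nextLink repeats, which is the symptom described in the comment above. The `fetch` callable, the `value`/`nextLink` response shape and the sample URLs are assumptions; in practice `fetch` would issue an authenticated GET to each URL.

```python
from urllib.parse import urlsplit, parse_qs


class PaginationStalled(RuntimeError):
    """Raised when a page's nextLink points at a page already requested."""


def skip_token(url):
    """Return the $skipToken query value of a list URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("$skipToken")
    return values[0] if values else None


def list_all_indicators(first_url, fetch, max_pages=1000):
    """Follow nextLink from first_url and return every indicator once.

    fetch(url) is supplied by the caller (an assumption of this example) and
    must return the decoded JSON body: {"value": [...], "nextLink": "..."}.
    """
    seen_urls, seen_ids, indicators = set(), set(), []
    url = first_url
    for _ in range(max_pages):
        if url in seen_urls:
            raise PaginationStalled(
                f"nextLink repeated after {len(indicators)} indicators; "
                f"$skipToken={skip_token(url)!r}")
        seen_urls.add(url)
        page = fetch(url)
        for item in page.get("value", []):
            if item["id"] not in seen_ids:      # drop rows served twice
                seen_ids.add(item["id"])
                indicators.append(item)
        url = page.get("nextLink")
        if not url:                              # last page has no nextLink
            return indicators
    raise PaginationStalled(f"gave up after {max_pages} pages")


# Constructed sample pages (not real API output), keyed by request URL.
BASE = "https://management.example/indicators?api-version=2024-03-01"
GOOD = {
    BASE: {"value": [{"id": "a"}, {"id": "b"}], "nextLink": BASE + "&$skipToken=t1"},
    BASE + "&$skipToken=t1": {"value": [{"id": "b"}, {"id": "c"}]},
}
# Here the second page links back to itself, so the loop must stop, not spin.
STUCK = {
    BASE: {"value": [{"id": "a"}], "nextLink": BASE + "&$skipToken=t0"},
    BASE + "&$skipToken=t0": {"value": [{"id": "a"}], "nextLink": BASE + "&$skipToken=t0"},
}
```
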

jsntcy commented 4 days ago

Add @necusjz for awareness.