Open hazcod opened 1 year ago
@hazcod, could you share the package name and package location you are using?
Hi @hazcod. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@lirenhe I am currently using this API for uploading indicator per indicator:
import (
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	insights "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/securityinsights/armsecurityinsights/v2"
)
...
// Service principal credential for the Sentinel workspace.
cred, err := azidentity.NewClientSecretCredential(s.creds.TenantID, s.creds.ClientID, s.creds.ClientSecret, nil)
if err != nil {
	return fmt.Errorf("could not authenticate to MS Sentinel: %v", err)
}
// Management-plane TI client; CreateIndicator takes exactly one indicator per call.
tiClient, err := insights.NewThreatIntelligenceIndicatorClient(s.creds.SubscriptionID, cred, nil)
if err != nil {
	return fmt.Errorf("could not create TI client: %v", err)
}
...
// One round trip per indicator.
if _, err = tiClient.CreateIndicator(ctx, s.creds.ResourceGroup, s.creds.WorkspaceName, insights.ThreatIntelligenceIndicatorModel{
	Kind: nil,
	Properties: &insights.ThreatIntelligenceIndicatorProperties{
		...
	},
}, nil); err != nil {
	attrLogger.WithError(err).Error("could not create attribute")
	return fmt.Errorf("could not create attribute %s: %v", attribute.ID, err)
}
@hazcod, as you are using the API of the mgmt SDK, based on the spec it currently only supports creating one indicator: https://github.com/Azure/azure-rest-api-specs/blob/3d0673c515c429019fdaf95f383aaae5992b7f4d/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/ThreatIntelligence.json#L37
I found there is an API of dataplane that meets your need: https://github.com/Azure/azure-rest-api-specs/blob/3d0673c515c429019fdaf95f383aaae5992b7f4d/specification/securityinsights/data-plane/Microsoft.SecurityInsights/preview/2022-12-01-preview/ThreatIntelligence.json#L13
But we haven't released the SDK for the dataplane yet. @jhendrixMSFT to comment.
Feature Request
Hi, as per https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api, it is now possible to upload multiple threat indicators. It would be nice to be able to use the SDK for this.
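As an added example that is not code from this issue, the SDK or Microsoft: a Go sketch of how a caller could use the data-plane upload-indicators API the thread points to until the SDK covers it, batching indicators into request bodies of at most 100. The endpoint URL, the sourcesystem/value body shape, the 100-indicator limit and the https://management.azure.com/.default token scope follow the linked docs; representing a STIX indicator as a generic map, the function names and the constructed workspace ID are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)

// Per-request cap and endpoint per the upload-indicators docs; %s is the workspace ID (GUID), not the name.
const (
	maxPerRequest = 100
	uploadURL     = "https://sentinelus.azure-api.net/workspaces/%s/threatintelligence:upload-indicators?api-version=2022-07-01"
)

// StixIndicator is one STIX 2.1 indicator object as a generic JSON map (type, id, pattern, ...); assumed shape.
type StixIndicator map[string]any

// UploadRequest is one request body: a source system label plus at most maxPerRequest indicators.
type UploadRequest struct {
	SourceSystem string          `json:"sourcesystem"`
	Value        []StixIndicator `json:"value"`
}

// BatchIndicators splits a feed into bodies of at most maxPerRequest, so N indicators cost ceil(N/100) requests.
func BatchIndicators(source string, inds []StixIndicator) []UploadRequest {
	var out []UploadRequest
	for start := 0; start < len(inds); start += maxPerRequest {
		end := start + maxPerRequest
		if end > len(inds) {
			end = len(inds)
		}
		out = append(out, UploadRequest{SourceSystem: source, Value: inds[start:end]})
	}
	return out
}

// NewUploadRequest builds the POST for one batch; token is a bearer token for https://management.azure.com/.default.
// Send it with any *http.Client and check the response: a 2xx can still carry a per-indicator "errors" array.
func NewUploadRequest(ctx context.Context, workspaceID, token string, batch UploadRequest) (*http.Request, error) {
	if len(batch.Value) > maxPerRequest {
		return nil, fmt.Errorf("batch has %d indicators, limit is %d", len(batch.Value), maxPerRequest)
	}
	body, err := json.Marshal(batch)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf(uploadURL, workspaceID), bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}
```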