Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

Support for the upload threat indicators API #20907

Open hazcod opened 1 year ago

hazcod commented 1 year ago

Feature Request

Hi, as per https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api, it is now possible to upload multiple threat indicators. It would be nice to be able to use the SDK for this.

lirenhe commented 1 year ago

@hazcod, could you help share the package name and package location you are using?

github-actions[bot] commented 1 year ago

Hi @hazcod. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

hazcod commented 1 year ago

@lirenhe I am currently using this API to upload one indicator at a time:

```go
import (
    "context"
    "fmt"

    "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    insights "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/securityinsights/armsecurityinsights/v2"
)

...

    // Service-principal credential; token acquisition for the management plane is handled by the SDK.
    cred, err := azidentity.NewClientSecretCredential(s.creds.TenantID, s.creds.ClientID, s.creds.ClientSecret, nil)
    if err != nil {
        return fmt.Errorf("could not authenticate to MS Sentinel: %v", err)
    }

    // Management-plane (ARM) client: CreateIndicator writes a single indicator per call.
    tiClient, err := insights.NewThreatIntelligenceIndicatorClient(s.creds.SubscriptionID, cred, nil)
    if err != nil {
        return fmt.Errorf("could not create TI client: %v", err)
    }

       ....

        // One round trip per indicator; ctx is the caller's context.Context.
        if _, err = tiClient.CreateIndicator(ctx, s.creds.ResourceGroup, s.creds.WorkspaceName, insights.ThreatIntelligenceIndicatorModel{
            Kind: nil,
            Properties: &insights.ThreatIntelligenceIndicatorProperties{
                ...
            },
        }, nil); err != nil {
            attrLogger.WithError(err).Error("could not create attribute")
            return fmt.Errorf("could not create attribute %s: %v", attribute.ID, err)
        }
```

lirenhe commented 1 year ago

@hazcod, as you are using the API of the mgmt SDK, based on the spec it currently only supports creating one indicator: https://github.com/Azure/azure-rest-api-specs/blob/3d0673c515c429019fdaf95f383aaae5992b7f4d/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2023-02-01/ThreatIntelligence.json#L37

I found there is a data-plane API that meets your need: https://github.com/Azure/azure-rest-api-specs/blob/3d0673c515c429019fdaf95f383aaae5992b7f4d/specification/securityinsights/data-plane/Microsoft.SecurityInsights/preview/2022-12-01-preview/ThreatIntelligence.json#L13

But we haven't released the SDK for the data plane yet. @jhendrixMSFT to comment.
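
Until a data-plane package ships, the bulk endpoint can be called directly from Go with net/http, using a token from the same azidentity credential as the management client. The block below is an added example, not code from this issue, the SDK or its maintainers. It assumes, from the upload-indicators doc linked in the first comment rather than from anything on this page, the endpoint https://sentinelus.azure-api.net/workspaces/{workspaceId}/threatintelligenceindicators:upload?api-version=2022-07-01, a request body of the form {"sourcesystem": "...", "value": [STIX 2.1 indicator objects]}, a response body with an errors array (recordIndex, errorMessages), and a limit of 100 indicators per request; every name in it (StixIndicator, NewIndicator, Batches, UploadIndicators) is mine. The bearer token is passed in as a string so the block depends only on the standard library; with the cred from the snippet above it would come from cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://management.azure.com/.default"}}).

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Assumed from the linked upload-indicators doc, not from the SDK: endpoint, api-version, batch limit.
const UploadEndpointFmt = "https://sentinelus.azure-api.net/workspaces/%s/threatintelligenceindicators:upload?api-version=2022-07-01"
const maxBatch = 100

// StixIndicator is the subset of a STIX 2.1 Indicator object the API needs.
type StixIndicator struct {
	Type        string    `json:"type"`
	SpecVersion string    `json:"spec_version"`
	ID          string    `json:"id"` // "indicator--<uuid4>", supplied by the caller
	Created     time.Time `json:"created"`
	Modified    time.Time `json:"modified"`
	ValidFrom   time.Time `json:"valid_from"`
	Pattern     string    `json:"pattern"`
	PatternType string    `json:"pattern_type"`
}

// uploadResponse is the assumed response shape. A 200 can still carry per-record errors.
type uploadResponse struct {
	Errors []struct {
		RecordIndex   int      `json:"recordIndex"`
		ErrorMessages []string `json:"errorMessages"`
	} `json:"errors"`
}

// stixString quotes v as a STIX pattern string literal, escaping backslash and single
// quote so an untrusted IOC value cannot close the literal and alter the pattern.
func stixString(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

func NewIndicator(objectPath, value, id string, now time.Time) StixIndicator {
	return StixIndicator{Type: "indicator", SpecVersion: "2.1", ID: id, Created: now, Modified: now,
		ValidFrom: now, Pattern: fmt.Sprintf("[%s = %s]", objectPath, stixString(value)), PatternType: "stix"}
}

// Batches splits indicators into chunks of at most maxBatch.
func Batches(in []StixIndicator) (out [][]StixIndicator) {
	for ; len(in) > maxBatch; in = in[maxBatch:] {
		out = append(out, in[:maxBatch])
	}
	if len(in) > 0 {
		out = append(out, in)
	}
	return out
}

// UploadIndicators posts every batch to endpoint and returns how many records the service
// rejected. token is a bearer token for scope https://management.azure.com/.default.
func UploadIndicators(ctx context.Context, hc *http.Client, endpoint, token, sourceSystem string, indicators []StixIndicator) (int, error) {
	rejected := 0
	for _, batch := range Batches(indicators) {
		body, err := json.Marshal(map[string]interface{}{"sourcesystem": sourceSystem, "value": batch})
		if err != nil {
			return rejected, err
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
		if err != nil {
			return rejected, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
		resp, err := hc.Do(req)
		if err != nil {
			return rejected, err
		}
		raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		resp.Body.Close()
		// 200 and 400 both carry the errors array (assumed); anything else (401, 403, 429,
		// 5xx) is reported by status only, so the request and its token never reach a log.
		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusBadRequest {
			return rejected, fmt.Errorf("upload indicators: HTTP %d", resp.StatusCode)
		}
		var ur uploadResponse
		if len(raw) > 0 {
			if err := json.Unmarshal(raw, &ur); err != nil {
				return rejected, fmt.Errorf("upload indicators: decode response: %w", err)
			}
		}
		rejected += len(ur.Errors)
	}
	return rejected, nil
}

func main() {
	// Constructed sample; a real run passes UploadIndicators a live token and the workspace endpoint.
	ind := NewIndicator("domain-name:value", "example.test", "indicator--0e2b1b6e-1f2e-4a3b-9c0d-5e6f7a8b9c0d", time.Now().UTC())
	fmt.Println(ind.Pattern, len(Batches([]StixIndicator{ind})))
}
```

Two details are worth keeping if you adapt this: IOC values are quoted and escaped before they go into the STIX pattern, because an indicator feed is untrusted input and a stray single quote would otherwise change the pattern the service evaluates; and a 200 is not success on its own, since the service reports per-record rejections in the body, so that count is returned to the caller instead of being dropped.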

github-actions[bot] commented 1 year ago

Hi @hazcod. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.