Update azuredeploy.json for RecordedFuture-ThreatIntelligenceImport to conform with request body required #9947
Conversation
The current API spec expects an array of indicators and sourcesystem params, currently this is passing the value of STIX indicators as a named array "indicators" but needs to be "value" as per the spec - https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#sample-request-body
Thanks for raising the PR, we will investigate this PR and update you about the same before 15 February, 2024. |
Hello @jusso-dev, Please accept license agreement |
@microsoft-github-policy-service agree |
@jusso-dev @v-prasadboke @v-atulyadav JSON body - { "sourcesystem":"AnySource", "indicators": [] } This is the error message we get when using value. I guess there is logic in the logic app that converts indicators -> value behind the scenes. I reached out to one of the logic apps devs whom I had contacts with before about this confusion.
{
  "error": {
    "code": "UploadIndicatorsValidationErrors",
    "message": "Indicators array is required and cannot be empty. ",
    "target": null,
    "additionalInfo": null
  },
  "debugInfo": "clientRequestId: 73a8a8fc-cb6f-418f-9def-46955751190e"
} |
@RecordedFutureOskbo is it possible the connector versions are different, targeting a different API version under the covers? I have this deployed in my client's tenant and I'm getting the opposite of that error when I try and use "indicators" as the named array. Secondly, the current API spec suggests "value" is the current accepted named array parameter, which makes me further believe there is an API version mismatch happening somewhere. |
We have seen differences using different datacenters? I'm testing this in west-europe and east-us. |
@jusso-dev are you using the deprecated version? Also, the documentation on the logic app does not specify the data format at all |
@RecordedFutureOskbo no I was using the latest version available at - Solutions/Recorded Future/Playbooks/IndicatorImport/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json Here's the current working, deployed Logic App: The API doco I was referring to specifies that the "value" named array parameter is the required named array parameter to be passed - https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#sample-request-body Edit - and when I try using "indicators" as the named array, and the latest plugin by manually selecting the latest "Action" task in the Logic App I get the following error: |
We are using Australia East and it's working with "value" as a named array parameter. |
This is all very strange, I reached out to Microsoft and this is the response I got back.
I also created a logic app in Australia East and it requested indicators. Are you using standard or consumption logic apps? I run consumption when testing. |
That is strange, I'm definitely using the current connector action and it's a consumption Logic App in Australia East. I get the above error if I change it to "indicators", so I'm at a loss what's causing this. The target LAW is in Aus Central; I don't know if that is related to this issue? |
Message from Microsoft Sentinel team: I found the bug, it was an api endpoint mismatch only in the Australia regions. The fix is checked in, and it should be deployed on Monday! You should be able to use the logic app actions as expected in all other regions. Still working on updating the api spec. |
@RecordedFutureOskbo excellent! Thank you for following up on this and finding a fix 😊 I'll revert this PR in another PR EDIT - PR to revert this raised - #10037 |
Great, thanks @jusso-dev I'm afk until Tuesday. |
Hi @v-prasadboke and @v-atulyadav, any ETA on getting the API spec updated? This is causing a lot of confusion. |
I got the following message about the spec @jusso-dev. Some confusion may come from the fact that we are not using the API directly. We are using the logic app provided in Power Platform -> https://learn.microsoft.com/en-us/connectors/azuresentinel/#threat-intelligence---upload-indicators-of-compromise-(v2)-(preview) where the spec is lacking format. So the API spec is probably correct if you use the API directly via curl or other request libs. // Oskar |
Thanks Oskar that makes sense, I think some clarification even if it's a sentence or two would greatly improve the documentation. |
Updated the upload indicators API doc to reflect the different endpoint and array name depending on the logic app. |
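The thread above boils down to one request body with two names for the same array: "value" when the Upload Indicators API is called directly, and "indicators" when the body goes through the Logic App connector. The following Python is an added example (not code from this PR, from the Recorded Future playbook, or from Microsoft) that builds the body for either target and validates it before sending, so a mismatch is caught locally with a message of the same shape as the "Indicators array is required and cannot be empty" error quoted earlier. The STIX indicator object, the two key names, and the `target` labels are assumptions taken from the thread and the linked docs; the indicator id and pattern are constructed sample values.

```python
"""Build and validate a Sentinel Upload Indicators request body.

Added example, not the playbook's or Microsoft's code. Assumes, from the PR
thread and the linked docs, two body shapes for the same payload:
  direct API:          {"sourcesystem": "...", "value":      [<STIX indicators>]}
  Logic App connector: {"sourcesystem": "...", "indicators": [<STIX indicators>]}
"""
import json

# Which key carries the indicator array for each target (assumption from the thread).
ARRAY_KEY = {"api": "value", "logicapp": "indicators"}


def make_stix_indicator(pattern, name, valid_from):
    """Return a minimal STIX 2.1 indicator object (constructed sample, placeholder id)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000001",  # placeholder, not a real id
        "created": valid_from,
        "modified": valid_from,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def build_upload_body(indicators, source_system, target="api"):
    """Wrap the indicators under the array key the chosen target expects."""
    return {"sourcesystem": source_system, ARRAY_KEY[target]: list(indicators)}


def validate_upload_body(body, target="api"):
    """Return a list of validation errors; an empty list means the body fits the target.

    The first error line mirrors the service's own wording so that a body built
    for the wrong endpoint is recognisable before it is ever sent.
    """
    errors = []
    expected = ARRAY_KEY[target]
    other = ARRAY_KEY["logicapp" if target == "api" else "api"]

    source = body.get("sourcesystem")
    if not isinstance(source, str) or not source:
        errors.append("sourcesystem must be a non-empty string")

    arr = body.get(expected)
    if not isinstance(arr, list) or not arr:
        msg = f"{expected} array is required and cannot be empty"
        if other in body:
            # The classic symptom from the thread: right payload, wrong key for this target.
            msg += f" (found '{other}' instead; that key belongs to the other endpoint)"
        errors.append(msg)
    else:
        for i, ind in enumerate(arr):
            if not isinstance(ind, dict) or ind.get("type") != "indicator" or "pattern" not in ind:
                errors.append(f"{expected}[{i}] is not a STIX indicator object")
    return errors


if __name__ == "__main__":
    # Constructed sample: one IPv4 indicator (TEST-NET-3 address, documentation range).
    ind = make_stix_indicator("[ipv4-addr:value = '203.0.113.7']", "sample", "2024-02-01T00:00:00Z")
    for target in ("api", "logicapp"):
        body = build_upload_body([ind], "RecordedFuture", target)
        print(target, json.dumps(body)[:80], validate_upload_body(body, target))
    # Same body, checked against the other target: this reproduces the mismatch.
    print(validate_upload_body(build_upload_body([ind], "RecordedFuture", "api"), "logicapp"))
```

Running the script prints an empty error list for each body checked against its own target, and the "indicators array is required" message when the direct-API body is checked as if it were going through the connector, which is the situation the thread describes.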
The current API spec expects an array of "indicators" and string of "sourcesystem" params, currently this is passing the value of STIX indicators as a named array "indicators" but needs to be "value" as per the spec - https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#sample-request-body
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: