Get-AzSentinelThreatIntelligenceIndicator does not return NextLink property

Open n0isegat3 opened this issue 2 years ago • 16 comments

Description

When there are more than 100 TI indicators in Microsoft Sentinel, Get-AzSentinelThreatIntelligenceIndicator returns only 100 and does not return the NextLink property, so we cannot use the SkipToken parameter to gather more TI indicators.

Issue script & Debug output

PS>Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName $sourceResourceGroup -SubscriptionId $sourceSubscriptionId -WorkspaceName $sourceWorkspace
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 50
x-ms-client-request-id        : 2a9e6d2e-7b62-49c8-8138-5555c3041f4c
CommandName                   : Get-AzSentinelThreatIntelligenceIndicator
FullCommandName               : Get-AzSentinelThreatIntelligenceIndicator_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v7.3.2,Az.SecurityInsights/3.0.1

Body:
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11972
x-ms-request-id               : 3e46536e-1ac3-4e2d-a592-b281fb58eaaa
x-ms-correlation-request-id   : 3e46536e-1ac3-4e2d-a592-b281fb58eaaa
x-ms-routing-request-id       : GERMANYNORTH:20230205T132841Z:3e46536e-1ac3-4e2d-a592-b281fb58eaaa
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Sun, 05 Feb 2023 13:28:41 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/eeb178a0-f3e9-e4eb-a4c0-187f88da6a75",
      "name": "eeb178a0-f3e9-e4eb-a4c0-187f88da6a75",
      "etag": "\"1c006792-0000-0e00-0000-63dd36580000\"",
      "type": "Microsoft.SecurityInsights/threatIntelligence",
      "kind": "indicator",
      "properties": {
        "created": "2023-01-19T11:46:38Z",
        "createdByRef": "[email protected]",
        "extensions": {
          "sentinel-ext": {
            "severity": null
          }
        },
        "externalId": "indicator--5da02424-7fe1-f90f-f540-6759867fb2f0",
        "externalReferences": [],
        "granularMarkings": [],
        "labels": [],
        "lastUpdatedTimeUtc": "2023-02-03T16:29:12.018177Z",
        "revoked": false,
        "source": "Microsoft Sentinel",
        "threatIntelligenceTags": [],
        "displayName": "fakeBNxK2kZ4fuYWHUw6FAM7",
        "description": "",
        "threatTypes": [],
        "killChainPhases": [],
        "parsedPattern": [
          {
            "patternTypeKey": "domain-name",
            "patternTypeValues": [
              {
                "valueType": "domain-name",
                "value": "BNxK2kZ4fuYWHUw6FAM7.domain.com"
              }
            ]
          }
        ],
        "pattern": "[domain-name:value = 'BNxK2kZ4fuYWHUw6FAM7.domain.com']",
        "patternType": "domain-name",
        "validFrom": "2023-01-19T23:00:00Z"
      }
    },
<.... some content removed as it was too long for github...>
    {
      "id": "/subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/9350ca38-4647-9a01-46c7-dcb76e6c85f9",
      "name": "9350ca38-4647-9a01-46c7-dcb76e6c85f9",
      "etag": "\"1c00d190-0000-0e00-0000-63dd35ee0000\"",
      "type": "Microsoft.SecurityInsights/threatIntelligence",
      "kind": "indicator",
      "properties": {
        "created": "2023-01-19T11:46:38Z",
        "createdByRef": "[email protected]",
        "extensions": {
          "sentinel-ext": {
            "severity": null
          }
        },
        "externalId": "indicator--8656a5f1-5734-72db-5596-2bb383bb9d44",
        "externalReferences": [],
        "granularMarkings": [],
        "labels": [],
        "lastUpdatedTimeUtc": "2023-02-03T16:27:25.9800499Z",
        "revoked": false,
        "source": "Microsoft Sentinel",
        "threatIntelligenceTags": [],
        "displayName": "fakebKGnuUyAzrPvHfWCk6Mm",
        "description": "",
        "threatTypes": [],
        "killChainPhases": [],
        "parsedPattern": [
          {
            "patternTypeKey": "domain-name",
            "patternTypeValues": [
              {
                "valueType": "domain-name",
                "value": "bKGnuUyAzrPvHfWCk6Mm.domain.com"
              }
            ]
          }
        ],
        "pattern": "[domain-name:value = 'bKGnuUyAzrPvHfWCk6Mm.domain.com']",
        "patternType": "domain-name",
        "validFrom": "2023-01-19T23:00:00Z"
      }
    }
  ],
  "nextLink": "https://management.azure.com:443/subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview&$skipToken=[{\"compositeToken\":{\"token\":\"+RID:~rgwxAIsg0Mhwlx4AAAAAAA==#RT:1#TRC:100#RTD:eXTCpa71Yy1sqZIRoXXABTMxMzQuMTMuMTRVMjc7Mzg7MzYvOjkxMTU6OlsA#ISV:2#IEO:65567#QCF:8#FPC:AgF6enoOAIEE/v9CQB8A/3/hUg8A\",\"range\":{\"min\":\"\",\"max\":\"FF\"}},\"orderByItems\":[{\"item\":\"2023-02-03T16:27:25.9800499Z\"}],\"rid\":\"rgwxAIsg0Mhwlx4AAAAAAA==\",\"skipCount\":0,\"filter\":\"true\"}]"
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:

DEBUG: FollowingNextLink:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/d5eccfc3-103a-487c-93ff-680e10fa7f88/resourceGroups/rg_test_sentinel/providers/Microsoft.OperationalInsights/workspaces/test-sentinel/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview&$skipToken=[{"compositeToken":{"token":"+RID:~rgwxAIsg0Mhwlx4AAAAAAA==#RT:1%23TRC:100%23RTD:eXTCpa71Yy1sqZIRoXXABTMxMzQuMTMuMTRVMjc7Mzg7MzYvOjkxMTU6OlsA%23ISV:2%23IEO:65567%23QCF:8%23FPC:AgF6enoOAIEE/v9CQB8A/3/hUg8A","range":{"min":"","max":"FF"}},"orderByItems":[{"item":"2023-02-03T16:27:25.9800499Z"}],"rid":"rgwxAIsg0Mhwlx4AAAAAAA==","skipCount":0,"filter":"true"}]

Headers:
x-ms-unique-id                : 51
x-ms-client-request-id        : 2a9e6d2e-7b62-49c8-8138-5555c3041f4c
CommandName                   : Get-AzSentinelThreatIntelligenceIndicator
FullCommandName               : Get-AzSentinelThreatIntelligenceIndicator_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v7.3.2,Az.SecurityInsights/3.0.1

Body:
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11971
x-ms-request-id               : 25d367a5-727e-418d-99fe-2637067d2171
x-ms-correlation-request-id   : 25d367a5-727e-418d-99fe-2637067d2171
x-ms-routing-request-id       : GERMANYNORTH:20230205T132846Z:25d367a5-727e-418d-99fe-2637067d2171
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Sun, 05 Feb 2023 13:28:45 GMT

Body:
{
  "value": []
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.SecurityInsights:3.0.1; CommandName: Get-AzSentinelThreatIntelligenceIndicator; PSVersion: 7.3.2; IsSuccess: True; Duration: 00:00:04.9364176

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.2
PSEdition                      Core
GitCommitId                    7.3.2
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.10.4                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     3.0.1                 Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, Get-AzSentinelAlertRuleTemplate, Get-AzSentinelAutomationRule…}

Error output

WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

n0isegat3 avatar Feb 05 '23 13:02 n0isegat3

Thank you for your feedback. This has been routed to the support team for assistance.

ghost avatar Feb 06 '23 06:02 ghost

The command automatically followed on "NextLink" until there was no data, as the debug log showed.

The question is why the second request returned an empty array while there was still data. I suspect this is a bug of the service.

isra-fel avatar Feb 06 '23 06:02 isra-fel

I have tested the REST API directly with the skipToken taken from nextLink and it returns an empty array as well. It looks like an issue in the REST API.

n0isegat3 avatar Feb 06 '23 08:02 n0isegat3
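
In the debug log above, the follow-up request carries the `$skipToken` with its leading `+` and its first `#` unescaped (`==#RT:1%23TRC:100...`), and an unescaped `#` starts a URI fragment that is not sent to the server. As an added example, not code from this issue or from Az.SecurityInsights, the PowerShell below re-encodes the token from a `nextLink` before following it and warns when a follow-up page comes back empty; the function names, the sample response and the assumption that `$skipToken` is the last query parameter are constructed for illustration, and the thread does not establish whether encoding is the cause.

```powershell
# Added example; not code from the issue or from Az.SecurityInsights.
# Function names and the sample response are constructed for illustration.

function Split-NextLink {
    # Assumes $skipToken is the last query parameter, as in the debug log.
    param([Parameter(Mandatory)][string]$NextLink)
    $marker = '&$skipToken='
    $i = $NextLink.IndexOf($marker, [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { throw 'nextLink carries no $skipToken parameter' }
    [pscustomobject]@{
        BaseUrl   = $NextLink.Substring(0, $i)
        SkipToken = $NextLink.Substring($i + $marker.Length)
    }
}

function Join-NextLink {
    # Percent-encode the whole token so '#', '+', quotes and brackets stay in the query.
    param([Parameter(Mandatory)][string]$BaseUrl,
          [Parameter(Mandatory)][string]$SkipToken)
    '{0}&$skipToken={1}' -f $BaseUrl, [uri]::EscapeDataString($SkipToken)
}

function Get-AllPages {
    param(
        [Parameter(Mandatory)][string]$FirstUrl,
        # Takes one URL, returns the parsed JSON body. Live use (not run here):
        #   { param($u) (Invoke-AzRestMethod -Uri $u -Method GET).Content | ConvertFrom-Json }
        [Parameter(Mandatory)][scriptblock]$Fetch,
        [int]$MaxPages = 1000          # guard against a nextLink that never ends
    )
    $items = [System.Collections.Generic.List[object]]::new()
    $url = $FirstUrl
    for ($page = 1; $url -and $page -le $MaxPages; $page++) {
        $body = & $Fetch $url
        $values = if ($null -ne $body.value) { @($body.value) } else { @() }
        if ($page -gt 1 -and $values.Count -eq 0) {
            # The symptom reported in this issue: a nextLink was issued, yet the page is empty.
            Write-Warning "Page $page is empty although a nextLink was issued; the result set may be incomplete."
        }
        foreach ($v in $values) { $items.Add($v) }
        $url = $null
        if ($body.nextLink) {
            $parts = Split-NextLink -NextLink $body.nextLink
            $url = Join-NextLink -BaseUrl $parts.BaseUrl -SkipToken $parts.SkipToken
        }
    }
    $items
}

# Constructed first page, shaped like the response body in the debug log (token shortened).
$page1 = @'
{
  "value": [ { "name": "constructed-indicator-1", "kind": "indicator" } ],
  "nextLink": "https://management.azure.com:443/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview&$skipToken=[{\"compositeToken\":{\"token\":\"+RID:~AAAAAAAA==#RT:1#TRC:100#ISV:2\"},\"skipCount\":0}]"
}
'@ | ConvertFrom-Json

# Compare what ends up in the query and in the fragment, before and after encoding.
$parts   = Split-NextLink -NextLink $page1.nextLink
$asGiven = [uri]$page1.nextLink
$encoded = [uri](Join-NextLink -BaseUrl $parts.BaseUrl -SkipToken $parts.SkipToken)
[pscustomobject]@{ Form = 'as given'; Query = $asGiven.Query; Fragment = $asGiven.Fragment } | Format-List
[pscustomobject]@{ Form = 'encoded';  Query = $encoded.Query; Fragment = $encoded.Fragment } | Format-List

# Offline stand-in for the service: page 1, then an empty page, as in the debug log.
$fakeFetch = {
    param($u)
    if (([uri]$u).Query -like '*skipToken*') { [pscustomobject]@{ value = @() } } else { $page1 }
}
$all = Get-AllPages -FirstUrl 'https://management.azure.com/constructed/indicators?api-version=2021-09-01-preview' -Fetch $fakeFetch
"Collected $(@($all).Count) indicator(s)"
```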

Any update on this please? I have tried very hard to get it working directly over REST API (using this and this) but with no luck. Thank you.

n0isegat3 avatar Feb 08 '23 16:02 n0isegat3

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @amirke.

"1c008991-0000-0e00-0000-63dd36270000" indicator 4ac31e40-2e65-de5e-7622-9bc4a1cef386
"1c008591-0000-0e00-0000-63dd36260000" indicator e2b3aebc-2ce6-ee9a-f7f0-1f55e5875402
"1c008391-0000-0e00-0000-63dd36250000" indicator 715d4e80-d6ec-b2a9-9401-e725f2f9007f
"1c008191-0000-0e00-0000-63dd36240000" indicator 61c4fc2b-266d-c0d8-d8b3-f8b0c83fddad
"1c007f91-0000-0e00-0000-63dd36230000" indicator 29407fd2-63e7-2d1c-468b-f865b19d4761
"1c007c91-0000-0e00-0000-63dd36220000" indicator 8b62ed7b-480c-ff67-c828-8074a39b2ea0
"1c007991-0000-0e00-0000-63dd36210000" indicator fe94057f-b0ee-52b1-d8f3-60dda8232d2a
"1c007791-0000-0e00-0000-63dd36200000" indicator e65ff2b5-0ec1-fa44-1e59-253b839cceda
"1c007491-0000-0e00-0000-63dd361f0000" indicator 02cc620f-10e3-7d8f-77d1-83aed3996a3c
"1c006f91-0000-0e00-0000-63dd361e0000" indicator 5438a23d-fefe-2b3d-e374-44485a326a93
"1c006c91-0000-0e00-0000-63dd361c0000" indicator 3d26f4b6-066d-b3fb-fa5a-e36dcbe3184e
"1c006a91-0000-0e00-0000-63dd361b0000" indicator 34c44534-211e-9e68-3c66-09451281d0c1
"1c006691-0000-0e00-0000-63dd361a0000" indicator f8daa02f-097c-0a54-cdc6-e2f9e082a546
"1c006191-0000-0e00-0000-63dd36190000" indicator 39bd729c-9f05-ebad-8ffb-76e2a58bfa51
"1c005e91-0000-0e00-0000-63dd36180000" indicator 64e58032-c5d8-c3c1-1bb3-23a7b92264c3
"1c005c91-0000-0e00-0000-63dd36170000" indicator 2327d955-46ad-0dbc-18c6-c133f0e16fb8
"1c005a91-0000-0e00-0000-63dd36160000" indicator b984b8c5-9e5e-1cc1-b34d-8bee3d739638
"0000f228-0000-4800-0000-63dd36150000" indicator c93234d7-048b-7d51-cbbc-754e303af1ee
"1c005791-0000-0e00-0000-63dd36140000" indicator 7571fc41-b1d8-f20a-6bd2-fd91a5468573
"1c005491-0000-0e00-0000-63dd36130000" indicator 9e8c12bd-ae4a-eafd-65c9-59c40a5fb487
"0000ec28-0000-4800-0000-63dd36120000" indicator 5997e65e-1d04-35d6-2757-a53f5fa79c98
"0000ea28-0000-4800-0000-63dd36110000" indicator 404b16f5-2782-28bd-2400-7412aed364d0
"0000e828-0000-4800-0000-63dd36100000" indicator c46192a6-45bc-5305-a594-7171292dbf32
"1c004291-0000-0e00-0000-63dd360f0000" indicator 91148f3f-6f17-b753-4c42-db78022221a2
"1c003f91-0000-0e00-0000-63dd360e0000" indicator 5abeaa76-12c1-349c-e9b0-8f302de7f499
"1c003491-0000-0e00-0000-63dd360c0000" indicator 39e98336-8762-4974-8c7e-b0b29bdd76c2
"1c003091-0000-0e00-0000-63dd360b0000" indicator e17671be-716d-9ae7-bf83-66439637b5fc
"1c002d91-0000-0e00-0000-63dd360a0000" indicator 12ea385d-6e7f-5395-4ffa-1ed51feca509
"1c002b91-0000-0e00-0000-63dd36090000" indicator 3d464296-8eeb-95c3-96cf-1c81079b74ec
"1c002891-0000-0e00-0000-63dd36080000" indicator 8fbd3928-f96f-cca6-c63e-e0e96dea9b7e
"1c002391-0000-0e00-0000-63dd36070000" indicator 3910f2ce-e4f2-3e22-a597-b41229d71401
"1c002191-0000-0e00-0000-63dd36060000" indicator 63408fd2-026e-495a-d4ed-bb26eaddd92e
"1c001d91-0000-0e00-0000-63dd36050000" indicator 9d114070-df59-d5a8-4601-4459dfa0a928
"1c001991-0000-0e00-0000-63dd36040000" indicator 9496b29a-a178-6ca0-b745-1392c6d88dea
"0000d028-0000-4800-0000-63dd36030000" indicator bcce7911-8bbe-2580-9c2a-cee064b62ba8
"1c001591-0000-0e00-0000-63dd36020000" indicator 3d16383f-b277-58dd-79f1-44e44155db45
"0000cc28-0000-4800-0000-63dd36010000" indicator 7c88ccbe-d630-ab7d-95bf-aca8635b6214
"1c001191-0000-0e00-0000-63dd36000000" indicator fd6bd66b-4478-2c3a-9809-17394ec82836
"1c000e91-0000-0e00-0000-63dd35ff0000" indicator 9345b051-a728-0b0f-b59c-4de3186e7c52
"0000c628-0000-4800-0000-63dd35fe0000" indicator b7082127-e7a8-6acb-7b9b-46a4e8e79597
"1c000891-0000-0e00-0000-63dd35fd0000" indicator 00a9788e-314c-9591-a6bb-fee244836c1b
"1c000591-0000-0e00-0000-63dd35fc0000" indicator 70af3ebf-509d-d053-d78a-66f692f43f2c
"1c000291-0000-0e00-0000-63dd35fa0000" indicator 367d8397-379d-5a71-0d9e-5ca7ab3f4635
"0000be28-0000-4800-0000-63dd35f90000" indicator 04fab3c1-2251-b659-5d07-7ae10cd6c9c4
"0000bc28-0000-4800-0000-63dd35f80000" indicator 7625a66f-3a42-46bd-e5c0-4db0d8194377
"0000ba28-0000-4800-0000-63dd35f70000" indicator 20491254-3ed6-5ab7-b1df-90ad03673f61
"1c00f490-0000-0e00-0000-63dd35f60000" indicator fcd9565a-d4a3-df17-6c23-a2f540dab32b
"1c00f290-0000-0e00-0000-63dd35f50000" indicator 08c9f05b-0e9f-7d28-6a06-510dd8c49674
"1c00ef90-0000-0e00-0000-63dd35f40000" indicator 5033cd84-0f08-5f41-598d-2d821d0d6abf
"1c00eb90-0000-0e00-0000-63dd35f30000" indicator 116950a8-e27d-bef9-e348-d77c4fb25a1e
"1c00e890-0000-0e00-0000-63dd35f20000" indicator f3bf0f8a-6aa5-1ea2-34fa-94ecad060d27
"0000ae28-0000-4800-0000-63dd35f10000" indicator 52673f58-2cf8-4c53-83e3-046b5d37abb6
"0000ac28-0000-4800-0000-63dd35f00000" indicator 2c26b156-62a3-ad20-26ab-819761e42a10
"0000aa28-0000-4800-0000-63dd35ef0000" indicator 493ba19a-02e5-1d73-2e21-874d075370c3
"1c00d190-0000-0e00-0000-63dd35ee0000" indicator 9350ca38-4647-9a01-46c7-dcb76e6c85f9

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.2
PSEdition                      Core
GitCommitId                    7.3.2
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.10.4                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     3.0.1                 Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, Get-AzSentinelAlertRuleTemplate, Get-AzSentinelAutomationRule…}

Error output

WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
Author: n0isegat3
Assignees: -
Labels: Service Attention, bug, customer-reported, SecurityInsights

Milestone: -

ghost avatar Feb 09 '23 01:02 ghost

Hello everyone, any update on this please?

n0isegat3 avatar Feb 13 '23 10:02 n0isegat3

I'll try to reach out to security insights team through internal channels.

isra-fel avatar Feb 14 '23 06:02 isra-fel

The service team reviewed the issue and opened a bug; the service team has started investigating and working on the fix.

Alex-wdy avatar Feb 15 '23 00:02 Alex-wdy

Hi @n0isegat3, We investigated the issue and it appears that there’s indeed a bug with the getList Indicators API. We will work on fixing it. We do, however, have an alternative API that you could use. That API doesn’t have this bug and it returns the exact same result: https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/threat-intelligence-indicator/query-indicators?tabs=HTTP

moranraz avatar Feb 23 '23 17:02 moranraz

> Hi @n0isegat3, We investigated the issue and it appears that there’s indeed a bug with the getList Indicators API. We will work on fixing it. We do, however, have an alternative API that you could use. That API doesn’t have this bug and it returns the exact same result: https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/threat-intelligence-indicator/query-indicators?tabs=HTTP

Hi @moranraz, any update on this? And what is more important: the "queryIndicators" API method does not work either. It's not returning any objects after calling the nextLink. So currently I don't have any working way to get TI from Microsoft Sentinel programmatically.

n0isegat3 avatar Mar 18 '23 09:03 n0isegat3

Was this ever resolved? I'm still getting an identical "nextLink" response and the same result set each time I use nextLink, including the nextLink response.

Chris1WK avatar Apr 10 '24 12:04 Chris1WK

> We investigated the issue and it appears that there’s indeed a bug with the getList Indicators API. We will work on fixing it. We do, however, have an alternative API that you could use. That API doesn’t have this bug and it returns the exact same result: https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/threat-intelligence-indicator/query-indicators?tabs=HTTP

Any progress on this issue?

Alex-wdy avatar Apr 11 '24 00:04 Alex-wdy

I am having the same problems. Is there any update on this issue?

lorisAmbrozzo avatar Jul 22 '24 06:07 lorisAmbrozzo

Any update on this issue? @moranraz

jamisonbigham avatar Oct 03 '24 13:10 jamisonbigham

Hi, please use the following API instead: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence/query?view=rest-securityinsights-2024-04-01-preview&tabs=HTTP. The previous API will soon be deprecated.

moranraz avatar Oct 03 '24 15:10 moranraz

Thank you @moranraz, I'm able to get Indicators with the nextLink using that new method.

However, the nextLink is always returned even when all of the indicators have been queried, resulting in an endless loop.

Example: I have 799 indicators. It grabs the first 500, then also returns a nextLink to query the next set; it grabs the next 299, but then it gives me a nextLink and keeps going even past the 799 indicators mark. It loops back around.

Should the nextLink property not return once all the indicators have been queried?

jamisonbigham avatar Oct 11 '24 14:10 jamisonbigham
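
A defensive paging loop for the behaviour reported in the comments above (a nextLink that repeats, or that is still returned after the last indicator), as an added example that is not from this thread or from the Az module. `Get-AllPagesSafely`, its `-FetchPage` callback, the `name` key and the stub data are assumptions made for illustration; in real use the callback would wrap the actual REST call and return the parsed response.

```powershell
function Get-AllPagesSafely {
    param(
        # Hypothetical callback: receives a nextLink ($null for the first page) and
        # returns an object with 'value' (the items) and 'nextLink'.
        [Parameter(Mandatory)] [scriptblock] $FetchPage,
        [string] $IdProperty = 'name',   # assumed unique key of each indicator
        [int]    $MaxPages   = 1000      # hard stop if every other check fails
    )
    $seenIds   = [System.Collections.Generic.HashSet[string]]::new()
    $seenLinks = [System.Collections.Generic.HashSet[string]]::new()
    $items     = [System.Collections.Generic.List[object]]::new()
    $link      = $null

    for ($page = 1; $page -le $MaxPages; $page++) {
        $response = & $FetchPage $link
        $newCount = 0
        foreach ($item in $response.value) {
            # HashSet.Add returns $false for an ID that was already collected.
            if ($seenIds.Add([string]($item.$IdProperty))) {
                $items.Add($item)
                $newCount++
            }
        }
        $link = $response.nextLink
        if ([string]::IsNullOrEmpty($link)) { break }   # normal end of data
        if ($newCount -eq 0)                { break }   # page only repeated known items
        if (-not $seenLinks.Add($link))     { break }   # same nextLink handed out twice
    }
    return $items
}

# Constructed data: 799 fake indicators served 500 at a time by a stub that always
# returns a nextLink and wraps around, mimicking the behaviour described above.
$fakeIndicators = 1..799 | ForEach-Object { [pscustomobject]@{ name = "indicator-$_" } }
$stub = {
    param($link)
    $offset = if ($link) { [int]($link -replace '^.*skip=', '') } else { 0 }
    $offset = $offset % $fakeIndicators.Count
    $end    = [Math]::Min($offset + 500, $fakeIndicators.Count) - 1
    [pscustomobject]@{
        value    = $fakeIndicators[$offset..$end]
        nextLink = "https://example.invalid/query?skip=$($end + 1)"
    }
}
$result = @(Get-AllPagesSafely -FetchPage $stub)
"Collected $($result.Count) unique indicators"
```

Against the stub, the loop stops on the third page, which contributes no new IDs, instead of paging forever. The same checks cover the earlier report of an identical nextLink returning the same result set.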