Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
Unable to parse $skipToken for Microsoft sentinel - Threat Intelligence Indicators - List
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 38%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Dora babu
0
Reputation points
For Microsoft sentinel Incident -List we are getting $skipToken value in such format which is working fine.
$skipToken=H4sIAAAAAAAACjWP3WqDQBCF32X3Mi0xxp_sghfrrhZDRqMVCy29sEG2tVWhrVU3JM_ebWwGDnycGebMPB3Rd_detYiiRRYJeobbMGDJI98Hrw-QArtU6nk4y-kK5xmntqFZ0N1Ub7aqGLiy2vhO9qwshZ_DCCrtoY56UGEBuXRBHdxYyJ-4jqZYgBl_fDEc3RfUxFGQUMe2HRenPKQbHO45ZVLu_kO1hgv5WnzGYFZFDha7HqcHOlZ1iWoWlWisrV4WMn_gI-vFEgyxfJm4JAPz0A36LFtZIXpEzdvfz4bNVwHhwnHXa2LoflOOV3s2CTfR6fT8C7JkzigoAQAA
However for ThreatIntelligence Indicators list we are getting nextLink in Json String format such as
$skipToken=[{"compositeToken":{"token":"+RID:~AkoXAN+MMQ8Wvx4AAAAAAA==#RT:1#TRC:100#RTD:eXTCpa71Yy1sqZIRoXXABTMxMzQuMjIuMjhVMjo7NTQ7NDMvMzQzNjQ0N1sA#ISV:2#IEO:65567#QCF:8#FPC:AYGEHgAAAAAA2qkfAAAAAAA=","range":{"min":"","max":"FF"}},"orderByItems":[{"item":"2023-11-17T19:43:32.2325336Z"}],"rid":"AkoXAN+MMQ8Wvx4AAAAAAA==","skipCount":0,"filter":"true"}].
We tried replacing (""") with ("") as well as passing token value as $skipToken since we are getting only the first 100 Threat indicators.
Microsoft Security | Microsoft Sentinel
{count} votes
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator2023-11-27T17:32:51.0766667+00:00 Hello @Dora babu , what are the expected and actual results you are getting when passing the 2nd skipToken as it is?
-
Dora babu 0 Reputation points
2023-11-28T14:24:48.14+00:00 Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA When i passed 2nd skiptoken as it is , I'm getting same response with same token again .I tried passing only the token value as skiptoken as well as entire token value as it is .I'm getting same response with first 100 threat indicators with same token in nextLink.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator
2023-11-28T23:40:27.8366667+00:00 Ok thanks. What version of the api are you using? Can you provide the complete request?
-
Dora babu 0 Reputation points
2023-12-04T04:05:02.75+00:00 Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA
- This is request for Threat indicators curl --location 'https://management.azure.com/subscriptions/c7892ac7-3d6b-44d1-8139-72737879eb9d/resourceGroups/test-resource-group-sentinel/providers/Microsoft.OperationalInsights/workspaces/test-intsance/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2023-02-01' \
--header 'Authorization: Bearer Token
- I'm getting skipToken like this in nextLink field
"nextLink": "https://management.azure.com:443/subscriptions/c7892ac7-3d6b-44d1-8139-72737879eb9d/resourceGroups/test-resource-group-sentinel/providers/Microsoft.OperationalInsights/workspaces/test-intsance/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2023-02-01&$skipToken=[{\"compositeToken\":{\"token\":\"+RID:~AkoXAN+MMQ8Wvx4AAAAAAA==#RT:1#TRC:100#RTD:eXTCpa71Yy1sqZIRoXXABTMxMzQuMjIuMjhVMjo7NTQ7NDMvMzQzNjQ0N1sA#ISV:2#IEO:65567#QCF:8#FPC:AYGEHgAAAAAA2qkfAAAAAAA=\",\"range\":{\"min\":\"\",\"max\":\"FF\"}},\"orderByItems\":[{\"item\":\"2023-11-17T19:43:32.2325336Z\"}],\"rid\":\"AkoXAN+MMQ8Wvx4AAAAAAA==\",\"skipCount\":0,\"filter\":\"true\"}]"
Sign in to comment
Sign in to answer