Pagination in MS Sentinel Threat Indicators API

JB 0 Reputation points
2024-09-30T16:48:50.29+00:00

I am using the below endpoint to list Azure Sentinel Threat Indicators. I have about 350 in the MS Sentinel instance, and when I query the endpoint it gives me the first 100 and also a nextLink value. I query the next set using the nextLink value and get another 100, which gives me another nextLink value. However, that nextLink value returns no values and no nextLink value. Can I not go above 200 records? I'm missing the other ~150.

Using the below endpoint:
https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2024-03-01&tabs=HTTP

Microsoft Sentinel

1 answer

  1. Pauline Mbabu 840 Reputation points Microsoft Employee
    2024-11-05T09:26:16.4433333+00:00

    Hello JB,
    Thank you for your question.
    I did some research on this and the Threat Intelligence Indicators - List - REST API (Azure Sentinel) | Microsoft Learn has known issues, including a pagination problem. The recommendation on this is to use the Threat Intelligence - Query - REST API (Azure Sentinel) | Microsoft Learn to fetch the indicators.

    Kindly try using this API and I hope it will resolve the issue.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.
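
A defensive way to follow `nextLink` that surfaces the truncation described in the question instead of silently returning a partial indicator set; this is an added example, not part of the original thread and not Microsoft's code. `fetch_page` is a hypothetical stand-in for the authenticated HTTP call, `expected_total` is an assumed count you already know (for example from the portal), and the sample pages are constructed.

```python
from typing import Callable, Optional


def collect_indicators(fetch_page: Callable[[Optional[str]], dict],
                       expected_total: Optional[int] = None,
                       max_pages: int = 1000):
    """Follow nextLink until exhausted; return (indicators, warnings).

    fetch_page(None) must return the first page, fetch_page(link) the page
    behind a nextLink. It is a hypothetical stand-in for the authenticated
    HTTP request (assumption, not an SDK function).
    """
    seen_links, by_id, warnings = set(), {}, []
    link = None
    for page_no in range(1, max_pages + 1):
        page = fetch_page(link)
        items = page.get("value") or []
        if not items and page_no > 1:
            # The symptom from the question: a nextLink that leads to nothing.
            warnings.append(f"page {page_no} was empty although a nextLink pointed to it")
        for item in items:
            if item["id"] in by_id:
                warnings.append(f"duplicate indicator id {item['id']}")
            by_id[item["id"]] = item
        link = page.get("nextLink")
        if not link:
            break
        if link in seen_links:
            warnings.append("nextLink repeated; stopping to avoid a loop")
            break
        seen_links.add(link)
    else:
        warnings.append(f"stopped after max_pages={max_pages}")
    if expected_total is not None and len(by_id) < expected_total:
        warnings.append(f"got {len(by_id)} of {expected_total} expected indicators")
    return list(by_id.values()), warnings


def demo():
    """Constructed pages reproducing the question: 100 + 100, then an empty page."""
    def ind(n):
        return {"id": f"indicator-{n}", "kind": "indicator"}
    pages = {
        None: {"value": [ind(n) for n in range(100)], "nextLink": "page2"},
        "page2": {"value": [ind(n) for n in range(100, 200)], "nextLink": "page3"},
        "page3": {"value": []},
    }
    return collect_indicators(lambda link: pages[link], expected_total=350)
```

Treat a non-empty warnings list as a failed sync, so that downstream matching is not run against an incomplete indicator set.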
