Get list of all tiIndicators using Graph API

mikhailf 1 Reputation point
2022-06-17T13:46:45.1+00:00

Hello Community,

I have a Microsoft Sentinel system with about 30K TI indicators that were ingested from AlienVault using this playbook: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-AlienVault_OTX.

Now I would like to get a list of all indicators using Graph API. I tried to do it using Graph Explorer with the following query: GET https://graph.microsoft.com/beta/security/tiIndicators

And I got the following response:
[Image: 212450-1.png]

After that, I tried to add a new indicator using Graph API: POST https://graph.microsoft.com/beta/security/tiIndicators and a request body from this example: https://learn.microsoft.com/en-us/graph/api/tiindicators-post?view=graph-rest-beta&tabs=http

Then I repeated the first step of getting the list of existing indicators, and I did see the indicator that was added manually. I went to Sentinel TI to check whether I could see this manually added indicator there, and I did see it.

So my question is the following: Has anyone tried the Graph API for TI indicators? What am I missing? Why don't I see all my indicators?

It is in beta now, but it seems weird that the GET request shows nothing.

Microsoft Sentinel

1 answer

  1. Bill Clarkson-Antill 5 Reputation points MVP
    2023-03-14T20:54:06+00:00

    @mikhailf

    Are you still experiencing issues?

    Regards

    Bill
