MS Security Graph - List tiindicators limit

Šimon Říha 1 Reputation point
2022-09-06T08:56:17.293+00:00

Hello community,

Have you encountered a limit on the number of items returned by the List endpoint of TI Indicators in the MS Security Graph API (https://learn.microsoft.com/en-us/graph/api/tiindicators-list)? For some reason I only get 200 results back, although the TI blade in my Sentinel GUI shows the exact number of TIs (which is actually 272). There is no mention of any response limit on this API endpoint.

My Python code that is fetching the list is as follows:

import requests

def ms_get_indicators(ms_header, ms_ioc_single):
    # GET the indicator list URL and return the "value" array from the JSON body
    return requests.get(ms_ioc_single, headers=ms_header).json()['value']

Thank you in advance

Tags: Microsoft Security / Microsoft Graph, Microsoft Security / Microsoft Sentinel

2 answers

  1. Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator
    2022-09-07T08:41:03.977+00:00

    @Šimon Říha Thank you for reaching out to us. As I understand it, you are trying to get the complete list of TI indicators using the MS Security Graph API.

    I would request that you try adding ConsistencyLevel: eventual to the request headers and verify whether the output changes.

    Reference: https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http

    Let me know if you have any further questions, if required we can connect offline and troubleshoot further.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

  2. Šimon Říha 1 Reputation point
    2022-09-07T11:43:52.523+00:00

    Hello @Givary-MSFT ,

    Unfortunately, this did not help. To be honest, I found the answer myself when digging deeper into the general MS Graph API docs. It was pagination that reduced the output to 200 values and provided an OData value (@odata.nextLink) for the next API call to retrieve an additional "batch" of values. I solved this programmatically via recursive functions and tested on 272 IOCs (listing was successful and with the correct numbers).

    However, I still do not get the correct output. Currently, I have saved 428 indicators via the "create" API call and I am able to retrieve only 410, although the Sentinel GUI TI blade shows 428 indicators. I am not sure what could be wrong, since I am able to find them based on the "externalId" value in the Log Analytics table ThreatIntelligenceIndicator.

    Can you think of any constraints or limitations on the MS API side that could cause this?

    Has anyone dealt with a similar issue/use case, i.e. retrieving all IOCs from Security Graph via Python?

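An added example of the pagination handling described in the answer above; it is not the original poster's code. It follows @odata.nextLink iteratively instead of recursively (so a large tenant cannot exhaust the recursion limit), refuses to send the bearer token to any host other than graph.microsoft.com (the nextLink is server-supplied data, so it should not be trusted blindly), detects nextLink loops, and collects indicators in a dictionary keyed by id, so that the number of distinct ids can be compared against the count shown in the Sentinel TI blade. The endpoint URL is assumed to be the beta Graph path for tiIndicators; the fake fetcher is a constructed in-memory stand-in for Graph, serving pages of 200 like the ones reported in the thread, so the code runs offline. The real fetcher uses urllib rather than requests so the file has no third-party dependency.

```python
"""Page through the Graph tiIndicators collection by following @odata.nextLink."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH_HOST = "graph.microsoft.com"
# Assumed endpoint: tiIndicators is served from the beta Graph endpoint.
TI_INDICATORS_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

# A fetcher takes an absolute URL and returns the decoded JSON body of the page.
Fetcher = Callable[[str], Dict]


def make_graph_fetcher(access_token: str) -> Fetcher:
    """Return a fetcher that calls Microsoft Graph with a bearer token (urllib only)."""
    def fetch(url: str) -> Dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_graph_collection(fetch: Fetcher, url: str, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every item of a paged Graph collection until no @odata.nextLink is returned."""
    seen_links = set()
    for _ in range(max_pages):
        # Only ever send the token to Graph itself; a nextLink is server-supplied data.
        host = urllib.parse.urlsplit(url).hostname
        if host != GRAPH_HOST:
            raise ValueError(f"refusing to follow nextLink to unexpected host {host!r}")
        if url in seen_links:
            raise RuntimeError("nextLink loop detected")
        seen_links.add(url)
        page = fetch(url)
        yield from page.get("value", [])  # the current page, 200 items in the thread's case
        url = page.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


def list_all_tiindicators(fetch: Fetcher, url: str = TI_INDICATORS_URL) -> List[Dict]:
    """Collect all indicators across pages, keyed by id so duplicates are counted once."""
    by_id: Dict[str, Dict] = {}
    for item in iter_graph_collection(fetch, url):
        by_id[item["id"]] = item
    return list(by_id.values())


def make_fake_fetcher(total: int, page_size: int = 200) -> Fetcher:
    """Constructed stand-in for Graph: serves `total` indicators in pages of `page_size`."""
    def fetch(url: str) -> Dict:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        skip = int(qs.get("$skip", ["0"])[0])
        items = [{"id": f"ind-{i}", "externalId": f"ext-{i}"}
                 for i in range(skip, min(skip + page_size, total))]
        page: Dict = {"value": items}
        if skip + page_size < total:
            page["@odata.nextLink"] = f"{TI_INDICATORS_URL}?$skip={skip + page_size}"
        return page
    return fetch


if __name__ == "__main__":
    # Real use: indicators = list_all_tiindicators(make_graph_fetcher(access_token))
    indicators = list_all_tiindicators(make_fake_fetcher(428))
    print(len(indicators))  # all 428, not just the 200 on the first page
```

Reading only `['value']` from the first response, as in the question's helper, silently drops everything after the first page; compare `len(list_all_tiindicators(...))` with the count in the TI blade to tell a pagination bug apart from indicators that are genuinely missing from the API response.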