Microsoft Azure Microsoft Sentinel Upload Indicators API

The Microsoft Azure Microsoft Sentinel Upload Indicators API lets users quickly upload indicators of compromise (IOCs) into their Azure Sentinel workspace. The API streamlines the sharing of threat intelligence data, helping organizations identify and respond to security threats in real time.

OpenAPI Specification

microsoft-sentinel-upload-indicators-api-openapi-original.yml
# Swagger/OpenAPI 2.0 description of the Microsoft Sentinel "upload indicators"
# endpoint: a single POST that pushes a batch of STIX indicators into a workspace.
swagger: '2.0'
info:
  title: Microsoft Azure Microsoft Sentinel Upload Indicators API
  description: Spec for Microsoft Sentinel Upload Indicators API.
  # Preview API version. The same value must be sent on every call through the
  # api-version query parameter declared under `parameters` below.
  version: 2022-12-01-preview
# Fixed service host; only HTTPS is offered.
host: sentinelus.azure-api.net
schemes:
  - https
paths:
  # The action name follows the resource path after a ':' with no space after
  # it, so this key is still a valid plain scalar (quote it if tooling objects).
  /workspaces/{workspaceId}/threatintelligenceindicators:upload:
    post:
      x-ms-examples:
        Upload Threat Intelligence indicators:
          # Relative file reference, resolved against this spec's location.
          $ref: ./examples/threatintelligence/UploadThreatIntelligence.json
      summary: Microsoft Azure Upload The Indicators To The Workspace
      description: Upload the list of indicators to the workspace specified
      operationId: microsoftAzureThreatintelligenceindicatorsUpload
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - $ref: '#/parameters/ApiVersionParameter'
        - in: path
          name: workspaceId
          description: The workspace ID for the indicators to be uploaded.
          required: true
          # No `format` or `pattern` is declared, so schema-level validation
          # accepts any string. NOTE(review): confirm the expected identifier
          # format with the service documentation before tightening this.
          type: string
        - in: body
          name: body
          description: Body of the request with an array of indicators and other properties
          required: true
          schema:
            $ref: '#/definitions/UploadIndicatorsRequest'
      responses:
        # 200 means partial success: at least one indicator was validated and
        # published. Indicators that failed validation are listed in the
        # response `errors` array, so a client must inspect that array rather
        # than treating 200 as "everything was uploaded".
        '200':
          description: >-
            The API returns 200 when at least one indicator is successfully
            validated and published.
          schema:
            $ref: '#/definitions/UploadIndicatorsResponse'
        # Every other status uses the ErrorResponseBody shape defined below.
        default:
          description: Upload Indicators API service error response.
          schema:
            $ref: '#/definitions/ErrorResponseBody'
          x-ms-error-response: true
      # The caller presents an Azure AD OAuth2 token carrying the delegated
      # user_impersonation scope (see securityDefinitions).
      security:
        - azure_auth:
            - user_impersonation
      tags:
        - Workspaces
definitions:
  # Opaque container: `type: object` with no `properties` or
  # `additionalProperties` constraint, so any JSON object passes schema
  # validation here. The STIX content itself is checked by the service and
  # rejections are reported per record via IndicatorValidationError.
  JsonPropertyBag:
    description: An object that stores a list of JSON properties from a given JObject.
    type: object
  UploadIndicatorsRequest:
    description: Schema for request body.
    type: object
    # No `required` list is declared for this body. NOTE(review): the field
    # descriptions read as if both fields are mandatory — confirm and add
    # `required` if the service enforces it.
    properties:
      sourcesystem:
        description: >-
          Source of the indicators to be uploaded. Source system name cannot be
          Microsoft Sentinel.
        type: string
      # Each element is a STIX 2.0 or 2.1 indicator object and must carry the
      # STIX "ID" field; the element schema itself is unconstrained (see
      # JsonPropertyBag).
      indicators:
        description: >-
          The indicators param is an array of STIX indictors. Indicators need to
          be in STIX format (STIX Indicator documentation). Indicators need to
          contain the “ID” field. We only support Stix 2.0 and 2.1 format.
        type: array
        items:
          $ref: '#/definitions/JsonPropertyBag'
  UploadIndicatorsResponse:
    description: Response object containing more details about the operation.
    type: object
    properties:
      # Per-indicator validation failures; an empty or absent list alongside a
      # 200 status is the only signal that every indicator was accepted.
      errors:
        description: Details of the error. Contains a list of indicator validation errors
        type: array
        items:
          $ref: '#/definitions/IndicatorValidationError'
  IndicatorValidationError:
    description: >-
      Object that stores a list of errors encountered when executing the Upload
      Indicators operation.
    type: object
    properties:
      # Position of the rejected indicator in the request `indicators` array.
      # NOTE(review): the spec does not say whether the index is zero-based.
      recordIndex:
        format: int64
        description: Index of the indicator in indicators array from request.
        type: integer
      validationErrorMessages:
        description: List of validation errors for a single indicator.
        type: array
        items:
          type: string
  # Envelope for non-200 responses: a single required `error` object.
  ErrorResponseBody:
    description: The definition of an error object.
    required:
      - error
    type: object
    properties:
      error:
        $ref: '#/definitions/ErrorData'
  ErrorData:
    description: Detailed information about the errors from the operation.
    type: object
    required:
      - code
      - message
    properties:
      code:
        description: Server defined code for the error
        type: string
      message:
        description: Error message
        type: string
parameters:
  # Required on every request as `?api-version=...`; the value in use is the
  # one given under `info.version`.
  ApiVersionParameter:
    in: query
    name: api-version
    description: The api-version for operation
    required: true
    type: string
    # AutoRest extension: the parameter is declared per method rather than once
    # on the generated client.
    x-ms-parameter-location: method
securityDefinitions:
  # OAuth 2.0 implicit grant against the common Azure AD endpoint. The implicit
  # flow returns the token in the redirect URI fragment; the OAuth 2.0 Security
  # Best Current Practice recommends the authorization-code flow with PKCE for
  # new clients. Only the single delegated scope below is defined.
  azure_auth:
    type: oauth2
    flow: implicit
    authorizationUrl: https://login.microsoftonline.com/common/oauth2/authorize
    scopes:
      user_impersonation: impersonate your user account
    description: Azure Active Directory OAuth2 Flow
tags:
  - name: Workspaces