<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk API threat intelligence integration - Item Argument Missing in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/532279#M89495</link>
    <description>&lt;P&gt;Thank you! Apologies, I meant to update that I worked it out. Here is the syntax I used in PowerShell to build the JSON and POST.&lt;/P&gt;&lt;PRE&gt;$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"&amp;lt;Company&amp;gt;_ThreatIntel"}]'&lt;BR /&gt;&lt;BR /&gt;Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}&lt;BR /&gt;Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}&lt;/PRE&gt;&lt;P&gt;If you are running this via PowerShell, you'll have to add a function to specify the TLS certificate, as PowerShell defaults to something else.&lt;/P&gt;</description>
    <pubDate>Tue, 08 Dec 2020 06:03:42 GMT</pubDate>
    <dc:creator>tisme</dc:creator>
    <dc:date>2020-12-08T06:03:42Z</dc:date>
    <item>
      <title>Splunk API threat intelligence integration - Item Argument Missing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/531659#M89428</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I'm trying to integrate an API feed into our threat intelligence collections via PowerShell; however, I can't seem to get the syntax correct to update records. I know the API and authentication are working, as GET and DELETE requests are successful, but when attempting to execute a PUT request I receive the error "item argument missing".&lt;/P&gt;&lt;P&gt;I've tested the command below successfully; however, I'd like to run this via PowerShell to encrypt credentials during authentication.&lt;/P&gt;&lt;PRE&gt;curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/e83fa2c5036d4c85bd5669a48ca134c5 -d item='{"ip":"0.0.0.0"}' -X PUT&lt;/PRE&gt;&lt;P&gt;I've attempted several different JSON formats, hoping the one below would work:&lt;/P&gt;&lt;PRE&gt;{&lt;BR /&gt;    "item": {&lt;BR /&gt;        "ip": "0.0.0.0"&lt;BR /&gt;    }&lt;BR /&gt;}&lt;/PRE&gt;&lt;P&gt;Or even&lt;/P&gt;&lt;PRE&gt;item='[{"ip":"0.0.0.0"}]'&lt;/PRE&gt;&lt;P&gt;from the initial curl format; however, it won't seem to work. I am still receiving the following error: &lt;EM&gt;Invoke-WebRequest : {"status": false, "message": "item argument missing."}&lt;/EM&gt;.&lt;/P&gt;&lt;P&gt;Any suggestions?&lt;/P&gt;</description>
      <pubDate>Wed, 02 Dec 2020 08:39:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/531659#M89428</guid>
      <dc:creator>tisme</dc:creator>
      <dc:date>2020-12-02T08:39:49Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk API threat intelligence integration - Item Argument Missing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/532278#M89494</link>
      <description>&lt;P&gt;Working on something similar in Python and got past this.&lt;/P&gt;&lt;P&gt;Try this:&lt;/P&gt;&lt;PRE&gt;data = { 'item': '{"ip": "1.1.1.1"}' }&lt;/PRE&gt;&lt;P&gt;The value of item is the dictionary.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2020 04:16:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/532278#M89494</guid>
      <dc:creator>feedaloodum</dc:creator>
      <dc:date>2020-12-08T04:16:34Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk API threat intelligence integration - Item Argument Missing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/532279#M89495</link>
      <description>&lt;P&gt;Thank you! Apologies, I meant to update that I worked it out. Here is the syntax I used in PowerShell to build the JSON and POST.&lt;/P&gt;&lt;PRE&gt;$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"&amp;lt;Company&amp;gt;_ThreatIntel"}]'&lt;BR /&gt;&lt;BR /&gt;Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}&lt;BR /&gt;Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}&lt;/PRE&gt;&lt;P&gt;If you are running this via PowerShell, you'll have to add a function to specify the TLS certificate, as PowerShell defaults to something else.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2020 06:03:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-API-threat-intelligence-integration-Item-Argument-Missing/m-p/532279#M89495</guid>
      <dc:creator>tisme</dc:creator>
      <dc:date>2020-12-08T06:03:42Z</dc:date>
    </item>
  </channel>
</rss>

