Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk API threat intelligence integration - Item Argument Missing

tisme
Engager
‎12-02-2020 12:39 AM

Hi, 

I'm trying to integrate an API feed into our threat intelligence collections via powershell, however I can't seem to get the syntax correctly to update records. I know the API and authentication is working as GET and DELETE requests are successful, but when attempting to execute a PUT request i receive the error "item argument missing".

I've tested below successfully, however I'd like to run this via powershell to encrypt credentials during authentication.

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/e83fa2c5036d4c85bd5669a48ca134c5 -d item='{"ip":"0.0.0.0"}' -X PUT

I've attempted several different JSON formats, hoping the one below would work:

{  
    "item": {
       "ip": "0.0.0.0"
           }
}

Or even 

item='[{"ip":"0.0.0.0"}]'

 from the initial curl format, however it won't seem to work. I am still receiving the following error Invoke-WebRequest : {"status": false, "message": "item argument missing."}.

Any suggestions?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tisme
Engager
‎12-07-2020 10:03 PM

Thank you! Apologies, I meant to update I worked it out. Here is the below syntax I used for powershell to build the JSON and POST. 

$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"<Company>_ThreatIntel"}]'

Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}
Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}
}

If you are doing running via powershell, you'll have to add a function to specify TLS certificate as powershell defaults to something else.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tisme
Engager
‎12-07-2020 10:03 PM

Thank you! Apologies, I meant to update I worked it out. Here is the below syntax I used for powershell to build the JSON and POST. 

$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"<Company>_ThreatIntel"}]'

Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}
Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}
}

If you are doing running via powershell, you'll have to add a function to specify TLS certificate as powershell defaults to something else.

0 Karma
Reply
Solved! Jump to solution

feedaloodum
Splunk Employee
Splunk Employee
‎12-07-2020 08:16 PM

Working on something similar in Python and got past this.

Try this....

data = { 'item': '{"ip": "1.1.1.1"}' }

The value of item is the dictionary.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...