Getting Data In

Splunk API threat intelligence integration - Item Argument Missing

tisme
Engager

Hi, 

I'm trying to integrate an API feed into our threat intelligence collections via powershell, however I can't seem to get the syntax correctly to update records. I know the API and authentication is working as GET and DELETE requests are successful, but when attempting to execute a PUT request i receive the error "item argument missing".

I've tested below successfully, however I'd like to run this via powershell to encrypt credentials during authentication.

curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/e83fa2c5036d4c85bd5669a48ca134c5 -d item='{"ip":"0.0.0.0"}' -X PUT

I've attempted several different JSON formats, hoping the one below would work:

{  
"item": {
       "ip": "0.0.0.0"
         }
}

Or even 

item='[{"ip":"0.0.0.0"}]'

 from the initial curl format, however it won't seem to work. I am still receiving the following error Invoke-WebRequest : {"status": false, "message": "item argument missing."}.

Any suggestions?

Labels (2)
0 Karma
1 Solution

tisme
Engager

Thank you! Apologies, I meant to update I worked it out. Here is the below syntax I used for powershell to build the JSON and POST. 

$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"<Company>_ThreatIntel"}]'

Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}
Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}
}

If you are doing running via powershell, you'll have to add a function to specify TLS certificate as powershell defaults to something else.

View solution in original post

0 Karma

tisme
Engager

Thank you! Apologies, I meant to update I worked it out. Here is the below syntax I used for powershell to build the JSON and POST. 

$text = 'item=[{"'+ $IOCType + '":"' + $IOCInput + '","description":"' + $Description + '","threat_key":"<Company>_ThreatIntel"}]'

Try {Invoke-WebRequest -Method Post -Uri $URL -Timeout 3600 -Credential $credentials -ContentType application/x-www-form-urlencoded -Body $text -ErrorAction Stop}
Catch {PopUpBox -MessageBody "Could not post $IOC to Threat Intel Collection, exiting now" -MessageTitle "Sorry"; Exit}
}

If you are doing running via powershell, you'll have to add a function to specify TLS certificate as powershell defaults to something else.

0 Karma

feedaloodum
Splunk Employee
Splunk Employee

Working on something similar in Python and got past this.

Try this....

data = { 'item': '{"ip": "1.1.1.1"}' }

The value of item is the dictionary.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...