2

I am trying to use the Microsoft Graph API threat indicators API, based on the Azure Sentinel recommended way of integrating threat intelligence sources for IOC ingestion into a Sentinel instance. I perform the following steps with curl on Linux to test the functionality:

Get the OAuth token from Microsoft using :

curl -X POST -d 'grant_type=client_credentials&client_id=[myClientId]&client_secret=[myAppSecret]&scope=openid profile ThreatIndicators.ReadWrite.OwnedBy' https://login.microsoftonline.com/[myTenantId]/oauth2/token

Using the received bearer token, I call the following API:

curl -X GET -H "Authorization: Bearer [access token]" https://graph.microsoft.com/beta/security/tiIndicators

I am receiving the error below:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "request-id": "########################",
      "date": "2019-12-19T07:41:51"
    }
  }
}

Does anybody have an idea how to use this? The main motive is to use a Graph API POST query to insert threat indicators in Azure Sentinel.

DEEPANSHU MARWAH
  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. – Allen Wu Dec 20 '19 at 04:26

1 Answer

4

Use resource rather than scope in the request body for the V1.0 token endpoint.

curl -X POST -d 'grant_type=client_credentials&client_id=[myClientId]&client_secret=[myAppSecret]&resource=https://graph.microsoft.com' https://login.microsoftonline.com/[myTenantId]/oauth2/token

OR (V2.0 token endpoint as below)

curl -X POST -d 'grant_type=client_credentials&client_id=[myClientId]&client_secret=[myAppSecret]&scope=https://graph.microsoft.com/.default' https://login.microsoftonline.com/[myTenantId]/oauth2/v2.0/token
Allen Wu
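To see why Graph rejects a token with "Invalid audience", the token's aud claim can be decoded locally before the API call. The script below is an added example, not part of the original question or answer; the function names are hypothetical, the sample tokens are constructed and unsigned, and it assumes Graph tokens carry the resource URL from the answer as aud.

```shell
#!/usr/bin/env bash
# Added example: check the "aud" claim of an access token locally.
# Decoding only; no signature verification is performed.

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits '=' padding; restore it so base64 -d accepts the input.
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
    1) return 1 ;;  # impossible length for base64 data
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print a string-valued top-level claim, e.g. aud.
jwt_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if aud is the Graph resource URL (assumed form of the claim).
aud_is_graph() {
  local aud
  aud=$(jwt_claim "$1" aud) || return 1
  case "${aud%/}" in
    https://graph.microsoft.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed, unsigned sample token for offline testing (hypothetical helper).
sample_token() {
  local p
  p=$(printf '{"aud":"%s","appid":"constructed-client-id"}' "$1" \
        | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.sig' "$p"
}

for aud in "https://graph.microsoft.com" "https://example.invalid/other-api"; do
  tok=$(sample_token "$aud")
  if aud_is_graph "$tok"; then
    echo "aud=$(jwt_claim "$tok" aud): audience matches Graph"
  else
    echo "aud=$(jwt_claim "$tok" aud): expect 'Invalid audience' from Graph"
  fi
done
```

With a real token, pass the access_token value from the token response to aud_is_graph instead of the constructed sample.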