Merge pull request Azure#12903 from VirusTotal/feat/update-upload-indicators

Google Threat Intelligence: Using UploadSTIXObjects action

Author: v-dvedak

Solutions/Google Threat Intelligence/Package/3.2.2.zip

@@ -1569,15 +1569,11 @@
                             "schema": {
                               "type": "object",
                               "properties": {
-                                "type": {
-                                  "type": "string",
-                                  "description": "type"
-                                },
-                                "id": {
+                                "sourcesystem": {
                                   "type": "string",
-                                  "description": "id"
+                                  "description": "sourcesystem"
                                 },
-                                "objects": {
+                                "stixobjects": {
                                   "type": "array",
                                   "items": {
                                     "type": "object",
@@ -3881,9 +3877,9 @@
                     },
                     "For_each": {
                       "type": "Foreach",
-                      "foreach": "@chunk(body('get_threat_list')?['indicators'],100)",
+                      "foreach": "@chunk(coalesce(body('get_threat_list')?['indicators'],body('get_threat_list')?['stixobjects']),100)",
                       "actions": {
-                        "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
+                        "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": {
                           "type": "ApiConnection",
                           "inputs": {
                             "host": {
@@ -3894,9 +3890,9 @@
                             "method": "post",
                             "body": {
                               "sourcesystem": "Google Threat Intelligence",
-                              "indicators": "@items('For_each')"
+                              "stixobjects": "@items('For_each')"
                             },
-                            "path": "/V2/ThreatIntelligence/@{encodeURIComponent('')}/UploadIndicators/"
+                            "path": "/ThreatIntelligence/@{encodeURIComponent('')}/UploadStixObjects/"
                           }
                         }
                       },
@@ -4131,7 +4127,7 @@
                             }
                           }
                         },
-                        "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
+                        "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": {
                           "type": "ApiConnection",
                           "inputs": {
                             "host": {
@@ -4142,9 +4138,9 @@
                             "method": "post",
                             "body": {
                               "sourcesystem": "Google Threat Intelligence",
-                              "indicators": "@body('Get_IoC_Stream_list')?['objects']"
+                              "stixobjects": "@coalesce(body('Get_IoC_Stream_list')?['objects'], body('Get_IoC_Stream_list')?['stixobjects'])"
                             },
-                            "path": "/V2/ThreatIntelligence/@{encodeURIComponent('')}/UploadIndicators/"
+                            "path": "/ThreatIntelligence/@{encodeURIComponent('')}/UploadStixObjects/"
                           },
                           "runAfter": {
                             "Get_IoC_Stream_list": [
@@ -4159,7 +4155,7 @@
                             "value": "@body('Get_IoC_Stream_list')?['extensions']?['extension-definition--e0e2bd88-8e87-52d5-b822-3fdd60918598']?['meta']?['cursor']"
                           },
                           "runAfter": {
-                            "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": [
+                            "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": [
                               "Succeeded"
                             ]
                           }

Solutions/Google Threat Intelligence/Package/mainTemplate.json

@@ -1411,15 +1411,11 @@
                                         "schema": {
                                             "type": "object",
                                             "properties": {
-                                                "type": {
-                                                    "type": "string",
-                                                    "description": "type"
-                                                },
-                                                "id": {
+                                                "sourcesystem": {
                                                     "type": "string",
-                                                    "description": "id"
+                                                    "description": "sourcesystem"
                                                 },
-                                                "objects": {
+                                                "stixobjects": {
                                                     "type": "array",
                                                     "items": {
                                                         "type": "object",

Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json

@@ -104,7 +104,7 @@
                                         }
                                     }
                                 },
-                                "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
+                                "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": {
                                     "type": "ApiConnection",
                                     "inputs": {
                                         "host": {
@@ -115,9 +115,9 @@
                                         "method": "post",
                                         "body": {
                                             "sourcesystem": "Google Threat Intelligence",
-                                            "indicators": "@body('Get_IoC_Stream_list')?['objects']"
+                                            "stixobjects": "@coalesce(body('Get_IoC_Stream_list')?['objects'], body('Get_IoC_Stream_list')?['stixobjects'])"
                                         },
-                                        "path": "/V2/ThreatIntelligence/@{encodeURIComponent('')}/UploadIndicators/"
+                                        "path": "/ThreatIntelligence/@{encodeURIComponent('')}/UploadStixObjects/"
                                     },
                                     "runAfter": {
                                         "Get_IoC_Stream_list": [
@@ -132,7 +132,7 @@
                                         "value": "@body('Get_IoC_Stream_list')?['extensions']?['extension-definition--e0e2bd88-8e87-52d5-b822-3fdd60918598']?['meta']?['cursor']"
                                     },
                                     "runAfter": {
-                                        "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": [
+                                        "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": [
                                             "Succeeded"
                                         ]
                                     }

Solutions/Google Threat Intelligence/Playbooks/GTIIocStream/azuredeploy.json

@@ -95,9 +95,9 @@
                         },
                         "For_each": {
                             "type": "Foreach",
-                            "foreach": "@chunk(body('get_threat_list')?['indicators'],100)",
+                            "foreach": "@chunk(coalesce(body('get_threat_list')?['indicators'],body('get_threat_list')?['stixobjects']),100)",
                             "actions": {
-                                "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
+                                "Threat_Intelligence_-_Upload_STIX_Objects_(Preview)": {
                                     "type": "ApiConnection",
                                     "inputs": {
                                         "host": {
@@ -108,9 +108,9 @@
                                         "method": "post",
                                         "body": {
                                             "sourcesystem": "Google Threat Intelligence",
-                                            "indicators": "@items('For_each')"
+                                            "stixobjects": "@items('For_each')"
                                         },
-                                        "path": "/V2/ThreatIntelligence/@{encodeURIComponent('')}/UploadIndicators/"
+                                        "path": "/ThreatIntelligence/@{encodeURIComponent('')}/UploadStixObjects/"
                                     }
                                 }
                             },

Solutions/Google Threat Intelligence/Playbooks/GTIThreatList/azuredeploy.json

@@ -1,7 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                             |
 |-------------|--------------------------------|------------------------------------------------|
-| 3.2.2       | 23-09-2025                     | Filter Threat Lists
+| 3.2.2       | 29-08-2025                     | Filtering threat lists and migrating to Upload STIX Objects |
 | 3.2.1       | 25-08-2025                     | Fix IocStream ingestion bug.                   |
-| 3.2.0       | 20-05-2025                     | New **Playbook** added *IoC Stream Threat Intelligence*.<br/> Added x-tool header in **Playbook** Customer Connector.                  |
-| 3.1.0       | 29-01-2025                     | New *Threat Intelligence Ingestion* **Playbook** added.                  |
+| 3.2.0       | 20-05-2025                     | New **Playbook** added *IoC Stream Threat Intelligence*.<br/> Added x-tool header in **Playbook** Customer Connector. |
+| 3.1.0       | 29-01-2025                     | New *Threat Intelligence Ingestion* **Playbook** added. |
 | 3.0.0       | 05-12-2024                     | Initial Solution Release.                       |