Incomplete output of the command 'az sentinel threat-indicator list'

[winnie008]

Describe the bug

We are trying to use an experimental extension: az sentinel threat-indicator list.

There's a parameter --skip-token for large datasets but the output of the extension does not provide the nextLink.
e.g. --top 500 to list the threat indicators in batches of 500 (have 7122 in total).

Is this a bug?It would be helpful to provide an example of:

1. How to use the az sentinel threat-indicator list extension?
2. What is the expected output (what does this nextLink look like in the output)?
3. Check if the extension is working as intended.

Related command

az sentinel threat-indicator list --resource-group $resourceGroupName
--workspace-name $workspaceName --top "1"
--output json

Errors

Output (no nextLink element?):
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
[
{
"created": "2024-08-28T02:15:01.9277641Z",
"description": "xxx",
"displayName": "xxx",
"etag": ""xxx"",
"externalId": "xxx",
"externalLastUpdatedTimeUtc": "2024-08-28T02:15:01.9277641Z",
"id": "xxx",
"kind": "indicator",
"labels": [
"xxx",
"xxx"
],
"lastUpdatedTimeUtc": "2024-08-28T02:15:01.9281699Z",
"name": "xxx",
"parsedPattern": [
{
"patternTypeKey": "file",
"patternTypeValues": [
{
"value": "xxx",
"valueType": "hashes.'MD5'"
}
]
}
],
"pattern": "[file:hashes.'MD5' = 'xxx']",
"patternType": "xxx",
"resourceGroup": "xxx",
"source": "xxx",
"threatIntelligenceTags": [
"xxx",
"xxx"
],
"type": "Microsoft.SecurityInsights/threatIntelligence/main/indicators",
"validFrom": "2024-08-27T00:00:00+00:00"
}
]

Issue script & Debug output

Output (no nextLink element?):
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
[
{
"created": "2024-08-28T02:15:01.9277641Z",
"description": "xxx",
"displayName": "xxx",
"etag": ""xxx"",
"externalId": "xxx",
"externalLastUpdatedTimeUtc": "2024-08-28T02:15:01.9277641Z",
"id": "xxx",
"kind": "indicator",
"labels": [
"xxx",
"xxx"
],
"lastUpdatedTimeUtc": "2024-08-28T02:15:01.9281699Z",
"name": "xxx",
"parsedPattern": [
{
"patternTypeKey": "file",
"patternTypeValues": [
{
"value": "xxx",
"valueType": "hashes.'MD5'"
}
]
}
],
"pattern": "[file:hashes.'MD5' = 'xxx']",
"patternType": "xxx",
"resourceGroup": "xxx",
"source": "xxx",
"threatIntelligenceTags": [
"xxx",
"xxx"
],
"type": "Microsoft.SecurityInsights/threatIntelligence/main/indicators",
"validFrom": "2024-08-27T00:00:00+00:00"
}
]

Expected behavior

There's a parameter --skip-token for large datasets and the output of the extension can provide the nextLink.
e.g. --top 500 to list the threat indicators in batches of 500 (have 7122 in total).

It would be helpful to provide an example of:

1. How to use the az sentinel threat-indicator list extension?
2. What is the expected output (what does this nextLink look like in the output)?
3. Check if the extension is working as intended.

Environment Summary

Azure CLI (version 2.37.0 or higher)

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[winnie008]

@yonzhan @ReaNAiveD Are there any updates? I appreciate your attention to this matter.

[ReaNAiveD]

Hi @winnie008 Sorry for the late response.

The output meets the expectation.

The command in question was generated using an older version of the aaz codegen tool, which does not support pagination. As a result, the command should output all results without a nextLink.

Please note that the parameters --top and --skip-token are limited in functionality and can only be used to view the top n results.

[winnie008]

@ReaNAiveD Thanks for your help. May I know the newer version of the aaz codegen tool that can support pagination.

For the newer version, it would be helpful to provide an example of:

How to use the az sentinel threat-indicator list extension?
What is the expected output (what does this nextLink look like in the output)?
Check if the extension is working as intended.