Activate the appropriate TI Map rules to enable alerting.Set the run variables (Tennant ID, Client ID, App Secret, and OTX API Key).Import the Logic App (disabled by default).
#Alienvault otx api group registration
Create an App Registration in Azure AD.This date0time value was not previously being used. I also use the “FileCreatedDateTime” column to log the time ingested. I added a lookup URL to the additionalInformation column that links back the AlienVault lookup for each IOC. To improve usability and data enrichment, I added more setup variables and made some minor adjustments. Despite being a rather complex logic app, each record counts as only 2 action executions (200k records costs around $10). This is intended to be a one time lookback followed by a daily maintenance update. This runs for about 10 minutes for every 10,000 records. I pulled in 5 years of IOC data (roughly 200,000 records) in testing. The updated playbook overcomes this limitation by breaking the request into pages (1000 indicators each). This is to support the 14 day lookback limit on analytic rules. The TimeGenerated value in the threat intelligence table gets updated periodically for records older than 14 days. Working with a large dataset it would be useful to have a date ingested value.When using a single For-Loop I was unable to pull in large numbers of IOCs. There is a 1000 workflow limit per logic app execution.My secondary goal was to look for additional ways to further enrich the data stored in Sentinel. I wanted to ingest months or years of IOC information. My next goal was to provide a historic IOC collection option. Side Note: When sending IOCs to MDE using the Graph Security API, there is a limit of 15,000 custom indicators per tenant and only Files, IP addresses, URLs, domains, and Certificates are allowed. These are good examples of a daily OTX feed. I was introduced to a great example by Rich Lilly that includes a Defender ATP (Defender Endpoint Protection) feed.
My goal was to expand on Matt’s example to create an easy-to-use template.
0 kommentar(er)
