Update to correct template input button and major revision to the logic app

Adding paging to allow 1000+ record collection and historic lookback

Playbooks/Get-AlienVault_OTX/readme.md

@@ -1,38 +1,58 @@
-# Get-AlienVault_OTX
-author: Andrew Blumhardt
-
-This playbook will copy AlienVault OTX IOC data using the Security Graph API into Azure Sentinel. Requires an AlienVault API Key and registered Azure AD app. Update the AlienVault, tenant ID, client ID (app ID), and secret. Refer to MS Docs and Sentinel Threat Intelligence blogs for more information.
-
-Activation:
-Obtain an API Key (authentication to OTX data)
-Create an App Registration in Azure AD (authentication to Microsoft Graph Security API)
-Deploy Logic App
-Update Get-AlienVault_OTX with your IDs and Keys
-Activate the Threat Intelligence Platforms connector in Sentinel
-Manually run Get-AlienVault_OTX to seed the table (wait 15 min)
-Activate the related Analytic Rules in Sentinel
-Verify that your TI data is flowing and formatted correctly:
-
-ThreatIntelligenceIndicator
-|where TimeGenerated >= ago(1h) | summarize count() by Description
-
-Logic App template based on and inspired by Jason Wescott’s article on OTX-Sentinel integration: 
-
-Documentation references:
-
-<li>Azure Management groups as containers of subscriptions to monitor
-<ul>
-<li><a href="https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentinel/ba-p/1167546" target="_blank" rel="noopener">Bring your threat intelligence to Azure Sentinel</a></li>
-</ul>
-</li>
-<li>Azure Active Directory registered application, assigned with RBAC roles
-<ul>
-<li><a href="https://docs.microsoft.com/graph/api/resources/security-api-overview" target="_blank" rel="noopener">Use the Microsoft Graph Security API</a></li>
-</ul>
-</li>
-</li>
-<li>Logic App alternative that Combines Sentinel and Defender TI collection
-<ul>
-<li><a href="https://github.com/richlilly2004/Azure-Sentinel/tree/master/Playbooks/Get-TIfromOTX" target="_blank" rel="noopener">Get-TIfromOTX by Rich Lilly</a></li>
-</ul>
-</li>
+# Get-AlienValut_OTX_V2
+author: Andrew Blumhardt
+
+This is a Logic App to import threat indicators from AlienVault into Azure Sentinel using the Graph Security API.
+
+Refer to the following link for a more detailed description: https://azurecloudai.blog/2020/11/19/how-to-connect-alienvault-otx-to-azure-sentinel/ 
+
+**Summary:**
+
+Designed to exceed the 1000 workflow limit for large datasets by breaking the results into pages. Set the Lookback to gather historic IOC data. Prevents failed collections when results exceed 1000 records. Tested using 200k records (5 years).
+
+**Instructions:**
+1.	Get an API key from AlienVault: https://otx.alienvault.com/
+2.	Create an App  Registration in Azure AD: http://thewindowsupdate.com/2020/02/11/bring-your-threat-intelligence-to-azure-sentinel/
+3.	Import the Logic App (disabled by default)
+4.	Set the run variables (Tennant ID, Client ID, App Secret, and OTX API Key).
+5.	Enable and run.
+
+**Historic Data Lookback (RUN ONCE):**
+1.	Set the lookback days to a desired value (example 365)
+2.	Enable and run the Logic App (estimate 10 minutes processing time for every 10k records)
+3.	Set the Lookback days to the default 1 day
+
+**Notes:**
+1.	API sets a record lookup URL for the profile page on AlienVault in “additionalInformation”
+2.	API uses the “FileCreatedDateTime” column to log the time ingested
+
+**App Registration Troubleshooting:**
+1. Make sure to Grant Admin Consent on the API Permission page
+2. Your App Registration can be assigned to roles at the workspace or RG. You may need to assign additional credentials.
+
+During testing the provider returned some incorrectly formatted records. This was only observed in large collections. The app does not have error checking. Incorrectly formatted records will fail if encountered but the overall app will complete. This will cause the log to show the parent app as failed.
+
+**Documentation references:**
+
+<li>Azure Management groups as containers of subscriptions to monitor
+<ul>
+<li><a href="https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentinel/ba-p/1167546" target="_blank" rel="noopener">Bring your threat intelligence to Azure Sentinel</a></li>
+</ul>
+</li>
+<li>Azure Active Directory registered application, assigned with RBAC roles
+<ul>
+<li><a href="https://docs.microsoft.com/graph/api/resources/security-api-overview" target="_blank" rel="noopener">Use the Microsoft Graph Security API</a></li>
+</ul>
+</li>
+</li>
+<li>Logic App alternative that Combines Sentinel and Defender TI collection
+<ul>
+<li><a href="https://github.com/richlilly2004/Azure-Sentinel/tree/master/Playbooks/Get-TIfromOTX" target="_blank" rel="noopener">Get-TIfromOTX by Rich Lilly</a></li>
+</ul>
+</li>
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAndrewBlumhardt%2FLogic-Apps%2Fmain%2Fazuredeploy.json" target="_blank">
+    <img src="https://aka.ms/deploytoazurebutton""/>
+</a>
+<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAndrewBlumhardt%2FLogic-Apps%2Fmain%2Fazuredeploy.json" target="_blank">
+<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
+</a>