Azure-Sentinel/Playbooks/Guardicore-ThreatIntel

Integrating Guardicore Threat Intelligence into Azure Sentinel

Author: Arbala Security

For any technical questions, please contact info@arbalasystems.com.

This playbook will pull the domain names and IPs from the threat intelligence that Guardicore shares every Sunday. It will create Azure Sentinel Threat Intelligence Indicators with the information gathered and send it to the tiIndicators API. This playbook is configured to run every Monday morning at 6:00 AM EST.

The Guardicore Cyber Threat Intelligence Service Feed is part of their Cyber Threat Intelligence Platform.

Open your browser and ensure you are logged into your Azure Sentinel workspace. In a separate tab, open the link to our playbook on the Arbala Security GitHub Repository:

https://github.com/Arbala-Security/Guardicore-ThreatIntel

From there, click the “Deploy to Azure” button at the bottom and it will bring you to the Custom Deployment Template.

In the BASICS section:

  • Select the “Subscription” and “Resource Group” from the dropdown boxes you would like the playbook deployed to.

In the SETTINGS section:

  • Playbook Name: This can be left as “Guardicore-ThreatIntel” or you may change it.

Towards the bottom ensure you check the box accepting the terms and conditions and then click on “Purchase”.

The playbook should take less than a minute to deploy. Return to your Azure Sentinel workspace and click on “Playbooks”. Next, click on your newly deployed playbook. Don't be alarmed to see that the status of the playbook shows as failed. We still need to edit the playbook to set up a valid connection on our Microsoft Graph Security connectors.

Click on the “Edit” button. This will bring us into the Logic Apps Designer.

Click on the bottom left bar labeled “For Each - GC Data: Malicious Domains 1”.

Click on the bar labeled “Condition - Check Valid Data 1”.

Click on “Connections”.

Click on the circled exclamation point under the word "Invalid".

This will prompt you to sign in with your credentials.

You should see that the “Create tiIndicator 2” box has updated and displays “Connected to GCTI.” Click the X to close the Logic App Designer. There is no need to click a save button.

This process will not need to be repeated for the right-hand branch.

Developer's Note:

The branching for the same outer loops is necessary because not all Guardicore domains and IP addresses are in a format Microsoft Graph will accept as valid. The branching allows a domain name and its associated IP addresses to be ingested separately. This way, an invalid domain name will not negate its associated valid IP addresses, or vice versa.
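The following is an added illustration of the validation logic the note above describes and of the tiIndicator payloads the playbook's overview mentions; it is not code from this playbook or from Arbala Security. It validates each domain and each IP independently before building Microsoft Graph Security tiIndicator objects, so one malformed value never discards the valid values reported with it. The feed layout (`domain` plus `ips` per entry) and the sample values are constructed assumptions, not Guardicore's real format.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Hostname syntax per RFC 1123 labels; Graph rejects domainName values that fail it.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)

def is_valid_domain(name: str) -> bool:
    return len(name) <= 253 and _DOMAIN_RE.match(name) is not None

def is_valid_ipv4(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def _base_indicator(description: str) -> dict:
    # Properties common to every tiIndicator; expirationDateTime is required by the API.
    expires = datetime.now(timezone.utc) + timedelta(days=7)
    return {"action": "alert", "targetProduct": "Azure Sentinel",
            "threatType": "WatchList", "tlpLevel": "amber",
            "description": description, "expirationDateTime": expires.isoformat()}

def build_indicators(feed: list) -> tuple:
    """Return (indicators, rejected). Each domain and each IP is checked on its
    own, so a malformed domain never drops the IPs reported with it, or vice versa."""
    indicators, rejected = [], []
    for entry in feed:
        domain, ips = entry.get("domain", ""), entry.get("ips", [])
        if is_valid_domain(domain):
            indicators.append({**_base_indicator("Guardicore CTI domain"),
                               "domainName": domain.lower()})
        elif domain:
            rejected.append(domain)
        for ip in ips:
            if is_valid_ipv4(ip):
                indicators.append({**_base_indicator(f"Guardicore CTI IP for {domain}"),
                                   "networkIPv4": ip})
            else:
                rejected.append(ip)
    return indicators, rejected

# Constructed sample feed (field names assumed), not real Guardicore data.
SAMPLE_FEED = [
    {"domain": "example-bad.test", "ips": ["203.0.113.10", "203.0.113.11"]},
    {"domain": "not a hostname!", "ips": ["198.51.100.7"]},  # bad domain, good IP
    {"domain": "example-evil.test", "ips": ["999.1.1.1", "192.0.2.5"]},  # one bad IP
]
```

Each returned dictionary is one body for a POST to the tiIndicators endpoint; the `rejected` list is what the playbook's “Check Valid Data” condition would route away from the “Create tiIndicator” action.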

For any technical questions, please contact info@arbalasystems.com.