Get-AlienVault_OTX_V2
author: Andrew Blumhardt
This Logic App imports threat indicators from AlienVault OTX into Azure Sentinel by submitting them to the Microsoft Graph Security API (tiIndicators).
Refer to the following link for a more detailed description: https://azurecloudai.blog/2020/11/19/how-to-connect-alienvault-otx-to-azure-sentinel/
The "Threat Intelligence Platforms (Preview)" data connector must be enabled in the Sentinel workspace; it is what moves indicators submitted to the Microsoft Graph Security API into the ThreatIntelligenceIndicator table.
Summary:
Designed for large data sets: the results are fetched in pages, so collections that exceed the 1000-record limit no longer fail. Set the Lookback to gather historic IOC data. Tested with 200k records (5 years of history).
Instructions:
- Get an API key from AlienVault: https://otx.alienvault.com/
- Create an App Registration in Azure AD with the Graph Security ThreatIndicators.ReadWrite.OwnedBy application permission: http://thewindowsupdate.com/2020/02/11/bring-your-threat-intelligence-to-azure-sentinel/
- Import the Logic App (disabled by default)
- Set the run variables (Tenant ID, Client ID, App Secret, and OTX API Key). Note that values stored in Logic App variables are visible in the run history to anyone who can read the Logic App; for production use, keep the App Secret and OTX API Key in Azure Key Vault and retrieve them at run time.
- Enable and run.
- Enable the "Threat Intelligence Platforms (Preview)" connector in the Sentinel workspace.
Historic Data Lookback (RUN ONCE):
- Set the lookback days to a desired value (example 365)
- Enable and run the Logic App (estimate 10 minutes processing time for every 10k records)
- Set the Lookback days back to the default of 1 day, otherwise every scheduled run re-collects the whole window
Notes:
- The "additionalInformation" field of each submitted indicator carries a lookup URL pointing to the pulse page on AlienVault OTX
- The "fileCreatedDateTime" field is used to record the time the indicator was ingested, not the time OTX created it
App Registration Troubleshooting:
- Make sure to Grant Admin Consent on the API Permissions page of the App Registration; without it the token is issued but Graph rejects the indicator submissions
- Your App Registration can be assigned roles at the workspace or resource group scope. You may need additional role assignments depending on how the Logic App is deployed.
During testing the provider returned some incorrectly formatted records. This was only observed in large collections. The app does no error checking: an incorrectly formatted record fails the iteration in which it is encountered, but the remaining records are processed and the overall run completes. Because a child iteration failed, the run history shows the parent run as failed even though the collection succeeded.
Documentation references: