Azure-Sentinel/Playbooks/Guardicore-ThreatIntel
AcceleryntSecurityDev 05ef58c4f0
Update azuredeploy.json
2022-03-16 18:01:03 -07:00

Integrating Guardicore Threat Intelligence into Azure Sentinel

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

This playbook pulls the domain names and IP addresses from the threat intelligence feed that Guardicore shares every Sunday. It creates Azure Sentinel Threat Intelligence Indicators from the gathered data and submits them to the Microsoft Graph Security tiIndicators API. The playbook is configured to run every Monday morning at 6:00 AM EST.

The Guardicore Cyber Threat Intelligence Service Feed is part of their Cyber Threat Intelligence Platform.

Click the “Deploy to Azure” button and this will bring you to the Custom Deployment Template.

In the BASICS section:

  • Select the “Subscription” and “Resource Group” from the dropdown boxes you would like the playbook deployed to.

In the SETTINGS section:

  • Playbook Name: This can be left as “Guardicore-ThreatIntel” or you may change it.

Towards the bottom ensure you check the box accepting the terms and conditions and then click on “Purchase”.

The playbook should take less than a minute to deploy. Return to your Azure Sentinel workspace and click on “Playbooks.” Next, click on your newly deployed playbook. Don't be alarmed if the status of the playbook shows as failed. We still need to edit the playbook to set up a valid connection on our Microsoft Graph Security connectors.

Click on the “Edit” button. This will bring us into the Logic Apps Designer.

Click on the bottom left bar labeled “For Each - GC Data: Malicious Domains 1”.

Click on the bar labeled “Condition - Check Valid Data 1”.

Click on “Connections”.

Click on the circled exclamation point under the word "Invalid".

This will prompt you to sign in with your credentials.

You should see that the “Create tiIndicator 2” box has updated and displays “Connected to GCTI.” Click the X to close the Logic App Designer. There is no need to click a save button.

This process does not need to be repeated for the right-hand branch.

Developer's Note:

The branching under the same outer loops is necessary because not all Guardicore domains and IP addresses are in a format Microsoft Graph will accept as valid. The branching allows a domain name and its associated IP addresses to be ingested separately. This way, an invalid domain name will not negate its associated valid IP addresses, or vice versa.
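The separation described in the developer's note, shown as an added Python example rather than the playbook's own Logic App definition: each feed record's domain and each of its IP addresses are validated and turned into tiIndicator payloads independently, so one malformed value is rejected on its own while the rest are still submitted. The feed record shape, the validation rules and the indicator fields used here are assumptions for illustration (the field names follow the Graph Security tiIndicator resource but are not taken from the playbook).

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Syntactic check that a domain is something Graph would accept."""
    name = name.strip().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def is_valid_ipv4(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value.strip()), ipaddress.IPv4Address)
    except ValueError:
        return False


def _base_indicator(description: str) -> dict:
    # Fields shared by every indicator; targetProduct routes them to Sentinel.
    # Values (action, threatType, tlpLevel, 7-day expiry) are assumptions.
    expires = datetime.now(timezone.utc) + timedelta(days=7)
    return {"action": "alert", "targetProduct": "Azure Sentinel",
            "threatType": "WatchList", "tlpLevel": "green",
            "description": description, "expirationDateTime": expires.isoformat()}


def build_indicators(feed_entry: dict) -> tuple[list[dict], list[str]]:
    """Mirror the playbook's two branches: the domain and each IP are checked
    and emitted separately, so an invalid domain never drops its valid IPs."""
    indicators, rejected = [], []
    domain = feed_entry.get("domain", "")
    if is_valid_domain(domain):
        indicators.append({**_base_indicator("Guardicore CTI domain"),
                           "networkDomainName": domain.strip().rstrip(".")})
    else:
        rejected.append(domain)
    for ip in feed_entry.get("ips", []):
        if is_valid_ipv4(ip):
            indicators.append({**_base_indicator("Guardicore CTI IP"), "networkIPv4": ip.strip()})
        else:
            rejected.append(ip)
    return indicators, rejected


# Constructed sample record: a malformed domain paired with two usable IPs and one bad one.
SAMPLE_ENTRY = {"domain": "bad_host..example", "ips": ["203.0.113.7", "not-an-ip", "198.51.100.23"]}
```

Running `build_indicators(SAMPLE_ENTRY)` yields two IP indicators and rejects the domain and the bad IP, which is exactly the outcome a single combined validation branch would lose.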