labsnero.blogg.se - Alienvault otx

#Alienvault otx registration#

#Alienvault otx registration#

If your granted App Registration fails, add your application identity to Log Analytics Reader or Contributor on the workspace.Threat intelligence integration in Microsoft Sentinel You may need to assign additional credentials.

Your App Registration can be assigned to roles at the workspace or RG.

You must be a Global Administrator, an Application Administrator, or a Cloud Application Administrator to activate (look for the Green check mark).

Make sure to Grant Admin Consent on the API Permission page.

Some of the examples do not demonstrate the correct permissions.

Make sure the correct API permissions are assigned to your app registration.

I found in testing and working with customers that the App Registration setup used to authenticate the API is a common cause for issues. This will cause the log to show the parent app as failed.

Incorrectly formatted records will fail if encountered but the overall app will complete. This was only observed in large collections. Note: During testing the provider returned some incorrectly formatted records. Make sure to reset the Lookback days to the default 1 day when complete.Enable and run the Logic App (estimate 10 minutes processing time for every 10k records).Set the lookback days to a desired value (example 365).

Note: Consider running a one-time historic lookback (described below). Activate the appropriate TI Map rules to enable alerting.Set the run variables (Tennant ID, Client ID, App Secret, and OTX API Key).Import the Logic App (disabled by default).Create an App Registration in Azure AD.This date0time value was not previously being used. I also use the “FileCreatedDateTime” column to log the time ingested. I added a lookup URL to the additionalInformation column that links back the AlienVault lookup for each IOC. To improve usability and data enrichment, I added more setup variables and made some minor adjustments. Despite being a rather complex logic app, each record counts as only 2 action executions (200k records costs around $10). This is intended to be a one time lookback followed by a daily maintenance update. This runs for about 10 minutes for every 10,000 records. I pulled in 5 years of IOC data (roughly 200,000 records) in testing. The updated playbook overcomes this limitation by breaking the request into pages (1000 indicators each).

This is to support the 14 day lookback limit on analytic rules. The TimeGenerated value in the threat intelligence table gets updated periodically for records older than 14 days.

Working with a large dataset it would be useful to have a date ingested value.

When using a single For-Loop I was unable to pull in large numbers of IOCs.

There is a 1000 workflow limit per logic app execution.

My secondary goal was to look for additional ways to further enrich the data stored in Sentinel. I wanted to ingest months or years of IOC information. My next goal was to provide a historic IOC collection option. Side Note: When sending IOCs to MDE using the Graph Security API, there is a limit of 15,000 custom indicators per tenant and only Files, IP addresses, URLs, domains, and Certificates are allowed. These are good examples of a daily OTX feed. I was introduced to a great example by Rich Lilly that includes a Defender ATP (Defender Endpoint Protection) feed. My goal was to expand on Matt’s example to create an easy-to-use template.