Hi Matt Egen,
Thanks for the awesome writeup. I am trying to set this up and while running the playbook, it is erroring out at the stage of sending the retrieved indicator data to the Microsoft Graph Security API. I'm able to view different retrieved indicators (domains, IPv4, hostnames, etc.) as the output of the GET request and as the input to the final POST request to the Graph API, but the output of the POST request shows the error message:
Http request failed with statusCode=BadRequest : {\"error\":{\"code\":\"ValidationFailed\",\"message\":\"Validation of indicator content failed.\",\"target\":\"body\",\"details\":[{\"code\":\"ValidationFailed\",\"message\":\"At least one Observable must be set (e.g. IP or URL).\",\"target\":\"Any Observables (e.g. IP or URL).\"}]}}; "
Here is the body of the POST request for your reference:
Please help out on this issue. Thank you.
Regards,
Anand R Menon