Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel

dbanyong

Copper Contributor

Jul 13, 2023

@Cyb3rDino https://www.twitter.com/flyingbluemonki

Please help.

I have a failed "run" with the failure coming from the "switch" component of the logic app.

ActionFailed. An action failed. No dependent actions succeeded.

Note: the first HTTP section is the "GET" request. This succeeds.

You can tell from below that the "Parse JSON" module also succeeds.

The "failures" and "skips" statuses occur in the various "switch cases". I collected diagnostics and got the following from the Azure Diagnostics.

"ActionBranchingConditionNotSatisfied - The execution of template action 'HTTP_2' skipped: the branching condition for this action is not satisfied."

Complete code (with masked sensitive info)

{

"definition": {

"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",

"contentVersion": "1.0.0.0",

"triggers": {

"Recurrence": {

"type": "Recurrence",

"recurrence": {

"frequency": "Day",

"interval": 1

}

"actions": {

"For_each": {

"type": "Foreach",

"foreach": "@body('Parse_JSON')?['results']",

"actions": {

"Switch": {

"type": "Switch",

"expression": "@items('For_each')?['type']",

"default": {

"actions": {}

"cases": {

"Case_10": {

"actions": {

"HTTP_10": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "YARA"

"Case_11": {

"actions": {

"HTTP_11": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "IPv6"

"Case_12": {

"actions": {

"HTTP_12": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "JA3"

"Case_13": {

"actions": {

"HTTP_13": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "BitcoinAddress"

"Case_14": {

"actions": {

"HTTP_14": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"fileMutexName": "@{items('For_each')?['indicator']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "Mutex"

"Case_15": {

"actions": {

"HTTP_15": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "FileHash-SHA1"

"Case_16": {

"actions": {

"HTTP_16": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"FileHashType": "MD5",

"FileHashValue": "@{items('For_each')?['indicator']}",

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "FileHash-MD5"

"Case_17": {

"actions": {

"HTTP_17": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "FileHash-PEHASH"

"Case_18": {

"actions": {

"HTTP_18": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList"

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "FileHash-IMPHASH"

"Case_19": {

"actions": {

"HTTP_19": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"runtimeConfiguration": {

"contentTransfer": {

"transferMode": "Chunked"

}

"case": "SSLCertFingerprint"

"Case_2": {

"actions": {

"HTTP_2": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "IPv4"

"Case_3": {

"actions": {

"HTTP_3": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "hostname"

"Case_4": {

"actions": {

"HTTP_4": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "CVE"

"Case_5": {

"actions": {

"HTTP_5": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"networkSourceCidrBlock": "@{items('For_each')?['indicator']}",

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "CIDR"

"Case_6": {

"actions": {

"HTTP_6": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white",

"url": "@{items('For_each')?['indicator']}"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "URL"

"Case_7": {

"actions": {

"HTTP_7": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "FilePath"

"Case_8": {

"actions": {

"HTTP_8": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "FileHash-SHA256"

"Case_9": {

"actions": {

"HTTP_9": {

"type": "Http",

"inputs": {

"uri": "https://graph.microsoft.com/beta/security/tiIndicators",

"method": "POST",

"headers": {

"content-type": "application/json"

"body": {

"action": "alert",

"activityGroupNames": [],

"confidence": 0,

"description": "OTX Threat Indicator - @{items('For_each')?['type']}",

"expirationDateTime": "@{addDays(utcNow(),7)}",

"externalId": "@{items('For_each')?['id']}",

"killChain": [],

"malwareFamilyNames": [],

"severity": 0,

"tags": [],

"targetProduct": "Azure Sentinel",

"threatType": "WatchList",

"tlpLevel": "white"

"authentication": {

"audience": "https://graph.microsoft.com",

"clientId": "d31fc*****",

"secret": "zIN8Q~*****",

"tenant": "****",

"type": "ActiveDirectoryOAuth"

}

"case": "domain"

}

"runAfter": {

"Parse_JSON": [

"Succeeded"

]

}

"HTTP": {

"type": "Http",

"inputs": {

"uri": "https://otx.alienvault.com/api/v1/indicators/export",

"method": "GET",

"headers": {

"X-OTX-API-KEY": "*****************"

"queries": {

"modified_since": "addDays(utcNow(),-1)",

"types": "IPv4,IPv6,domain,hostname,JA3,Mutex,CVE,CIDR,YARA,URL,FilePath,FileHash-SHA256,FileHash-SHA1,FileHash-MD5,FileHash-PEHASH,FileHash-IMPHASH,SSLCertFingerprint,BitcoinAddress"

}

"runAfter": {}

"Parse_JSON": {

"type": "ParseJson",

"inputs": {

"content": "@body('HTTP')",

"schema": {

"properties": {

"count": {

"type": "integer"

"next": {},

"previous": {},

"results": {

"items": {

"properties": {

"content": {

"type": "string"

"description": {},

"id": {

"type": "integer"

"indicator": {

"type": "string"

"title": {},

"type": {

"type": "string"

}

"required": [

"id",

"indicator",

"type",

"title",

"description",

"content"

"type": "object"

"type": "array"

}

"type": "object"

}

"runAfter": {

"HTTP": [

"Succeeded"

]

}

"outputs": {},

"parameters": {

"$connections": {

"type": "Object",

"defaultValue": {}

}

"parameters": {

"$connections": {

"value": {}

}

Action

Status

Duration

For_each	Failed	1.15 Minutes
HTTP	Succeeded	624 Milliseconds
HTTP_10	Failed	0 Milliseconds
HTTP_11	Skipped	0 Milliseconds
HTTP_12	Skipped	1 Millisecond
HTTP_13	Skipped	0 Milliseconds
HTTP_14	Skipped	0 Milliseconds
HTTP_15	Failed	0 Milliseconds
HTTP_16	Failed	1 Millisecond
HTTP_17	Skipped	1 Millisecond
HTTP_18	Skipped	0 Milliseconds
HTTP_19	Skipped	0 Milliseconds
HTTP_2	Failed	0 Milliseconds
HTTP_3	Failed	0 Milliseconds
HTTP_4	Failed	1 Millisecond
HTTP_5	Skipped	1 Millisecond
HTTP_6	Failed	1 Millisecond
HTTP_7	Skipped	0 Milliseconds
HTTP_8	Failed	0 Milliseconds
HTTP_9	Failed	1 Millisecond
Parse_JSON	Succeeded	82 Milliseconds
Switch	Failed	0 Milliseconds

=====================

Diagnostic outputs from a sample failed run - "HTTP_10":

============================

Start date
Thursday, July 13, 2023 at 8:42:56 AM
End date
Thursday, July 13, 2023 at 8:42:56 AM
Status
Failed
Tracking ID

Inputs
No inputs
Outputs
No outputs

Blog Post

Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel