Forum Discussion
Generic Logic App to ingest IOCs in text format
Hey HA13029,
I am not sure that a Logic App would be enough for this kind of task. You might indeed need to use Logic Apps, but you will also need storage to save the IoCs, probably an automation to clear out duplicates, and then to parse them and maybe use the Graph API to upload them to the ThreatIntelIndicators table.
Why don't you try building analytics using KQL with relevant rules around them?
There are plenty of threat intelligence feeds here: Bert-JanP/Open-Source-Threat-Intel-Feeds ("This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash."), along with some KQL queries as examples of how to make use of them.
You could then head to your Unified SecOps portal and build Analytics to detect IoCs in your tables of interest (DeviceNetworkEvents etc.) based on the intelligence feed.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- HA13029, Apr 08, 2025, Brass Contributor
Hi cyb3rmik3,
In fact, I already used it for some external feeds (mainly the MalwareBazaar latest hash feeds).
A Logic App introduces some of the issues (like duplicates, etc.) you mention above.
The main question is: how much data (KB, Mbits) can I import using externaldata?
Regards,
HA
- cyb3rmik3, Apr 09, 2025, MVP
Hello HA13029,
According to Microsoft (https://github.com/MicrosoftDocs/dataexplorer-docs/tree/main/data-explorer/kusto/query):
"Use the externaldata operator to retrieve small reference tables of up to 100 MB from an external storage artifact."
Other than that, the standard query limits (https://learn.microsoft.com/kusto/concepts/query-limits) apply to external data queries as well.
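The approach described in this thread (pull a text IoC feed with externaldata, dedupe it in-query, and match it against DeviceNetworkEvents), as an added KQL example that is not from either poster. The feed URL is a placeholder and the feed is assumed to be a plain text file with one IPv4 address per line and optional "#" comment lines.

```kusto
// Added example, not from the thread. Feed URL below is a placeholder:
// point it at the raw text file you actually use (externaldata caps at 100 MB).
let Lookback = 1d;
let IpFeed = externaldata (RawLine: string)
    [@"https://example.invalid/path/to/ip-feed.txt"]   // placeholder URL
    with (format="txt")
    // normalise whitespace around each line
    | extend Indicator = trim(@"\s+", RawLine)
    // drop blank lines and comment lines that text feeds commonly carry
    | where isnotempty(Indicator) and not(Indicator startswith "#")
    // keep only values that parse as IPv4, discarding malformed entries
    | where isnotnull(parse_ipv4(Indicator))
    // dedupe the feed here instead of in a Logic App / storage step
    | distinct Indicator;
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where isnotempty(RemoteIP)
// inner join: only connections whose remote IP is in the feed survive
| join kind=inner IpFeed on $left.RemoteIP == $right.Indicator
| summarize
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Hits      = count(),
    Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemotePort
| order by Hits desc
```

Schedule this as an analytics rule with a lookback equal to the run frequency; the feed is re-fetched on every run, so the 100 MB externaldata limit and the standard query limits apply each time.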