Forum Discussion
Generic Logic App to ingest IOCs in text format
Hi all,
I configured Sentinel to ingest IOC from different Threat Intelligence sources (free) using TAXII connector.
I would like to ingest other feeds in text format (like https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt, https://bazaar.abuse.ch/export/txt/sha1/recent/) using a generic Logic App to Security Graph.
These IOCs could be IP, Hash, URL or domain.
Does this kind of Logic App exist?
Regards,
HA
3 Replies
- cyb3rmik3 (Iron Contributor)
Hey HA13029,
I am not sure that a Logic App would be enough for this kind of task. You might indeed need to use Logic Apps, but you will need storage to save the IoCs, probably an automation to clear out duplicates, then parse them and maybe use the Graph API to upload them to the ThreatIntelIndicators table.
Why don't you try building analytics using KQL with relevant rules around them?
There are plenty of threat intelligence feeds here: Bert-JanP/Open-Source-Threat-Intel-Feeds ("This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash."), along with some KQL queries as examples of how to make use of them.
You could then head to your Unified SecOps portal and build Analytics to detect IoCs in your tables of interest (DeviceNetworkEvents etc.) based on the intelligence feed.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- cyb3rmik3 (Iron Contributor)
Hello HA13029,
According to Microsoft (https://github.com/MicrosoftDocs/dataexplorer-docs/tree/main/data-explorer/kusto/query):
"Use the externaldata operator to retrieve small reference tables of up to 100 MB from an external storage artifact."
Other than that, the standard query limits (https://learn.microsoft.com/kusto/concepts/query-limits) apply to external data queries as well.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
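An added example (not from either reply, and not Microsoft's or Bert-JanP's code) that puts the two answers together: the externaldata operator pulls the two text feeds named in the question directly into KQL, the parse/dedupe step from the first reply is done inline, and the result is matched against DeviceNetworkEvents and DeviceFileEvents. It assumes Sentinel table names (TimeGenerated, RemoteUrl, SHA1) and that the feeds stay under the 100 MB externaldata limit; the abuse.ch feed carries "#" comment lines, which are filtered out.

```kql
// Feed 1: OpenPhish URLs, one URL per line (format="txt" reads each line as one string column).
let PhishUrls = externaldata(Url: string)
    [@"https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"]
    with (format="txt")
    | extend Url = trim(@"\s+", Url)          // strip stray whitespace / CR
    | where isnotempty(Url) and Url !startswith "#"
    | distinct Url;                           // de-duplicate the reference table
// Feed 2: MalwareBazaar recent SHA1 hashes; the file starts with "#"-prefixed comment lines.
let MalwareSha1 = externaldata(SHA1: string)
    [@"https://bazaar.abuse.ch/export/txt/sha1/recent/"]
    with (format="txt")
    | extend SHA1 = tolower(trim(@"\s+", SHA1))
    | where isnotempty(SHA1) and SHA1 !startswith "#"
    | where SHA1 matches regex @"^[0-9a-f]{40}$" // keep only well-formed SHA1 values
    | distinct SHA1;
// Match outbound connections against the phishing URL list (exact match on RemoteUrl;
// events that only record a host name will not match a full URL indicator).
let UrlHits = DeviceNetworkEvents
    | where TimeGenerated > ago(1d)
    | where isnotempty(RemoteUrl)
    | join kind=inner PhishUrls on $left.RemoteUrl == $right.Url
    | project TimeGenerated, DeviceName, InitiatingProcessFileName,
              Indicator = RemoteUrl, IndicatorType = "url", Source = "openphish";
// Match file events against the malware hash list (hashes normalised to lower case on both sides).
let HashHits = DeviceFileEvents
    | where TimeGenerated > ago(1d)
    | where isnotempty(SHA1)
    | extend SHA1 = tolower(SHA1)
    | join kind=inner MalwareSha1 on SHA1
    | project TimeGenerated, DeviceName, InitiatingProcessFileName,
              Indicator = SHA1, IndicatorType = "sha1", Source = "malwarebazaar";
union UrlHits, HashHits
| order by TimeGenerated desc
```

The same pattern extends to IP and domain feeds by adding a third externaldata table and joining it on RemoteIP or the host part of RemoteUrl; each feed still counts against the query's external data and time limits, so keep the lookback window short in a scheduled rule.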