Microsoft Tech Community
Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel
Published Jan 03 2020 01:00 PM 42.8K Views
Microsoft

**UPDATE** 11/4/2022:  Please note, to enable this capability in Sentinel, you will need to ensure that you've enabled the "Threat Intelligence Platforms" data connector.

One of the key capabilities of Azure Sentinel has always been its ability to work with data from multiple sources, including Threat Indicator Providers who can deliver their data directly into the environment via the Microsoft Security Graph. But what if you have a source of indicators or other enrichment data that you want to use in Azure Sentinel but no connector to ingest it with? Ofer Shezaf has written a great blog post about creating custom connectors, and Ian Hellen wrote an outstanding blog about using OTX data in Jupyter Notebooks in Sentinel; this post expands on their work by walking through adding a custom Sentinel Playbook (Azure Logic App) that connects to AlienVault’s Open Threat Exchange (OTX) REST API and ingests threat indicators for use in hunting and alerts. While this blog is specifically about AlienVault OTX, the same methodology applies to almost any API-based data source.

What is OTX?

OTX is an open community for sharing indicators of compromise (IOCs) such as IP addresses, domains, hostnames, URLs, file hashes (SHAs), and so on. For this example we’re going to limit our ingestion to just IPs, URLs, and hostnames, but many of the IOC types in OTX can be imported into Azure Sentinel and Microsoft Defender ATP as indicators.

Establish an OTX account

To utilize the OTX API feed, you’ll want to head over to https://otx.alienvault.com/ to establish an account. Once you’ve signed up you will be able to access detailed documentation as well as your API key via the dashboard. On the dashboard, select the “API Integration” link to get to your API key.

clipboard_image_0.png

This section of the panel is also where you’ll be able to confirm from the OTX side that your connection is functional.

Create a new playbook in Sentinel

Now that we have a key for the OTX API, we’re going to need to create a new Playbook in Sentinel. To start, navigate to the Playbooks tab in Sentinel and select “Add Playbook”.

clipboard_image_1.png

Give your playbook a descriptive name and select the correct Azure Subscription to attach it to. For the Resource Group field, you can either create a new Resource Group or attach it to an existing one. The best practice is to attach it to the same Resource Group you’re using for Sentinel (you can determine the Resource Group for your Sentinel instance by going to Settings, then Workspace Settings, and selecting “Properties”). Finally, choose the geographic location you wish your Playbook to run in. After clicking “Create”, your new Playbook will be added to the Playbooks tab and you will be taken to the Logic Apps Designer workspace.

clipboard_image_2.png

Configure your Playbook

Since we’re going to be creating a custom connector, we’re going to define the values for our Playbook manually. To do this, select “Blank Logic App”.

clipboard_image_3.png

Select a trigger [manual or scheduled]

As you can see, there are multiple options available for us to choose from. In this case, we’re going to choose a “Scheduled” trigger. Scheduled triggers come in two flavors:

  • “Recurrence” where the trigger will fire on a regular basis, and
  • “Sliding Window” where the triggers are a series of fixed-sized, non-overlapping, and contiguous time intervals from a specified start time.

For this example, we’re going to use a simple Recurrence trigger and set the frequency to 1 day.

clipboard_image_4.png


Get the data

Great! Now that we’ve defined when we want to fetch our data, it’s time to go get it. Click the “New Step” button below the Trigger. This will present the “Choose an action” window for choosing our next step. We’re going to see this page again later, so I’ll only include it this once. For retrieving the OTX data, we’re going to choose the “HTTP Built-in” connector and then the “HTTP” action.

clipboard_image_5.png

This will then open the parameters page for the HTTP action.

clipboard_image_6.png

We’re going to use the following settings for this connection:

  • Method: GET
  • URI: https://otx.alienvault.com/api/v1/indicators/export
  • Headers: The headers field is broken out into name / value fields. In the first field enter “X-OTX-API-KEY” (minus the quotes) and in the second field enter your API key from the OTX Dashboard.
  • Queries: This is where we’re going to add in the parameters of the actual query itself. These are defined in the “Docs” page for OTX and we’re using the “indicators/export” call. This has a number of parameters available, but we’re only going to be using two of them.
    • modified_since: This is an ISO format datetime string. For this scenario, we’re taking advantage of an Expression in LogicApps. Expressions allow us to create programmatic values in lieu of fixed values. We can use the GUI to click each of the expression variables or just enter it directly. In this case we’re using the expression “addDays(utcNow(),-1)”. Since we’re running our Trigger to fire once a day, we’re going to look at new indicators since the last time we ran.
    • types: These are the indicator types that we want to retrieve from the OTX feed. OTX has a lot of different types, but for this example we’re going to use the domain, hostname, and IPv4 types. You can get a JSON file of all of the supported types by navigating to https://otx.alienvault.com/api/v1/pulses/indicators/types.

At this point it’s probably a good call to save our work as well as test our connection to see if we’re getting back the data we want. This is also a good time to collect an example of the output of the call as we’re going to use that to build a schema for the next step. To save our work, just click the “Save” button. This will now enable the “Run” button which we can click to have our connection fire. Assuming everything went as expected, we should see a page like the following:

clipboard_image_7.png


You’ll want to copy the “Body” section (highlighted above) to use in the next step.

(Note: If the “Body” section is empty, it may just be that there haven’t been any new indicators added in the last day. You might want to consider removing or changing the “modified_since” parameter to get a list of indicators.)

Parse the data

Now that we have our HTTP data connection, it’s time to parse the JSON that’s returned. If you did a test run of the Playbook so far, click the “Designer” button to go back to the designer page. Now select the “New step” button that is below the HTTP section. From the page that opens, choose “Data Operations” and then “Parse JSON”. In the panel that opens, you’ll see two fields: Content and Schema. Clicking in the “Content” field will open the Dynamic Content flyout panel from which we’re going to select the pre-built “Body” option. This is telling the Parse JSON connector to parse the body content from the HTTP connector we defined earlier.

clipboard_image_8.png

For the Schema field, we’re going to use the body data that we copied earlier. Below the Schema box there is a link, “Use sample payload to generate schema”; click that link, paste the body data into the “Enter or paste a sample JSON payload” box, and then click “Done”.

clipboard_image_9.png

This will create the schema for the data:

clipboard_image_10.png

One small change I had to make to the generated schema was to set the “next” property to an empty set of braces ({}) instead of the type the schema generator inferred from the sample, so that the Parse JSON step still succeeds in scenarios where the “next” link isn’t populated.

Send the data to the Graph

Now that we’ve connected to the OTX API, retrieved our data, and parsed it, we need to send this data to the Microsoft Security Graph API. The Microsoft Graph supports the ingestion of Threat Intelligence Indicators (tiIndicators), which can be shared with both Azure Sentinel and Microsoft Defender ATP. Let’s add this functionality to the ingestion playbook we just created. Because we’re writing to the Graph, we first need to create an application registration in Azure AD that has the “ThreatIndicators.ReadWrite.OwnedBy” permission. The process of creating a new application is very well documented, so I am not going to reproduce it in detail here; instead see the docs.microsoft.com page “Walkthrough: Register an app with Azure Active Directory”. Just make sure that when you grant the application permissions you give it the “ThreatIndicators.ReadWrite.OwnedBy” permission. Once you’ve registered the application, we’re going to need three pieces of information: the Tenant ID, the Application (client) ID, and the Client Secret.

The first thing we’re going to do is add a “Switch” step after the Parse JSON step. Click the “+” symbol after the Parse JSON step. From the options presented choose “Control” and then select “Switch”. A Switch statement allows us to make a branching action based on the value of a field.

clipboard_image_11.png

For this Switch block, we’re going to evaluate the “type” field from our parsed JSON data, so click in the “Choose a value” field and select the “type” value from the JSON dynamic data set:

clipboard_image_12.png

When you select the “type” field from the Parse JSON step, the Logic App page is going to embed the Switch block into a “For-Each” control flow block. This is because we’re going to be iterating over each of the records returned from the OTX API and Logic Apps is smart enough to realize this and automatically take care of this for us.

Now that we know what we’re going to switch our actions on, we need to choose actions for each type of data we want to act on. I’m only going to walk through creating the switch case for the URL response, but the other data types use the same pattern, so you can reproduce it for them.
[added 1/26/2022]: Please note that for this code to function properly you will want to create a switch case for each of the data types you are requesting from AlienVault OTX, e.g., if you requested "domain" indicators, then you will need a switch case for domain; if you requested "IPv4", then you'll need a case for IPv4, etc. (thanks @emilec)

In the Case window, click on the “Equals” field and enter “URL” (without the quotes). The Switch comparison is case sensitive, so make sure you use the exact case that OTX returns; for URLs it is upper case.

clipboard_image_13.png

Now we just need to add an action. We’re already familiar with the HTTP action from getting data out of OTX, and we’re going to use it again here to put data into the Microsoft Graph. Select the HTTP action from the actions list.

clipboard_image_14.png

Just like we did when we connected to OTX, we’re going to need to supply some values to the HTTP connector as well as the Body of the request:

  • Method: POST
  • URI: https://graph.microsoft.com/beta/security/tiIndicators
  • Headers: The headers field is broken out into name / value fields. In the first field enter “content-type” (minus the quotes) and in the second field enter “application/json” (again, without the quotes)
  • Body: Here is where we make the actual API call into the Graph. By way of example, here is what I am using for the Sentinel connection (you can see what it looks like in the playbook in the image above). These are the minimum required fields for the tiIndicators data type. You can add more fields as appropriate for your use case:

```json
{
  "action": "alert",
  "activityGroupNames": [],
  "confidence": 0,
  "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
  "expirationDateTime": "@{addDays(utcNow(),7)}",
  "externalId": "@{items('For_each')?['id']}",
  "killChain": [],
  "malwareFamilyNames": [],
  "severity": 0,
  "tags": [],
  "targetProduct": "Azure Sentinel",
  "threatType": "WatchList",
  "tlpLevel": "white",
  "url": "@{items('For_each')?['indicator']}"
}
```

The “expirationDateTime” value uses an expression to expire the custom TI seven days after ingestion.

“tlpLevel” is referring to the Traffic Light Protocol (https://www.us-cert.gov/tlp) that defines the shareability of the information / indicator. Since this is all public information, I went ahead and hardcoded my entries to “white” which means it has an unrestricted distribution.

There are other values that we could be supplying in the Threat Intelligence Indicators (tiIndicators) call, like the “Diamond Model” or “Kill Chain” values, however for this example I am just using the required minimums.

Since we’re writing to the graph though, we also need to provide our authentication information. We get this information from the Azure AD application we registered earlier.

  • Authentication: Active Directory OAuth
  • Tenant: Your Azure tenant ID
  • Audience: https://graph.microsoft.com
  • Client ID: The client id from the Azure AD application registration you did earlier.
  • Credential Type:
  • Secret: The secret from the Azure AD application registration you did earlier.

Once you’ve created this step we’re done and the connector is ready to test.

This first connector will make the TI indicators available only to Sentinel; however, you could create another HTTP connection to supply the indicators to Microsoft Defender ATP. You must separate these calls, as the API requires that the “targetProduct” value be set to either “Microsoft Defender ATP” or “Azure Sentinel”. A really cool benefit of sending the data to MDATP as well as to Azure Sentinel is that if you change the “action” parameter from “alert” to “block” and you’ve enabled Network Protection, your Windows 10 clients (v1709 and higher) enrolled in MDATP will automatically be blocked from accessing those URLs! Making the MDATP connector is the same as making the Azure Sentinel connector except for a minor tweak on the IP addresses. Microsoft Defender ATP supports destination IPv4/IPv6 only. This means that for IPv4/IPv6 indicators you need to set the “networkDestinationIPv4” or “networkDestinationIPv6” properties. To add a second REST API call to the graph, just click the "+" sign after the Sentinel API call. Make sure to change the "targetProduct" field value to "Microsoft Defender ATP".
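The Switch-on-type mapping above, the MDATP variant, and the null “next” link edge case, as an added Python example (not the post's playbook or any Microsoft code): it reproduces the OTX GET parameters and builds the tiIndicators POST bodies for both target products from a constructed sample of the export response. Property names follow this page and its comments; networkIPv4/networkIPv6 for Sentinel and the lowercase fileHashType values are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

OTX_EXPORT_URL = "https://otx.alienvault.com/api/v1/indicators/export"
GRAPH_TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"
LOOKBACK_DAYS = 1  # the post's addDays(utcNow(),-1), paired with a daily Recurrence
EXPIRY_DAYS = 7    # the post's addDays(utcNow(),7)

# tiIndicators property carrying the observable, per OTX type and target product.
# Sentinel entries follow the post and its comments; Defender ATP only accepts
# destination IPs, as the post notes. networkIPv4/networkIPv6 for Sentinel are an
# assumption (the NetworkIP column queried later in the post is fed from them).
TYPE_TO_PROPERTY = {
    "Azure Sentinel": {"URL": "url", "domain": "domainName", "hostname": "domainName",
                       "IPv4": "networkIPv4", "IPv6": "networkIPv6",
                       "FilePath": "filePath", "Mutex": "fileMutexName"},
    "Microsoft Defender ATP": {"URL": "url", "domain": "domainName", "hostname": "domainName",
                               "IPv4": "networkDestinationIPv4", "IPv6": "networkDestinationIPv6"},
}
# Hash indicators use a (type, value) pair; the lowercase enum names are an assumption.
HASH_TYPES = {"FileHash-MD5": "md5", "FileHash-SHA1": "sha1", "FileHash-SHA256": "sha256"}


def iso_utc(ts):
    """ISO-8601 UTC timestamp, as used for OTX's modified_since and Graph's expirationDateTime."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def export_request(api_key, now, types):
    """Headers and query parameters of the HTTP GET step against OTX."""
    headers = {"X-OTX-API-KEY": api_key}
    params = {"modified_since": iso_utc(now - timedelta(days=LOOKBACK_DAYS)),
              "types": ",".join(types)}
    return headers, params


def to_ti_indicator(record, target_product, now):
    """Map one OTX result to a tiIndicators body; None means 'no Switch case for this type'."""
    body = {
        "action": "alert",
        "activityGroupNames": [],
        "confidence": 0,
        "description": f"OTX Threat Indicator - {record['type']}",
        "expirationDateTime": iso_utc(now + timedelta(days=EXPIRY_DAYS)),
        "externalId": str(record["id"]),
        "killChain": [],
        "malwareFamilyNames": [],
        "severity": 0,
        "tags": [],
        "targetProduct": target_product,
        "threatType": "WatchList",
        "tlpLevel": "white",  # OTX is public data, hence TLP:WHITE as in the post
    }
    otx_type = record["type"]
    if otx_type in HASH_TYPES:
        body["fileHashType"] = HASH_TYPES[otx_type]
        body["fileHashValue"] = record["indicator"]
        return body
    prop = TYPE_TO_PROPERTY.get(target_product, {}).get(otx_type)
    if prop is None:
        return None  # the post's 1/26/2022 note: every requested type needs its own case
    body[prop] = record["indicator"]
    return body


def collect_indicators(fetch, first_url, target_product, now):
    """Follow the export's "next" links until null, mapping every result on the way."""
    bodies, url = [], first_url
    while url:  # "next" is null on the last page, the schema edge case from the post
        page = fetch(url)
        for record in page.get("results", []):
            body = to_ti_indicator(record, target_product, now)
            if body is not None:
                bodies.append(body)
        url = page.get("next")
    return bodies


# Constructed sample of two export pages (not real OTX data; RFC 5737 / .invalid values).
SAMPLE_PAGES = {
    OTX_EXPORT_URL + "?page=1": {"count": 5, "previous": None, "next": OTX_EXPORT_URL + "?page=2",
        "results": [{"id": 1001, "indicator": "http://bad.example.invalid/login", "type": "URL"},
                    {"id": 1002, "indicator": "bad.example.invalid", "type": "domain"}]},
    OTX_EXPORT_URL + "?page=2": {"count": 5, "previous": OTX_EXPORT_URL + "?page=1", "next": None,
        "results": [{"id": 1003, "indicator": "203.0.113.10", "type": "IPv4"},
                    {"id": 1004, "indicator": "a" * 64, "type": "FileHash-SHA256"},
                    {"id": 1005, "indicator": "C:\\Windows\\Temp\\dropper.exe", "type": "FilePath"}]},
}


def fetch_sample(url):
    """Stand-in for the HTTP GET: serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    now = datetime(2020, 1, 3, 21, 0, tzinfo=timezone.utc)
    headers, params = export_request("<OTX API KEY>", now, ["domain", "IPv4", "URL"])
    print("GET", OTX_EXPORT_URL, params)  # the X-OTX-API-KEY header is deliberately not printed
    for product in TYPE_TO_PROPERTY:
        bodies = collect_indicators(fetch_sample, OTX_EXPORT_URL + "?page=1", product, now)
        print(f"{product}: {len(bodies)} POST bodies for {GRAPH_TI_URL}")
        print(json.dumps(bodies[0], indent=2))
```

Running it shows the FilePath record being dropped for the Defender ATP product, which is exactly what happens in the playbook when a requested type has no matching Switch case.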

Run queries against the data

Now that we have our enrichment data, how can we use it? Of course, it’s going to depend on what your other data sources are as well as what you’re looking for. We have a GitHub repository of really great queries that utilize the Threat Intelligence Indicators. Here’s one query I wrote that takes the malicious IP addresses and checks whether any of them show up in my Azure AD SigninLogs. This can be done pretty simply with the following query:

```kusto
let ipIndicators =
ThreatIntelligenceIndicator
| where NetworkIP != ""
| project IPAddress = NetworkIP;
ipIndicators
| join (SigninLogs) on IPAddress
```

What this query does is create a temporary table (“ipIndicators”) composed of just the IPv4 addresses from the ThreatIntelligenceIndicator table (the rows whose NetworkIP field is populated). This is then joined to the SigninLogs table using IPAddress as the key for the join (i.e., rows where the field values match in both tables).

Happy hunting!


Matt Egen @FlyingBlueMonki
Cybersecurity Solutions Group

References

Traffic Light Protocol: https://www.us-cert.gov/tlp

Diamond Model of intrusion Analysis: https://apps.dtic.mil/docs/citations/ADA586960

Lockheed Martin Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Azure Sentinel: Creating Custom Connectors: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-creating-custom-connectors/ba-p...

Using Threat Intelligence in your Jupyter Notebooks: https://techcommunity.microsoft.com/t5/azure-sentinel/using-threat-intelligence-in-your-jupyter-note...


52 Comments
Brass Contributor

Great blog post,


However, @Matt Egen, should we not include "url" (without quotes) in the HTTP action when you do the GET call towards AlienVault OTX, like below?


AlienVault_OTX.PNG


For those interested, here below is an example for the "domainName" indicator for those trying it.

```json
{
  "action": "alert",
  "activityGroupNames": [],
  "confidence": 0,
  "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
  "domainName": "@{items('For_each')?['indicator']}",
  "expirationDateTime": "@{addDays(utcNow(),7)}",
  "externalId": "@{items('For_each')?['id']}",
  "killChain": [],
  "malwareFamilyNames": [],
  "severity": 0,
  "tags": [],
  "targetProduct": "Azure Sentinel",
  "threatType": "WatchList",
  "tlpLevel": "white"
}
```

Regarding the app registration, make sure that the following permission is granted: ThreatIndicators.ReadWrite.OwnedBy

Microsoft

Hi @thomasdefise ,


Thanks for reading the article! You can certainly include "url" in the headers for the call to the OTX API. The image that I used for the post is an example, and I see now that I hadn't put "URL" into the field in that screen grab. Great catch! I'll update it later today.


Thanks again,


Matt

Microsoft

@Matt... I'm trying to walk a customer through this and I don't see where to "Select a trigger [manual or scheduled]".

What am I missing?

Copper Contributor

@Matt Egen ,


How do I get around this error?


{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles."

I have global admin and security admin permissions.

Copper Contributor

@David_Brilliant I'm having the same issue as well, did you end up getting it resolved?


EDIT: I got it resolved by using

```json
{
  "action": "alert",
  "activityGroupNames": [],
  "confidence": 0,
  "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
  "domainName": "@{items('For_each')?['indicator']}",
  "expirationDateTime": "@{addDays(utcNow(),7)}",
  "externalId": "@{items('For_each')?['id']}",
  "killChain": [],
  "malwareFamilyNames": [],
  "severity": 0,
  "tags": [],
  "targetProduct": "Azure Sentinel",
  "threatType": "WatchList",
  "tlpLevel": "white"
}
```

in the POST body.

Microsoft

Hey there @acoggins and @David_Brilliant ,

My apologies for the delay in responding to these comments. Apparently I don't have notifications configured properly on TechCommunity :( Looks like you got the issue(s) resolved though?


Copper Contributor

Hey @Matt Egen when I try to send the indicators to ATP it is seeing the URL/Domain indicators but none of the IP ones are showing up. I tried changing to networkDestinationIPv4 like you mentioned but that isn't working.

Copper Contributor

Hello,

I created a template which will deploy everything described in the article plus domain, IPv4, email, URI, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, CIDR, FilePath, Mutex.

In the parameters section you just need to add the required details for MS Graph and OTX. This will pull new indicators every 12h.

For those new to templates go to https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/quickstart-create-templates-...

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workflows_AlienVaultFeed_name": {
            "defaultValue": "OTXAlienVaultFeed",
            "type": "String"
        },
		"MS_Graph_clientId": {
            "defaultValue": "<PUT APP ID HERE>",
            "type": "String"
        },
		"MS_Graph_secret": {
            "defaultValue": "<PUT SECRET HERE>",
            "type": "String"
        },
		"MS_Graph_tenantID": {
            "defaultValue": "<PUT TENANT ID HERE>",
            "type": "String"
        },
		"OTX_API_key": {
            "defaultValue": "<PUT OTX API KEY HERE>",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[parameters('workflows_AlienVaultFeed_name')]",
            "location": "northeurope",
            "properties": {
                "state": "Enabled",
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "triggers": {
                        "Recurrence": {
                            "recurrence": {
                                "frequency": "Hour",
                                "interval": 12
                            },
                            "type": "Recurrence"
                        }
                    },
                    "actions": {
                        "For_each": {
                            "foreach": "@body('Parse_JSON')?['results']",
                            "actions": {
                                "Switch": {
                                    "runAfter": {},
                                    "cases": {
                                        "Case": {
                                            "case": "URL",
                                            "actions": {
                                                "HTTP_2": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white",
                                                            "url": "@{items('For_each')?['indicator']}"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_10": {
                                            "case": "FilePath",
                                            "actions": {
                                                "HTTP_11": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "filePath": "@{items('For_each')?['indicator']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_11": {
                                            "case": "Mutex",
                                            "actions": {
                                                "HTTP_12": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "fileMutexName": "@{items('For_each')?['indicator']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_2": {
                                            "case": "FileHash-SHA256",
                                            "actions": {
                                                "HTTP_3": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "FileHashType": "SHA256",
                                                            "FileHashValue": "@{items('For_each')?['indicator']}",
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_3": {
                                            "case": "email",
                                            "actions": {
                                                "HTTP_4": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "EmailSenderAddress": "@{items('For_each')?['indicator']}",
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_4": {
                                            "case": "IPv4",
                                            "actions": {
                                                "HTTP_5": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "networkIPv4": "@{items('For_each')?['indicator']}",
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_5": {
                                            "case": "domain",
                                            "actions": {
                                                "HTTP_6": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "domainName": "@{items('For_each')?['indicator']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_6": {
                                            "case": "URI",
                                            "actions": {
                                                "HTTP_7": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white",
                                                            "url": "@{items('For_each')?['indicator']}"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_7": {
                                            "case": "FileHash-MD5",
                                            "actions": {
                                                "HTTP_8": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "FileHashType": "MD5",
                                                            "FileHashValue": "@{items('For_each')?['indicator']}",
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_8": {
                                            "case": "FileHash-SHA1",
                                            "actions": {
                                                "HTTP_9": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "FileHashType": "SHA1",
                                                            "FileHashValue": "@{items('For_each')?['indicator']}",
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        },
                                        "Case_9": {
                                            "case": "CIDR",
                                            "actions": {
                                                "HTTP_10": {
                                                    "runAfter": {},
                                                    "type": "Http",
                                                    "inputs": {
                                                        "authentication": {
                                                            "audience": "https://graph.microsoft.com",
                                                            "clientId": "[parameters('MS_Graph_clientId')]",
                                                            "secret": "[parameters('MS_Graph_secret')]",
                                                            "tenant": "[parameters('MS_Graph_tenantID')]",
                                                            "type": "ActiveDirectoryOAuth"
                                                        },
                                                        "body": {
                                                            "action": "alert",
                                                            "activityGroupNames": [],
                                                            "confidence": 0,
                                                            "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
                                                            "expirationDateTime": "@{addDays(utcNow(),7)}",
                                                            "externalId": "@{items('For_each')?['id']}",
                                                            "killChain": [],
                                                            "malwareFamilyNames": [],
                                                            "networkSourceCidrBlock": "@{items('For_each')?['indicator']}",
                                                            "severity": 0,
                                                            "tags": [],
                                                            "targetProduct": "Azure Sentinel",
                                                            "threatType": "WatchList",
                                                            "tlpLevel": "white"
                                                        },
                                                        "headers": {
                                                            "content-type": "application/json"
                                                        },
                                                        "method": "POST",
                                                        "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
                                                    }
                                                }
                                            }
                                        }
                                    },
                                    "default": {
                                        "actions": {}
                                    },
                                    "expression": "@items('For_each')?['type']",
                                    "type": "Switch"
                                }
                            },
                            "runAfter": {
                                "Parse_JSON": [
                                    "Succeeded"
                                ]
                            },
                            "type": "Foreach"
                        },
                        "HTTP": {
                            "runAfter": {},
                            "type": "Http",
                            "inputs": {
                                "headers": {
                                    "X-OTX-API-KEY": "[parameters('OTX_API_key')]"
                                },
                                "method": "GET",
                                "queries": {
                                    "modified_since": "@addHours(utcNow(),-1)",
                                    "types": "URL,domain,IPv4,email,URI,FileHash-MD5,FileHash-SHA1,FileHash-SHA256,CIDR,FilePath,Mutex"
                                },
                                "uri": "https://otx.alienvault.com/api/v1/indicators/export"
                            }
                        },
                        "Parse_JSON": {
                            "runAfter": {
                                "HTTP": [
                                    "Succeeded"
                                ]
                            },
                            "type": "ParseJson",
                            "inputs": {
                                "content": "@body('HTTP')",
                                "schema": {
                                    "properties": {
                                        "count": {
                                            "type": "integer"
                                        },
                                        "next": {},
                                        "previous": {},
                                        "results": {
                                            "items": {
                                                "properties": {
                                                    "content": {
                                                        "type": "string"
                                                    },
                                                    "description": {},
                                                    "id": {
                                                        "type": "integer"
                                                    },
                                                    "indicator": {
                                                        "type": "string"
                                                    },
                                                    "title": {},
                                                    "type": {
                                                        "type": "string"
                                                    }
                                                },
                                                "required": [
                                                    "id",
                                                    "indicator",
                                                    "type",
                                                    "title",
                                                    "description",
                                                    "content"
                                                ],
                                                "type": "object"
                                            },
                                            "type": "array"
                                        }
                                    },
                                    "type": "object"
                                }
                            }
                        }
                    },
                    "outputs": {}
                },
                "parameters": {}
            }
        }
    ]
}

Best Regards,

Jmarci

Copper Contributor

Small correction - I noticed I used the wrong value for the modified_since time (the expression also needs the leading @ so the Logic App evaluates it rather than sending the literal text).

"modified_since": "@addHours(utcNow(),-1)",

In case of a 12h interval this should be:

"modified_since": "@addHours(utcNow(),-12)",

Best Regards,

Jmarci

Copper Contributor

Hi @Matt Egen  - thank you for the article!

 

I've done everything you've listed out and am able to run the logic app successfully. However, how do I verify that the TI has been ingested correctly in Sentinel?

I checked under Sentinel - Threat Management - Threat Intelligence and am not able to see the output of the integration. Unless I need to look elsewhere?

 

Your assistance, or anyone else, is greatly appreciated.

 

Best,

Al

Copper Contributor

Hi @moose7up ,

 

You should see records in ThreatIntelligenceIndicator which have OTX in the description, like in the screenshot below.

Regards,

Jmarci

 

Copper Contributor

Thanks @Jmarci666 !

 

However, I just found something's wrong with my logic app as I didn't get any results after running the query.

 

Have you seen this before? "branching condition is not satisfied"... I've placed screenshots of what I've done below. I will check on my side as well.

 

Thanks again. Al

 

Copper Contributor

Hi @moose7up 

 

You're missing the URL in the GET request.

Regards,

Jmarci

Copper Contributor

Thanks. I've updated that with lower/upper case for the "url", first on the GET, then on the POST, and it still returned the same results...

 

I've double checked w/the Auth section info (IDs) and still keep saying "ActionBranchingConditionNotSatisfied. The execution of template action 'HTTP_2' skipped: the branching condition for this action is not satisfied."

 

Any other suggestions you might have?

I'm thinking of recreating another identical logic app, but I'm not sure why that would be any different though..

 

Copper Contributor

Hi @Jmarci666 ,

 

Would you know why I keep getting the error message for this usage? I've followed all the suggested steps and unfortunately I'm still stuck with it.

Any help is greatly appreciated!

Regards,

Al

 

 

 

Microsoft

Hi @moose7up 

Sorry for the delayed response (again, I apparently don't have notifications set right on this site :( ). Looking at the screenshots so far, it looks like you're not seeing the "url" response entities coming from AlienVault OTX. If you look at the raw data of the HTTP response to the call, do you see URL responses? If so, then make sure the case statement is using the same case as the query (e.g. if all uppercase in the response, then it has to be all uppercase in the case switch statement).

 

Cheers,

 

Matt

Copper Contributor

Hello @Matt Egen

 

When I run the playbook, I get ValidationFailed. The schema validation failed:

Here is the Output:

 

[
  {
    "message": "Invalid type. Expected String but got Null.",
    "lineNumber": 0,
    "linePosition": 0,
    "path": "results[1].description",
    "schemaId": "#/properties/results/items/properties/description",
    "errorType": "type",
    "childErrors": []
  },
  {
    "message": "Invalid type. Expected String but got Null.",
    "lineNumber": 0,
    "linePosition": 0,
    "path": "results[2].description",
    "schemaId": "#/properties/results/items/properties/description",
    "errorType": "type",
    "childErrors": []
  },
.....................................................
 
 
Copper Contributor

I forgot to ask the question, sorry. This error is at the Parse JSON part. Could you tell me what I am doing wrong?

 

Thank you,

Adrian

Microsoft

Hi @adyp1988 ,

 

Well, it looks to me like you're getting back a null (or empty) value for the "description" field from OTX. It's possible that the schema changed since this article was written, but you could try modifying the JSON schema like so: where the current "description" field is defined, you could try changing it to:

"description": {"type": ["string", "null"] },

 

That should account for that possibility I think. Let me know if that works!

 

-Matt
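The null-description failure above comes down to one JSON Schema rule: a JSON null does not satisfy `"type": "string"`, so the Parse JSON step rejects the whole page. The following is an added example, not code from the article or the playbook: a small stdlib-only validator that implements the subset of JSON Schema the Parse JSON step uses here (type, properties, items, required) and runs the article-style schema, with and without the `["string", "null"]` fix, over a constructed OTX export page in which one indicator has a null description. The validator is not the Logic Apps engine; it only reproduces the same type-checking rule so the effect of the fix can be seen offline. The sample response and the `title`/`content` nullability are assumptions of the example.

```python
"""Added example: why "type": ["string", "null"] fixes the Parse JSON error.

Minimal JSON Schema type checker (type, properties, items, required), applied
to a constructed OTX /indicators/export page. Not the Logic Apps validator,
but it applies the same rule: null never satisfies "type": "string".
"""
import json

# Constructed sample page (not real OTX data); results[1] has a null description.
SAMPLE_RESPONSE = json.loads("""
{
  "count": 2,
  "next": null,
  "previous": null,
  "results": [
    {"id": 540030, "indicator": "185.141.27.143", "type": "IPv4",
     "title": null, "description": "CC=AE ASN=AS60117 Host Sailor Ltd", "content": ""},
    {"id": 540031, "indicator": "example.invalid", "type": "domain",
     "title": null, "description": null, "content": ""}
  ]
}
""")

JSON_TYPES = {
    "string": str, "integer": int, "number": (int, float),
    "boolean": bool, "object": dict, "array": list, "null": type(None),
}


def _type_ok(value, allowed):
    """True if value matches one of the JSON Schema type names in allowed."""
    allowed = [allowed] if isinstance(allowed, str) else allowed
    for name in allowed:
        # bool is a subclass of int in Python; JSON Schema keeps them distinct.
        if isinstance(value, bool) and name in ("integer", "number"):
            continue
        if isinstance(value, JSON_TYPES[name]):
            return True
    return False


def validate(instance, schema, path="$"):
    """Return a list of (path, message) errors; an empty list means valid."""
    errors = []
    if "type" in schema and not _type_ok(instance, schema["type"]):
        got = "Null" if instance is None else type(instance).__name__
        errors.append((path, f"Invalid type. Expected {schema['type']} but got {got}."))
        return errors
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append((f"{path}.{key}", "Required property missing."))
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def make_schema(nullable_description: bool) -> dict:
    """Article-style Parse JSON schema, with or without the null fix on description."""
    desc_type = ["string", "null"] if nullable_description else "string"
    return {
        "type": "object",
        "properties": {
            "count": {"type": "integer"},
            "next": {},
            "previous": {},
            "results": {
                "type": "array",
                "items": {
                    "type": "object",
                    "required": ["id", "indicator", "type", "title", "description", "content"],
                    "properties": {
                        "id": {"type": "integer"},
                        "indicator": {"type": "string"},
                        "type": {"type": "string"},
                        "title": {"type": ["string", "null"]},   # assumed nullable
                        "description": {"type": desc_type},
                        "content": {"type": ["string", "null"]}, # assumed nullable
                    },
                },
            },
        },
    }


def strict_errors():
    """Errors with "description": {"type": "string"} (the original schema)."""
    return validate(SAMPLE_RESPONSE, make_schema(nullable_description=False))


def relaxed_errors():
    """Errors with "description": {"type": ["string", "null"]} (the fix)."""
    return validate(SAMPLE_RESPONSE, make_schema(nullable_description=True))


if __name__ == "__main__":
    for path, msg in strict_errors():
        print("strict :", path, msg)
    print("relaxed:", relaxed_errors() or "no errors")
```

The strict schema reports exactly one error, at `$.results[1].description`, which is the same path shape (`results[N].description`) the Logic App run shows; the relaxed schema accepts the page. The same change applies to any other OTX field that can legitimately be null.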

 

Copper Contributor

Hello @Matt Egen ,

 

Thanks for the fast reply ! You were right. It worked. parse JSON is done. Now I have the following error :

[screenshot]

 

But I used the right client secret I think. Is it something not done correctly on the app registration part maybe? 

 

Thank you,

Adrian 

Microsoft

Hi @adyp1988 ,

 

That's what it looks like to me.  The error is specifically calling out the token value.  Double check that you've assigned the correct permissions to the app?

Copper Contributor

Hello @Matt Egen ,

 

I think so (see below picture). I verified the client ID and secret and they are correct. Any other ideas?

 

 

[screenshot]

 

Thank you for your fast replies,

Adrian

 

Copper Contributor

Hello @Matt Egen ,

 

I managed to get past the token invalid error -> it's not the "Secret ID" that must be inserted there but the "Value" of it... lol. Fixed now I think.

But now I get a "Forbidden" error and the following message:

 

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "date": "2021-08-10T11:00:31",
      "request-id": "b5ed5283-57bb-457d-bf3e-2ddf25b23b84",
      "client-request-id": "b5ed5283-57bb-457d-bf3e-2ddf25b23b84"
    }
  }
}
[screenshot]

Thank you in advance,

Adrian

 
Microsoft

Ahhh, it looks like you're using delegated permissions.  You'll want to use App Permissions instead.
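The 403 above can be diagnosed from the access token itself before touching the Logic App: a client-credentials (application permission) token carries the granted permissions in a `roles` claim, while a delegated-permission token carries them in `scp`, and the tiIndicators endpoint only honours the former. The following is an added example, not code from the article or the playbook: it builds constructed, unsigned tokens for each case and classifies them. It only decodes the payload, it does not verify the signature, so it is a troubleshooting aid and not an authorization check. The permission name ThreatIndicators.ReadWrite.OwnedBy and the Graph audience values are the ones this example assumes the playbook's app registration needs; all other claim values are made up.

```python
"""Added example: tell application-permission tokens from delegated ones.

Decodes (does not verify) a JWT payload and reports whether the token has the
application role Graph's tiIndicators endpoint needs, or only delegated scopes.
"""
import base64
import json

# Assumed to be the permission the playbook's app registration needs.
REQUIRED_APP_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"
# Microsoft Graph audiences: resource URL or the Graph application ID.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(part: str) -> bytes:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token; the signature segment is left empty on purpose."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."


def token_claims(token: str) -> dict:
    """Decode the payload segment only. No signature verification is done."""
    try:
        _header, payload, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a three-segment JWT") from None
    return json.loads(_b64url_decode(payload))


def diagnose(token: str, required_role: str = REQUIRED_APP_ROLE) -> str:
    """Return 'ok', 'delegated', 'missing-role' or 'wrong-audience'.

    'delegated' is the case from this thread: the app registration was given
    delegated permissions, so the token has scp but no roles claim.
    """
    claims = token_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return "wrong-audience"
    if required_role in claims.get("roles", []):
        return "ok"
    if "scp" in claims:
        return "delegated"
    return "missing-role"


# Constructed tokens (not real credentials, not signed).
APP_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": ["ThreatIndicators.ReadWrite.OwnedBy"],
    "appid": "00000000-0000-0000-0000-000000000001",
})
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "ThreatIndicators.ReadWrite.OwnedBy User.Read",
    "upn": "someone@example.invalid",
})
NO_ROLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": ["SecurityEvents.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("delegated", DELEGATED_TOKEN), ("no-role", NO_ROLE_TOKEN)):
        print(f"{name:10s} -> {diagnose(tok)}")
```

To use it on a real run, paste the bearer token from the Logic App's HTTP action input into `diagnose()`; a result of `delegated` means the fix is the one given above (grant application permissions and admin-consent them), while `missing-role` means the permission was not granted or consent has not been given yet.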

Copper Contributor

Hello @Matt Egen 

 

You're right. That was the problem. Works now :)

 

Many Thanks,

Adrian

Copper Contributor

Hi @Matt Egen 

 

I am currently having a similar issue to @moose7up where I'm not getting an error but looking back at the run history I can see that the "Case Equals URL" is giving an error "ActionBranchingConditionNotSatisfied"

 

I have read through all the comments trying to fix this issue but cannot seem to work it out. Any help would be much appreciated.

 

Screenshots of setup:

[screenshot]

[screenshot] [screenshot]

 

 

 

Thanks

Jordan

Microsoft

Hi @JWat12 (Jordan),

 

Apologies for the delay in responding.  When you see the error, if you look at the details of the run and click on the error, do you see error details by any chance?

Copper Contributor

Hi @Matt Egen,

 

Thanks for the awesome writeup. I am trying to set this up and while running the playbook, it is erroring out at the stage of sending the retrieved indicator data to Microsoft Graph Security API. I'm able to view different retrieved indicators(domains, IPv4, hostnames etc.) as the output of the GET request and as the input to the final POST request to the Graph API, but the output of POST request shows the error message: 

Http request failed with statusCode=BadRequest : {\"error\":{\"code\":\"ValidationFailed\",\"message\":\"Validation of indicator content failed.\",\"target\":\"body\",\"details\":[{\"code\":\"ValidationFailed\",\"message\":\"At least one Observable must be set (e.g. IP or URL).\",\"target\":\"Any Observables (e.g. IP or URL).\"}]}}; "
 
Here is the body of the POST request for your reference:
 
[screenshot]

 

Please help out on this issue. Thank you.
 
Regards,
Anand R Menon 
Copper Contributor

For those that are stuck with the: "ActionBranchingConditionNotSatisfied" in the switch portion. @moose7up 
In the first HTTP GET section the example uses the types domain, hostname, and IPv4. These need to be matched in the case section. The guide does mention this, but then uses URL as the example rather than one of those 3 types. So the case is trying to match URL, which isn't in any of the three you used in the HTTP GET section. If you want to get to a working example, only input URL as the type in the HTTP GET section and then follow the rest of the guide. I had also followed the guide line by line and hit the same issue. The template posted by @Jmarci666 helped me realise that was the issue.

 

The easier way to get this working now is to use the Playbook from Azure on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-AlienVault_OTX

 

It is still worth understanding how this all works so you can build your own in the future or troubleshoot it when it goes wrong :)

Microsoft

@emilec :  Good catch on needing the additional note / data about the other switch cases.  I'll add it to the article.  Thank you!  And you're right, the easiest way to do this now is to use the Playbooks in the GitHub repository :)

Sorry for the delay in responding to this

Copper Contributor

Hey Matt and everyone,

 

I have tested the GitHub playbook - it runs fine, however I'm only getting about 100 TI events in Sentinel in the past hour. Recurrence is set to 1 day and lookback was set to 365 days for the first trigger. After successful execution, I switched the lookback to 1 day as per the recommendation. Any idea why it's not ingesting as expected as described in the guide (10k in 10 mins etc.)?

Steel Contributor

Hello everyone, 

It started working for me only when I changed the target from "Azure Sentinel" to "Microsoft Sentinel" and Connected "Threat Intelligence Platforms (Preview)" under Data Connectors. 

 

By the way, is the "confidence" parameter used anywhere? I tried to set 95 but the playbook ingested 50, 80, and 90 but nothing that is higher than 95.

 

UPD:

It didn't work with "Microsoft Sentinel" as a target parameter. Use default, "Azure Sentinel".

Copper Contributor

@kraken85 For the playbook on GitHub, did you retain the minus in front of the look-back days? That recently caught me. If you leave the minus out it adds the 365 to the date and looks for events a year into the future to ingest. Caused me some head scratching at the end of a long day :lol:
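Three of the failure modes discussed in this thread live in the same small piece of logic: the Switch on indicator type is an exact, case-sensitive string comparison (a "url" branch never matches an OTX type of "URL", hence ActionBranchingConditionNotSatisfied); when no branch matches, no observable field is set on the tiIndicator and Graph answers 400 "At least one Observable must be set (e.g. IP or URL)"; and the look-back offset has to be negative or the export is asked for indicators modified in the future. The following is an added example, not code from the article or the GitHub playbook: it reproduces that logic in plain Python so it can be checked offline, once with correctly spelled case branches and once with the misspelled "url" branch. The tiIndicator field names (networkIPv4, domainName, url), the mapping of OTX "hostname" to domainName, the `modified_since` timestamp format, and the sample results are assumptions of the example.

```python
"""Added example: the case-sensitive type switch, the "no observable" error,
and the look-back sign, reproduced outside Logic Apps.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# The "case" branches of the Switch: exact OTX type name -> tiIndicator field.
# Keys are case-sensitive on purpose; so is the Logic App Switch.
# (Field names and the hostname -> domainName mapping are assumptions.)
CASE_BRANCHES = {
    "IPv4": "networkIPv4",
    "domain": "domainName",
    "hostname": "domainName",
    "URL": "url",
}
# The mistake from this thread: branch spelled "url", OTX returns "URL".
MISSPELLED_BRANCHES = {**CASE_BRANCHES}
MISSPELLED_BRANCHES["url"] = MISSPELLED_BRANCHES.pop("URL")


class NoObservable(ValueError):
    """Where Graph would answer 400 ValidationFailed: no observable was set."""


def build_ti_indicator(result: dict, branches: dict,
                       target_product: str = "Azure Sentinel",
                       expire_days: int = 30) -> dict:
    """Turn one OTX export result into a Graph beta tiIndicator body."""
    field = branches.get(result["type"])  # exact-case lookup, like the Switch
    if field is None:
        raise NoObservable(
            f"type {result['type']!r} matched no case branch "
            f"(branches: {sorted(branches)}); no observable set")
    now = datetime.now(timezone.utc)
    return {
        "action": "alert",
        "description": result.get("description") or f"OTX {result['type']} indicator",
        "expirationDateTime": (now + timedelta(days=expire_days)).isoformat(),
        "targetProduct": target_product,
        "threatType": "WatchList",
        "tlpLevel": "green",
        "externalId": str(result["id"]),
        field: result["indicator"],
    }


def process_page(results, branches=CASE_BRANCHES):
    """Split one page of OTX results into POST bodies and skipped items."""
    bodies, skipped = [], []
    for r in results:
        try:
            bodies.append(build_ti_indicator(r, branches))
        except NoObservable as e:
            skipped.append((r["indicator"], str(e)))
    return bodies, skipped


def export_query(lookback_days: int,
                 types=("IPv4", "domain", "hostname", "URL")) -> str:
    """Query string for the OTX export call.

    The sign is applied here, so a caller cannot repeat the "forgot the minus"
    mistake; a non-positive look-back is rejected instead of silently
    producing a modified_since in the future.
    """
    if lookback_days <= 0:
        raise ValueError("lookback_days must be a positive number of days")
    since = datetime.now(timezone.utc) - timedelta(days=lookback_days)
    return urlencode({
        "types": ",".join(types),
        "modified_since": since.strftime("%Y-%m-%dT%H:%M:%S"),  # assumed format
    })


# Constructed sample page, shaped like the parsed results in this thread.
SAMPLE_RESULTS = [
    {"id": 540030, "indicator": "185.141.27.143", "type": "IPv4",
     "title": None, "description": "CC=AE ASN=AS60117 Host Sailor Ltd", "content": ""},
    {"id": 540031, "indicator": "http://example.invalid/x", "type": "URL",
     "title": None, "description": None, "content": ""},
]

if __name__ == "__main__":
    print("GET /api/v1/indicators/export?" + export_query(365))
    for label, branches in (("correct", CASE_BRANCHES), ("misspelled", MISSPELLED_BRANCHES)):
        bodies, skipped = process_page(SAMPLE_RESULTS, branches)
        print(f"{label}: {len(bodies)} indicators to POST, {len(skipped)} skipped")
        for ind, why in skipped:
            print("  skipped", ind, "->", why)
```

With the misspelled branches the URL indicator is skipped with a message naming the branch set, which is the information the Logic App run history does not show you directly. In the playbook the equivalent check is to compare the `type` values in the HTTP GET output against the case labels of the Switch, character for character.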

Steel Contributor

Good day to all,

Does anybody use this Playbook? 

I've found a new issue. 

For each indicator I have values like: 

[screenshot]

 

The playbook enters "time" in each value. 

Even after deploying it from scratch, it enters the same thing.

 

UPD:

 

I don't believe that only I have issues with this playbook :)

Now I removed "FileCreatedDateTime: utcNow()" from the Send to Sentinel part and it works fine.

I wonder why the removed parameter exists in the GitHub playbook but doesn't exist in the example from the article.

 

@JWat12 "url" needs to be changed with "URL" under Switch on indicator type -> URL.

Copper Contributor

Hi @emilec ,

 

You are right - I misinterpreted the 'minus' as well :)

 

Copper Contributor

I deployed the playbook from github earlier today and am having issues getting it working. This is what I see in the run history

[screenshot]

 

This is what I see in the run details:

[screenshot]

 

Any thoughts/help would be greatly appreciated!

Copper Contributor

@JimK1  check your output in the logic app block and see what is the error message. That would provide you some context on what's failing

Steel Contributor

@JimK1 there are some fixes that should be done in order to get the playbook working.

Please, check my comments above.

Copper Contributor

@kraken85 & @mikhailf - thanks for your posts. I'm kind of new to this so please pardon my newbie questions.

@kraken85 I don't see any info in the output that would be indicative of what's failing; here's a sample of what I see in OUTPUTS:

{
      "id": 540030,
      "indicator": "185.141.27.143",
      "type": "IPv4",
      "title": null,
      "description": "CC=AE ASN=AS60117 Host Sailor Ltd",
      "content": ""
    },

 

The only error(s) I see are in the Switch on indicator type step under Processing Pages:

[screenshot]

@mikhailf - I'm not sure where to review/update the information from your previous posts.

Again, please pardon my newbie questions ;)

Steel Contributor

@JimK1 sent you a private message.

Copper Contributor

Hi, can someone please explain or provide some hints on the following. I'm ingesting IOCs via the Graph API in a Logic App. I'm getting HTTP 201 but no data is available under the ThreatIntelligenceIndicator table in Sentinel.

[screenshot]

When I then make a call to list threat intelligence indicators (List threat intelligence indicators - Microsoft Graph beta | Microsoft Docs) it is not returning any data:

[screenshot]

Steel Contributor

Hello @crypto4096,

Did you subscribe to any IOCs on AlienVault website?

Copper Contributor

Hi @mikhailf ,

 

the problem was that I haven't enabled the Threat Intelligence Platforms data connector. My bad - now I can see the data in the corresponding Sentinel table. 

Thanks 

Copper Contributor

Can someone enlighten me why my Logic App's "Switch" is unable to see the "Type" value?

[screenshot]

My parsing schema is working fine:

{
    "properties": {
        "count": {
            "type": "integer"
        },
        "next": {},
        "previous": {},
        "results": {
            "items": {
                "properties": {
                    "content": {
                        "type": [
                            "string",
                            "null"
                        ]
                    },
                    "description": {
                        "type": [
                            "string",
                            "null"
                        ]
                    },
                    "id": {
                        "type": [
                            "integer",
                            "null"
                        ]
                    },
                    "indicator": {
                        "type": [
                            "string",
                            "null"
                        ]
                    },
                    "title": {
                        "type": [
                            "string",
                            "null"
                        ]
                    },
                    "type": {
                        "type": [
                            "string"
                        ]
                    }
                },
                "required": [
                    "id",
                    "indicator",
                    "type",
                    "title",
                    "description",
                    "content"
                ],
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}
 
The parsed result:
{
  "results": [
    {
      "id": 302823502,
      "indicator": "103.85.24.121",
      "type": "IPv4",
      "title": null,
      "description": null,
      "content": ""
    },
    {
      "id": 770206482,
      "indicator": "103.78.242.62",
      "type": "IPv4",
      "title": null,
      "description": null,
      "content": ""
    },
    {
      "id": 1843551844,
      "indicator": "92.38.176.47",
      "type": "IPv4",
      "title": null,
      "description": null,
      "content": ""
    },
    {
      "id": 2285315518,
      "indicator": "149.28.16.63",
      "type": "IPv4",
      "title": null,
      "description": "CC=JP ASN=AS20473 AS-CHOOPA",
      "content": ""
    },
Copper Contributor

My Logic App is working fine. I have also connected the connector for Threat Intelligence Platforms in Sentinel. But still no data is showing up in Sentinel, nor in the "ThreatIntelligenceIndicator" table.

Copper Contributor

There is no way this works as of 2-14-2023; the beta endpoints apparently are no longer POSTing to Sentinel.

 

Sorry, this does work. You need this connector to be enabled:

[screenshot]

Steel Contributor

@ameri1805

We used this playbook yesterday and it worked well.

Copper Contributor

@mikhailf  with the beta endpoints?

Steel Contributor
Copper Contributor

@mikhailf  interesting.

Does your app registration have anything other than these permissions?

[screenshot]

 

I can POST to the endpoint successfully (I get the right code and objects back); however, the indicators don't show up in Sentinel's Threat Intel blade, nor in the "ThreatIntelligenceIndicator" table in Log Analytics.

Last update: Nov 04 2022 10:10 AM