Malicious Domain Push to Other Services

Copper Contributor

Hi All!


I am looking for a way to automate pushing malicious domains found in Sentinel to other services such as O365, Zscaler and INKY. I believe that there is potential to use Logic Apps, but I am unsure of the specifics on how to implement or design.


Any help or suggestions you can provide, would be greatly appreciated!


Thank you in advance!

4 Replies
Can you provide additional information on the desired flow, the source analytics rules and whether the destination services have an API available?
Our idea for this desired flow is ingesting a new known malicious domain into Sentinel, once received, it will block the specific domains within Sentinel, but then be pushed out to other services such as INKY and Zscaler to block on those services as well. Currently working on implementing analytic rules and standing up sentinel, so I do not currently have the list of source analytic rules, but one that potentially will be added is "URL Added to Application from Unknown Domain". Regarding the APIs, I believe that Zscaler does have an API that can connect and O365 is connected internally.
Well, for external services the easiest will be a logic app triggered by incident/alert automation rule which connects to those services that have an API with a PUT call to add those URLs to those services, though the actual syntax will depend on that service. Make sure you integrate the key vault for the secrets required to connect to the external services.

That said, as this is very early in the project lifetime I feel that this is more of a general architecture to be discussed with a specialized consultant rather than asked in a general forum like this that is more focused on specific issues.
Thanks for direction on this. More than likely, we will be discussing with specialized consultant. Putting it on here was more of a way to gauge if anyone had done something similar to this. I appreciate the feedback.