
Alienvault otx api group
For this example, we're going to limit our ingestion to just IPs, URLs, and hostnames, but many of the IOCs in OTX can be imported into Azure Sentinel and Microsoft Defender ATP as indicators. To utilize the OTX API feed, you'll want to head over to the OTX site to establish an account. Once you've signed up you will be able to access detailed documentation as well as your API key via the dashboard. On the dashboard, select the "API Integration" link to get to your API key. This section of the panel is also where you'll be able to confirm from the OTX side that your connection is functional. Now that we have a key for the OTX API, we're going to need to create a new Playbook in Sentinel. To start, navigate to the Playbooks tab in Sentinel and select "Add Playbook". Give your playbook a descriptive name and select the correct Azure Subscription to attach it to.
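The walkthrough limits ingestion to IPs, URLs and hostnames. As an added example (not the playbook from the original post), the Python below builds the authenticated request for OTX's subscribed-pulses feed and then filters one page of pulse data down to just those indicator types, de-duplicating and dropping malformed entries before they would be handed to Sentinel. The endpoint path `/api/v1/pulses/subscribed`, the `X-OTX-API-KEY` header and the pulse JSON layout are assumptions about the OTX v1 API; the sample page is constructed, so the block runs offline.

```python
"""Added example: select OTX pulse indicators for Sentinel ingestion.

Illustrative code written for this page, not the original post's playbook.
Assumptions (labelled): the OTX v1 endpoint /api/v1/pulses/subscribed,
the X-OTX-API-KEY header, and the pulse JSON shape shown in SAMPLE_PAGE,
which is a constructed sample using reserved example addresses/names.
"""
import json
import urllib.request
from typing import Dict, List

OTX_BASE = "https://otx.alienvault.com/api/v1"  # assumed OTX v1 API base

# OTX indicator type names we keep, mapped to a generic indicator type label.
# Everything else (file hashes, CVEs, email addresses, ...) is dropped, as the
# walkthrough only ingests IPs, URLs and hostnames.
KEEP_TYPES = {
    "IPv4": "ipv4-addr",
    "IPv6": "ipv6-addr",
    "URL": "url",
    "hostname": "hostname",
}


def build_request(api_key: str, page: int = 1) -> urllib.request.Request:
    """Build the authenticated GET for one page of subscribed pulses.

    The request is only constructed here (never sent), so the block runs
    offline; urllib.request.urlopen(build_request(key)) would fetch it.
    """
    url = f"{OTX_BASE}/pulses/subscribed?page={page}"
    return urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})


def extract_indicators(pulse_page: dict) -> List[Dict[str, str]]:
    """Flatten one page of pulses into indicator records.

    Keeps only KEEP_TYPES, skips empty values, and de-duplicates across
    pulses (case-insensitively for addresses and hostnames; URLs are
    compared exactly because their paths may be case-sensitive).
    """
    seen = set()
    records: List[Dict[str, str]] = []
    for pulse in pulse_page.get("results", []):
        for ind in pulse.get("indicators", []):
            itype = ind.get("type")
            value = (ind.get("indicator") or "").strip()
            if itype not in KEEP_TYPES or not value:
                continue
            mapped = KEEP_TYPES[itype]
            key = (mapped, value if mapped == "url" else value.lower())
            if key in seen:
                continue
            seen.add(key)
            records.append({
                "type": mapped,
                "value": value,
                "pulse": pulse.get("name", ""),
                "description": ind.get("description", ""),
            })
    return records


# Constructed sample in the assumed OTX pulse shape (TEST-NET-3 address,
# .invalid names); not real threat data.
SAMPLE_PAGE = {
    "results": [
        {
            "name": "Constructed pulse A",
            "indicators": [
                {"indicator": "203.0.113.10", "type": "IPv4", "description": "c2"},
                {"indicator": "http://example.invalid/payload", "type": "URL"},
                {"indicator": "mail.example.invalid", "type": "hostname"},
                {"indicator": "0" * 64, "type": "FileHash-SHA256"},  # dropped
            ],
        },
        {
            "name": "Constructed pulse B",
            "indicators": [
                {"indicator": "203.0.113.10", "type": "IPv4"},       # duplicate
                {"indicator": "MAIL.example.invalid", "type": "hostname"},  # duplicate
                {"indicator": "example.invalid", "type": "domain"},  # not kept
                {"indicator": "", "type": "IPv4"},                   # malformed
            ],
        },
    ]
}


def demo() -> List[Dict[str, str]]:
    """Run the filter over the constructed sample page."""
    return extract_indicators(SAMPLE_PAGE)


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

In a playbook the same filtering step sits between the HTTP action that calls OTX and the action that writes indicators to Sentinel, so that only the types you actually intend to alert on are written.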

One of the key capabilities of Azure Sentinel has always been its ability to work with data from multiple sources, including Threat Indicator Providers who can provide their data directly into the environment via the Microsoft Security Graph. But what if you have a source of indicators or other enrichment data that you want to use in Azure Sentinel but no connector to ingest it with? While Ofer Shezaf has written a great blog post about creating custom connectors and Ian Hellen wrote up an outstanding blog about using OTX data in Jupyter Notebooks in Sentinel, this blog post is going to expand upon their work by walking through adding a custom Sentinel Playbook (Azure Logic App) to connect to AlienVault's Open Threat Exchange (OTX) REST API to ingest threat indicators for use in hunting and alerts. While this blog is specifically about using AlienVault OTX, one could use this same methodology with almost any API-based data source. OTX is an open community sharing various indicators of compromise (IOCs) such as IP addresses, domains, hostnames, URLs, SHAs, etc.

**UPDATE**: Please note, to enable this capability in Sentinel, you will need to ensure that you've enabled the "Threat Intelligence Platforms" data connector.