
Alienvault otx taxii feed

**UPDATE**: Please note, to enable this capability in Sentinel, you will need to ensure that you’ve enabled the “Threat Intelligence Platforms” data connector.

One of the key capabilities of Azure Sentinel has always been its ability to work with data from multiple sources, including Threat Indicator Providers who can provide their data directly into the environment via the Microsoft Security Graph. But what if you have a source of indicators or other enrichment data that you want to use in Azure Sentinel but no connector to ingest it with? While Ofer Shezaf has written a great blog post about creating custom connectors and Ian Hellen wrote up an outstanding blog about using OTX data in Jupyter Notebooks in Sentinel, this blog post is going to expand upon their work by walking through adding a custom Sentinel Playbook (Azure Logic App) to connect to AlienVault’s Open Threat Exchange (OTX) REST API to ingest threat indicators for use in hunting and alerts. While this blog is specifically about using AlienVault OTX, one could use this same methodology with almost any API-based data source.

OTX is an open community sharing various indicators of compromise (IOCs) such as IP addresses, domains, hostnames, URLs, SHAs, etc. For this example, we’re going to limit our ingestion to just IPs, URLs, and hostnames, but many of the IOCs in OTX can be imported into Azure Sentinel and Microsoft Defender ATP as indicators.

To utilize the OTX API feed, you’ll want to head over to the OTX site to establish an account. Once you’ve signed up you will be able to access detailed documentation as well as your API key via the dashboard. On the dashboard, select the “API Integration” link to get to your API key. This section of the panel is also where you’ll be able to confirm from the OTX side that your connection is functional.

Now that we have a key for the OTX API, we’re going to need to create a new Playbook in Sentinel. To start, navigate to the Playbooks tab in Sentinel and select “Add Playbook”. Give your playbook a descriptive name and select the correct Azure Subscription to attach it to. For the Resource Group field, you can either create a new Resource Group or attach it to an existing one. The best practice would be to attach it to the same Resource Group you’re using for Sentinel (you can determine the Resource Group for your Sentinel instance by going to Settings, then Workspace Settings, and then selecting “Properties”). Finally, choose the geographic location you wish your Playbook to run in. After clicking “Create”, your new Playbook will be added to the Playbooks tab and you will be taken to the Logic Apps Designer workspace.

As you can see, there are multiple options available for us to choose from. Since we’re going to be creating a custom connector, we’re going to be manually defining the values for our Playbook. To do this, select “Blank Logic App”. In this case, we’re going to choose a “Scheduled” trigger. There are two kinds:

  • “Recurrence”, where the trigger will fire on a regular basis, and
  • “Sliding Window”, where the triggers are a series of fixed-sized, non-overlapping, and contiguous time intervals from a specified start time.

For this example, we’re going to use a simple Recurrence trigger and set the frequency to 1 day.

Great! Now that we’ve defined when we want to go get our data, it’s time to go get it. Click the “New Step” button below the Trigger. This will present us with the “Choose an action” window to choose our next step. We’re going to be seeing more of this page in the future, so I’ll only include it this once. For retrieving the OTX data, we’re going to choose the “HTTP Built-in” connector and then the “HTTP” action. This will then open the parameters page for the HTTP action. We’re going to use the following settings for this connection:

  • Headers: The headers field is broken out into name / value fields. In the first field enter “X-OTX-API-KEY” (minus the quotes) and in the second field enter your API key from the OTX Dashboard.
  • Queries: This is where we’re going to add in the parameters of the actual query itself. These are defined in the “Docs” page for OTX and we’re using the “indicators/export” call.
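The HTTP action described above, re-created in Python as an added example (not the post’s own code): the same GET to indicators/export with the API key in the X-OTX-API-KEY header, followed by the post’s filter to IPs, URLs and hostnames, with a well-formedness check so malformed values never reach the Sentinel indicator store. The endpoint URL, the modified_since and limit query parameters, the response shape and the OTX type names are assumptions taken from the OTX API documentation, and the sample reply is constructed.

```python
# Added example (not from the original post): the OTX call the Logic App's
# HTTP action makes, plus the post's filter to IPs, URLs and hostnames. The
# endpoint URL, the modified_since/limit query params, the response shape
# ({"results": [{"indicator", "type", ...}]}) and the type names are taken
# from the OTX API docs as assumptions; the sample reply below is constructed.
import ipaddress
import json
from urllib.parse import urlparse
from urllib.request import Request

OTX_EXPORT_URL = "https://otx.alienvault.com/api/v1/indicators/export"
WANTED_TYPES = {"IPv4", "IPv6", "URL", "hostname"}

# Constructed sample of an indicators/export reply, standing in for the live API.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"id": 1, "indicator": "198.51.100.23", "type": "IPv4"},
    {"id": 2, "indicator": "http://example.test/path", "type": "URL"},
    {"id": 3, "indicator": "bad.example.test", "type": "hostname"},
    {"id": 4, "indicator": "a" * 64, "type": "FileHash-SHA256"},  # out of scope
    {"id": 5, "indicator": "999.1.1.1", "type": "IPv4"},  # malformed, dropped
]})


def build_export_request(api_key: str, modified_since: str) -> Request:
    """The GET the Logic App issues: API key in the X-OTX-API-KEY header."""
    url = f"{OTX_EXPORT_URL}?modified_since={modified_since}&limit=1000"
    return Request(url, headers={"X-OTX-API-KEY": api_key}, method="GET")


def is_well_formed(value: str, kind: str) -> bool:
    """Reject malformed indicators before they are pushed into Sentinel."""
    if kind in ("IPv4", "IPv6"):
        try:
            return ipaddress.ip_address(value).version == (4 if kind == "IPv4" else 6)
        except ValueError:
            return False
    if kind == "URL":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    return 0 < len(value) <= 253 and " " not in value  # hostname


def select_indicators(raw_json: str) -> list[dict]:
    """Keep in-scope, well-formed indicators as {type, value, source_id}."""
    selected = []
    for item in json.loads(raw_json).get("results", []):
        kind, value = item.get("type"), item.get("indicator", "")
        if kind in WANTED_TYPES and is_well_formed(value, kind):
            selected.append({"type": kind, "value": value, "source_id": item["id"]})
    return selected
```

Running select_indicators over SAMPLE_RESPONSE yields the three in-scope indicators; the hash is out of scope and the malformed IPv4 is rejected by the well-formedness check.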