

ALIENVAULT OTX TAXII FEED HOW TO
This section describes how to configure FortiSIEM to work with AlienVault OTX malware domains, IPs, URLs, and hashes.

Working with AlienVault OTX Malware Domains.
Working with AlienVault OTX Malware IPs.
Working with AlienVault OTX Malware URLs.
Working with AlienVault OTX Malware Hash.

ALIENVAULT OTX TAXII FEED UPDATE
In the Update AlienVault OTX Service dialog box, select Enable AlienVault OTX Service.

Use the following values to configure AlienVault OTX Malware IPs for FortiSIEM.
[Parameter table not recovered from the page; the update service value it listed is OTXMalwareIPUpdateService.]

For AlienVault OTX Malware URLs, go to Resources > Malware URLs, select the AlienVault OTX Malware URL folder, and repeat the same steps as for AlienVault OTX Malware Domains. Use the following values to configure AlienVault OTX Malware URLs for FortiSIEM.
[Parameter table not recovered from the page; the update service value it listed is OTXMalwareUrlUpdateService.]

For AlienVault OTX Malware Hash, go to Resources > Malware Hash, select the AlienVault OTX Malware Hash folder, and repeat the same steps as for AlienVault OTX Malware Domains. Use the following values to configure AlienVault OTX Malware Hash for FortiSIEM.
[Parameter table not recovered from the page.]

**UPDATE**: Please note, to enable this capability in Sentinel, you will need to ensure that you've enabled the "Threat Intelligence Platforms" data connector.

One of the key capabilities of Azure Sentinel has always been its ability to work with data from multiple sources, including Threat Indicator Providers who can provide their data directly into the environment via the Microsoft Security Graph. While Ofer Shezaf has written a great blog post about creating custom connectors and Ian Hellen wrote up an outstanding blog about using OTX data in Jupyter Notebooks in Sentinel, this blog post is going to expand upon their work by walking through adding a custom Sentinel Playbook (Azure Logic App) to connect to AlienVault's Open Threat Exchange (OTX) REST API to ingest threat indicators for use in hunting and alerts.

But what if you have a source of indicators or other enrichment data that you want to use in Azure Sentinel but no connector to ingest it with? While this blog is specifically about using AlienVault OTX, one could use this same methodology with almost any API-based data source. OTX is an open community sharing various indicators of compromise (IOCs) such as IP addresses, domains, hostnames, URLs, SHAs, etc. For this example, we're going to limit our ingestion to just IPs, URLs, and hostnames, but many of the IOCs in OTX can be imported into Azure Sentinel and Microsoft Defender ATP as indicators.

To utilize the OTX API feed, you'll want to head over to OTX and establish an account. Once you've signed up you will be able to access detailed documentation as well as your API key via the dashboard. On the dashboard, select the "API Integration" link to get to your API key. This section of the panel is also where you'll be able to confirm from the OTX side that your connection is functional.

Now that we have a key for the OTX API, we're going to need to create a new Playbook in Sentinel. To start, navigate to the Playbooks tab in Sentinel and select "Add Playbook". Give your playbook a descriptive name and select the correct Azure Subscription to attach it to. For the Resource Group field, you can either create a new Resource Group or attach it to an existing one. The best practice would be to attach it to the same Resource Group you're using for Sentinel (you can determine the Resource Group for your Sentinel instance by going to Settings, then Workspace Settings, and then selecting "Properties").
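The indicator selection the playbook performs, keeping only IPs, URLs and hostnames out of everything a pulse carries, as an added Python example that is not the blog's Logic App: the pulse layout is a constructed sample modelled on the OTX pulses/subscribed response, and the X-OTX-API-KEY header name used by the fetch helper is an assumption.

```python
"""Filter AlienVault OTX pulse indicators down to the IPv4, URL and hostname types
the Sentinel playbook ingests. Added example, not the blog's Logic App. The pulse
layout is a constructed sample modelled on the OTX /api/v1/pulses/subscribed
response; the X-OTX-API-KEY request header name is an assumption."""
import json
import urllib.request

OTX_SUBSCRIBED_URL = "https://otx.alienvault.com/api/v1/pulses/subscribed"
# Only these OTX indicator types are forwarded; hashes and the rest are dropped.
WANTED_TYPES = {"IPv4", "URL", "hostname"}

# Constructed sample: two pulses sharing one IP, plus one unwanted hash entry.
SAMPLE_PULSES = {"results": [
    {"id": "pulse-1", "name": "Sample pulse A", "indicators": [
        {"indicator": "198.51.100.7", "type": "IPv4"},
        {"indicator": "http://example.test/login", "type": "URL"},
        {"indicator": "0" * 64, "type": "FileHash-SHA256"},
    ]},
    {"id": "pulse-2", "name": "Sample pulse B", "indicators": [
        {"indicator": "198.51.100.7", "type": "IPv4"},
        {"indicator": "mail.example.test", "type": "hostname"},
    ]},
]}


def fetch_subscribed_pulses(api_key: str) -> dict:
    """Pull the account's subscribed pulses from OTX (live call; not exercised here)."""
    req = urllib.request.Request(OTX_SUBSCRIBED_URL, headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_indicators(pulses: dict, wanted=WANTED_TYPES) -> list:
    """Return unique {value, type, pulse} records for the wanted types only,
    in first-seen order so repeated runs produce a stable list."""
    seen, out = set(), []
    for pulse in pulses.get("results", []):
        for ind in pulse.get("indicators", []):
            value, itype = ind.get("indicator"), ind.get("type")
            if not value or itype not in wanted or (value, itype) in seen:
                continue
            seen.add((value, itype))
            out.append({"value": value, "type": itype, "pulse": pulse.get("id")})
    return out


if __name__ == "__main__":
    for rec in select_indicators(SAMPLE_PULSES):
        print(rec)
```

Swap SAMPLE_PULSES for the output of fetch_subscribed_pulses(your_key) to run it against a live subscription; the dedupe step matters because the same indicator commonly appears in several pulses.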
