Create Indicator - OpenCTI

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This playbook adds new indicator in OpenCTI based on the entities info present in Sentinel incident. This playbook search in OpenCTI for indicatoes based on the entities (Account, Host, IP, FileHash, URL) present in Microsoft Sentinel incident. If it presnts in OpenCTI, information will be added to incident comment otherwise it creates new indicator in OpenCTI

Attribute Value
Type Playbook
Solution OpenCTI
Source View on GitHub

Additional Documentation

📄 Source: OpenCTIPlaybooks/OpenCTI-CreateIndicator/readme.md

OpenCTI- Add Indicators in OpenCTI Playbook

## Summary When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions 1. Searches for the matching indicator info of Entities (Accounts, Host, IP Address, FileHash, URL) in OpenCTI 2. If indicators are not found, this playbook adds the new indicators to OpenCTI databse (Separate indicators for each Accounts, Host, IP Address, FileHash, URL that are presnet in Sentinel incident) Comment example

Playbook Designer view

Prerequisites

  1. OpenCTI Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
  2. API key. To get API Key, login into your OpenCTI instance dashboard and navigate to User profile page --> API Access.

Deployment instructions

  1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard. Deploy to Azure Deploy to Azure Gov

  2. Fill in the required paramteres:

    • Playbook Name: Enter the playbook name here (Ex: OpenCTI-CreateIndicator)
    • Custom Connector Name: Enter the OpenCTI custom connector name here (Ex: OpenCTICustomConnector)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for OpenCTI Api Connection (For authorizing the OpenCTI GraphQL API connection, API Key needs to be provided)

b. Configurations in Sentinel

  1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account or host or URL or FileHash or IP Address.
  2. Configure the automation rules to trigger this playbook

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to OpenCTI