AusCtisExportTaggedIndicators

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbook gets triggered every hour and perform the following actions: 1. Get all the threat intelligence indicators from Microsoft Sentinel Workspace with given tag. 2. Filter all the indicators whose export in not completed. 3. Export the indicators to provided TAXII server.

Attribute Value
Type Playbook
Solution Australian Cyber Security Centre
Source View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action Type Connections Actions
http Built-in 0 3
Action parameters (URLs, paths, function IDs)

http (Built-in)

Action Method Endpoint Other
HTTP_appendTags_request POST [uriComponentToString(uri(variables('azure'), 'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items(''For_each_filtered_indicator'')?[''name'']}/appendTags?api-version=2021-10-01'))]
HTTP_POST_stix_bundle_to_TAXII_server POST @{parameters('TAXIIServerRootURL')}/collections/@{parameters('CollectionID')}/objects/
HTTP_queryIndicators_request POST [uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2022-06-01-preview'))]

Additional Documentation

📄 Source: AusCtisExportTaggedIndicators/readme.md

Summary

This playbook gets triggered every day and perform the following actions:

  1. Get all the threat intelligence indicators from Microsoft Sentinel Workspace with given tag.
  2. Filter all the indicators whose export in not completed.
  3. Verify/Add TLP labels to indicators.
  4. Add Grouping and Identity Objects to indicators.
  5. Export the bundle to provided TAXII server.


Prerequisites

  1. Have TAXII Server Url, Collection ID, Username and Password handy before the deployment of the Playbook

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name
    • TAXII Server Url
    • TAXII Server Username
    • TAXII Server Password
    • Collection ID
    • Orgnization UUID
    • Microsoft Sentinel Workspace
    • Tag for indicators to be exported
    • Tag for indicators after export completion
    • Default TLP Label

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize Playbook to access Log Analytics Workspace

Once deployment is complete, assign playbook Log Analytics contributor role.

  1. Go to Log Analytics Workspace resource
  2. Select Access control (IAM) tab
  3. Add role assignments
  4. Select Contributor role
  5. In the Members tab choose "Assign access to" Managed Identity
  6. Click on "Select members"
  7. Provide correct Subscription and Managed Identity
  8. Provide the playbook name in "Search by name" textbox
  9. Select the correct identity and click on Select
  10. Click on "Review + assign"

References

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Australian Cyber Security Centre