[Deprecated] Intel 471 Malware Intelligence to Graph Security
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook ingests malware indicators from Intel 471's Titan API into Microsoft Graph Security as tiIndicator resource type.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Intel471 |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureblob |
Managed | 1 | 5 |
keyvault |
Managed | 1 | 2 |
microsoftgraphsecurity |
Managed | 1 | 1 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azureblob (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| StoreCursor | put | /v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountName')))}/files/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountContainerName'),'/',parameters('BlobNameCursor')))} |
— |
| GetCursorFromBlob | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountName')))}/files/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountContainerName'),'/',parameters('BlobNameCursor')))}/content |
— |
| GetFromDateFromBlob | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountName')))}/files/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountContainerName'),'/',parameters('BlobNameFromDate')))}/content |
— |
| CreateBlobForCursor | post | /v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountName')))}/files |
— |
| CreateBlobForFromDate | post | /v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('StorageAccountName')))}/files |
— |
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| GetApiKey | get | /secrets/@{encodeURIComponent('TitanAPIKeyGraph')}/value |
— |
| GetUsername | get | /secrets/@{encodeURIComponent('TitanUserNameGraph')}/value |
— |
microsoftgraphsecurity (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Submit_multiple_tiIndicators | post | /beta/security/tiIndicators/submitTiIndicators |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP | GET | https://api.intel471.com/v1/indicators/stream |
— |
Additional Documentation
📄 Source: Intel471-ImportMalwareIntelligenceToGraphSecurity/readme.md
Intel 471 Malware Intelligence import to Microsoft Graph Security
Table of contents
- Overview
- Prerequisites
- Deployment instructions
- Post-deployment instructions
- Querying Intel 471 Malware Intelligence data in Sentinel
- Data mapping
- Script for granting ThreatIndicators.ReadWrite.OwnedBy role
Overview
This playbook fetches malware intelligence indicators from the Intel 471's Titan API and ingests them as tiIndicators through Microsoft Graph Security tiIndicators API to make them available in Microsoft Sentinel and other Microsoft security solutions such as Defender ATP.
Data connector used in this playbook is on a path for deprecation. For new solutions use the new threat intelligence upload indicators API data connector, which is used in Intel471-ImportMalwareIntelligenceToSentinel playbook. For more information, see Connect your threat intelligence platform to Microsoft Sentinel with the upload indicators API.
azuredeploy.json Azure Resource Manager template (ARM template) is responsible for building the Logic App along with the necessary connections. The ARM builds following components:
- Logic App responsible for fetching the data from Titan API and ingesting them into
ThreatIntelligenceIndicatortable - Connection objects
- Logic app to Blob storage (authorized automatically)
- Logic app to Key Vault (requires manual configuration)
- Logic app to Microsoft Security Graph (requires manual configuration)
Prerequisites
- An active account in Titan platform, which is available as part of Intel 471's subscriptions. For more information, please contact sales@intel471.com.
- Titan API credentials.
- Pre-existing Key Vault for securely storing Titan API credentials. Store Titan API credentials as secrets under
TitanUserNameGraphandTitanAPIKeyGraphkeys. - Pre-existing Blob storage with blob container for persisting data such as cursor between the API calls.
- Threat Intelligence connector enabled in Sentinel. Go to Sentinel instance →
Content huband installThreat Intelligencesolution.
Deployment instructions
To deploy the Playbook, click the Deploy to Azure button. It will launch the ARM Template deployment wizard.
Provide following parameters:
- Playbook Name: Either leave the default one or change it as needed
- StorageAccountName: Name of the Storage account (see prerequisites)
- StorageAccountContainerName: Name of the blob container in the Storage account
- KeyVaultName: Name of the Key Vault (see prerequisites)
- Target Product: Security product to which the indicators will be applied. Allowed values:
Azure Sentinel,Microsoft Defender ATP - Action: The action to apply if the indicator is matched from within the targetProduct security tool. Allowed values:
unknown,allow,block,alert - Look Back Days: How many days of history should be pulled on the first run. Leave 0 to start from the current time
Post-deployment instructions
- Go to the Key Vault. Select
Access control (IAM)→+ Add→Add role assignment. ChooseKey Vault Secrets User. On the next screen hit+ Select members, search for Intel 471 and select newly created logic app. Select it and proceed with granting access rights.
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊