NCSCNLShareSTIXBundle

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook gets triggered every hour and perform the following actions: 1. Get all the threat intelligence indicators from Microsoft Sentinel Workspace with given tag. 2. Filter all the indicators whose export in not completed. 3. Share the STIX Bundle, that includes the 'Indicator, corresponding Identities, Markings and optional Sighting' with the to provided TAXII server.

Attribute	Value
Type	Playbook
Solution	NCSC-NL NDN Cyber Threat Intelligence Sharing
Source	View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action	Type	Connections	Actions
`http`	Built-in	0	4

Action parameters (URLs, paths, function IDs)

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_POST_stix_bundle_to_TAXII_using_api_key	POST	`@{parameters('TAXIIServer RootURL')}/collections/@{parameters('Collection ID')}/objects/`	—
HTTP_POST_stix_bundle_to_TAXII_using_username-password	POST	`@{parameters('TAXIIServer RootURL')}/collections/@{parameters('Collection ID')}/objects/`	—
HTTP_appendTags_request	POST	`[uriComponentToString(uri(variables('azure'), 'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items(''For_each_filtered_indicator'')?[''name'']}/appendTags?api-version=2021-10-01'))]`	—
HTTP_queryIndicators_request	POST	`[uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2022-06-01-preview'))]`	—

Additional Documentation

📄 Source: NCSCNLShareSTIXBundle/readme.md

Summary

This playbook is inspired on the previous ACSC codecase and is enhanced with an additional Sighting feature and API key support. It gets triggered every day and perform the following actions:

Get all the threat intelligence indicators from Microsoft Sentinel Workspace with given tag.
Filter all the indicators whose export in not completed.
Optional wil include a sighting object to report.
Verify/Add TLP labels to indicators.
Add Grouping and Identity Objects to indicators.
Export the bundle to provided TAXII server.

Prerequisites

Have TAXII Server Url, Collection ID, your Organization STIX Identity and API Key available before the deployment of the Playbook.

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- Playbook Name
- TAXII Server Url
- TAXII Server API Key
- Collection ID
- Organization Name
- Organization ID (UUID)
- Microsoft Sentinel Workspace
- Tag for indicators to be exported
- Tag for indicators after export completion
- Default TLP Label
Optional you can set the following parameters:
- Include Sighting Object (default is yes)
- TAXII Server Username (default is using API Key)
- TAXII Server Password (default is using API Key)