Create Indicator - OpenCTI

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook adds new indicator in OpenCTI based on the entities info present in Sentinel incident. This playbook search in OpenCTI for indicatoes based on the entities (Account, Host, IP, FileHash, URL) present in Microsoft Sentinel incident. If it presnts in OpenCTI, information will be added to incident comment otherwise it creates new indicator in OpenCTI

Attribute	Value
Type	Playbook
Solution	OpenCTI
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	6
`OpenCTICustomConnector`	Custom	1	17

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Entities_-_Get_Accounts	post	`/entities/account`	—
Entities_-_Get_FileHashes	post	`/entities/filehash`	—
Entities_-_Get_Hosts	post	`/entities/host`	—
Entities_-_Get_IPs	post	`/entities/ip`	—
Entities_-_Get_URLs	post	`/entities/url`	—

`OpenCTICustomConnector` (Custom)

Action	Method	Endpoint	Other
Run_GraphQL_Query_Create_Org	post	`/graphql`	—
Run_GraphQL_Query_Create_new_label	post	`/graphql`	—
Run_GraphQL_Query_Create_Marking_Info	post	`/graphql`	—
Run_GraphQL_Query_Create_Indicator_-_account	post	`/graphql`	—
Run_GraphQL_Query_to_get_indicator_info_-_Accounts	post	`/graphql`	—
Run_GraphQL_Query_Create_Indicator_-_FileHash	post	`/graphql`	—
Run_GraphQL_Query_to_get_indicator_info_-_FileHash	post	`/graphql`	—
Run_GraphQL_Query_Create_Indicator_-_Host	post	`/graphql`	—
Run_GraphQL_Query_to_get_indicator_info_-_Host	post	`/graphql`	—
Run_GraphQL_Query_Create_Indicator_-_IP	post	`/graphql`	—
Run_GraphQL_Query_to_get_indicator_info_-_IP	post	`/graphql`	—
Run_GraphQL_Query_Create_Indicator_-_URL	post	`/graphql`	—
Run_GraphQL_Query_to_get_indicator_info_-_URLs	post	`/graphql`	—
Run_GraphQL_Get_Marking_info	post	`/graphql`	—
Run_GraphQL_Query_Get_Label_info	post	`/graphql`	—
Run_GraphQL_Query_for_Orginfo	post	`/graphql`	—
Run_Sample_GraphQL_Query_to_check_Auth_	post	`/graphql`	—

Additional Documentation

📄 Source: OpenCTIPlaybooks/OpenCTI-CreateIndicator/readme.md

OpenCTI- Add Indicators in OpenCTI Playbook

Summary

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions

Searches for the matching indicator info of Entities (Accounts, Host, IP Address, FileHash, URL) in OpenCTI
If indicators are not found, this playbook adds the new indicators to OpenCTI databse (Separate indicators for each Accounts, Host, IP Address, FileHash, URL that are presnet in Sentinel incident)

Playbook Designer view

Prerequisites

OpenCTI Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
API key. To get API Key, login into your OpenCTI instance dashboard and navigate to User profile page --> API Access.

Deployment instructions

Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here (Ex: OpenCTI-CreateIndicator)
- Custom Connector Name: Enter the OpenCTI custom connector name here (Ex: OpenCTICustomConnector)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for OpenCTI Api Connection (For authorizing the OpenCTI GraphQL API connection, API Key needs to be provided)

b. Configurations in Sentinel

In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account or host or URL or FileHash or IP Address.
Configure the automation rules to trigger this playbook