Read Stream- OpenCTI Indicators



This playbook fetches indicators from OpenCTI and sends them to Microsoft Sentinel. Supported indicator types are Domain, File, IPv4, IPv6, Account and Url. It runs every 10 minutes.

Type: Playbook
Solution: OpenCTI
Source: View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action: OpenCTICustomConnector
Type: Custom
Connections: 1
Actions: 2
Action parameters (URLs, paths, function IDs)

OpenCTICustomConnector (Custom)

Action: Run_Sample_GraphQL_Query_to_check_Auth_
  Method: post
  Endpoint: /graphql

Action: Run_GraphQL_Query_Get_Indicators
  Method: post
  Endpoint: /graphql

Additional Documentation

📄 Source: OpenCTIPlaybooks/OpenCTI-GetIndicatorsStream/readme.md

OpenCTI- Update indicator's confidence score Playbook

Summary

This playbook fetches indicators from OpenCTI and sends them to Microsoft Sentinel. Supported indicator types are Domain, File, IPv4, IPv6, Account and Url. It runs every 10 minutes.

Playbook Designer view

Prerequisites

  1. The OpenCTI Custom Connector needs to be deployed under the same subscription prior to the deployment of this playbook.
  2. An OpenCTI API key. To get the API key, log in to your OpenCTI instance dashboard and navigate to User profile page --> API Access.
  3. The OpenCTI-ImportToSentinel playbook must be installed; keep its playbook name and batch name handy.

Deployment instructions

  1. Deploy the playbook by clicking the "Deploy to Azure" button (or "Deploy to Azure Gov" for Azure Government). This will take you to the ARM template deployment wizard.

  2. Fill in the required parameters:

    • Playbook Name: Enter the playbook name here (Ex: OpenCTI-UpdateIndicatorInfo)
    • Custom Connector Name: Enter the OpenCTI custom connector name here (Ex: OpenCTICustomConnector)
    • Import Batch Playbook Name: Enter the Name of the batch import playbook here (Ex: OpenCTI-ImportToSentinel)
    • Batch Name: Enter the batch name that was used in the OpenCTI-ImportToSentinel playbook here (Ex: OpenCTIToSentinel)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat these steps for the OpenCTI connection (to authorize the OpenCTI GraphQL API connection, the API key from the prerequisites needs to be provided)

b. Configurations in Sentinel

  1. None
