Send to Security Graph API - Batch Import (OpenCTI)



This playbook submits indicators to the Microsoft Graph Security API in batches.

Attribute   Value
Type        Playbook
Solution    OpenCTI
Source      View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action       Type      Connections   Actions
microsoftgraphsecurity   Managed   1             1
Action parameters (URLs, paths, function IDs)

microsoftgraphsecurity (Managed)

Action                         Method   Endpoint                                          Other
Submit_multiple_tiIndicators   post     /beta/security/tiIndicators/submitTiIndicators

Additional Documentation

📄 Source: OpenCTIPlaybooks/OpenCTI-ImportToSentinel/readme.md

OpenCTI- Update indicator's confidence score Playbook

Summary

This playbook submits indicators to the Microsoft Graph Security API in batches.

Playbook Designer view

Prerequisites

  1. None

Deployment instructions

  1. Deploy the playbook by clicking the "Deploy to Azure" button (or "Deploy to Azure Gov" for Azure Government). This takes you to the ARM template deployment wizard.

  2. Fill in the required parameters:

    • Playbook Name: Enter the playbook name here (Ex: OpenCTI-ImportToSentinel)

Post-Deployment instructions

  1. From the Azure portal, navigate to "Azure Active Directory" and note your tenant ID (this is your Azure tenant ID, which is required when running the commands below).

AAD TenantId view

  1. Open the Logic App "OpenCTI-ImportToSentinel", select the "Identity" section and copy the Object (principal) ID. This is the Logic App's system-assigned managed identity.

LogicApp System Identity TenantId view

NOTE: Only Azure tenant admins have permission to perform the activity below.

# Requires the AzureAD PowerShell module (Install-Module AzureAD). Note that Microsoft has
# retired this module in favour of Microsoft Graph PowerShell.
$AzureTenantId = "< Enter your Azure tenant id here >"
$MIGuid = "< Enter your Logic app system assigned managed identity here >"

# Sign in to the tenant as an administrator
Connect-AzureAD -TenantId $AzureTenantId

# Service principal of the Logic App's system-assigned managed identity
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known application ID of Microsoft Graph and the application permission the playbook needs
$GraphApiAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName = "ThreatIndicators.ReadWrite.OwnedBy"

# Resolve the Graph service principal and the matching application (not delegated) app role
$GraphApiServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphApiAppId'"
$AppRole = $GraphApiServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
if (-not $AppRole) { throw "App role '$PermissionName' not found on the Microsoft Graph service principal" }

# Grant the app role to the managed identity (this is the admin consent for the application permission)
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $GraphApiServicePrincipal.ObjectId -Id $AppRole.Id
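A verification helper added here, not part of the playbook readme or the OpenCTI project, that confirms the managed identity actually holds the ThreatIndicators.ReadWrite.OwnedBy application permission on Microsoft Graph by querying the assignments granted on the Graph service principal. It assumes the AzureAD module and an existing Connect-AzureAD session as in the script above; the function name Test-GraphAppRoleGrant is my own.

```powershell
# Added check (not from the OpenCTI playbook readme). Assumes Connect-AzureAD has already run.
function Test-GraphAppRoleGrant {
    param(
        [Parameter(Mandatory)] [string] $ManagedIdentityObjectId,
        [string] $PermissionName = "ThreatIndicators.ReadWrite.OwnedBy",
        # Well-known application ID of Microsoft Graph
        [string] $GraphApiAppId  = "00000003-0000-0000-c000-000000000000"
    )

    $graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$GraphApiAppId'"
    if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

    # The application permission the playbook needs, as an app role exposed by Graph
    $appRole = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $appRole) { throw "App role '$PermissionName' is not exposed by Microsoft Graph." }

    # App role assignments granted on the Graph resource; keep only this principal and this role.
    # Id on an assignment object is the app role ID, PrincipalId is the assignee.
    $assigned = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $ManagedIdentityObjectId -and $_.Id -eq $appRole.Id }

    [pscustomobject]@{
        PrincipalId = $ManagedIdentityObjectId
        Permission  = $PermissionName
        AppRoleId   = $appRole.Id
        Granted     = [bool]$assigned
    }
}

# Usage (placeholder; paste the Object ID copied from the Logic App's Identity blade):
Test-GraphAppRoleGrant -ManagedIdentityObjectId "< Enter your Logic app system assigned managed identity here >"
```

Run it after the grant to confirm Granted is True, or before re-running the grant, since New-AzureAdServiceAppRoleAssignment errors when the same assignment already exists.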

Configurations in Sentinel

None

