The TimeGenerated value in the threat intelligence table gets updated periodically for records older than 14 days. This is to support the 14-day lookback limit on analytic rules. The updated playbook overcomes this limitation by breaking the request into pages (1000 indicators each). I pulled in 5 years of IOC data (roughly 200,000 records) in testing. This runs for about 10 minutes for every 10,000 records.

This is intended to be a one-time lookback followed by a daily maintenance update. Despite being a rather complex logic app, each record counts as only 2 action executions (200k records costs around $10).

To improve usability and data enrichment, I added more setup variables and made some minor adjustments. I added a lookup URL to the additionalInformation column that links back to the AlienVault lookup for each IOC. I also use the "FileCreatedDateTime" column to log the time ingested. This date/time value was not previously being used.

1. Create an App Registration in Azure AD.
2. Import the Logic App (disabled by default).
3. Set the run variables (Tenant ID, Client ID, App Secret, and OTX API Key).
4. Activate the appropriate TI Map rules to enable alerting.

Note: Consider running a one-time historic lookback (described below).

1. Set the lookback days to a desired value (example 365).
2. Enable and run the Logic App (estimate 10 minutes processing time for every 10k records).
3. Make sure to reset the Lookback days to the default 1 day when complete.

Note: During testing the provider returned some incorrectly formatted records. This was only observed in large collections. Incorrectly formatted records will fail if encountered but the overall app will complete. This will cause the log to show the parent app as failed.
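The paging and per-record failure handling described above, as an added example in Python rather than the playbook's own Logic App definition: it walks an OTX-style feed in pages of 1000, computes the `modified_since` window from the lookback days, maps each record to the `additionalInformation` and `fileCreatedDateTime` fields the post mentions, and lets a malformed record fail on its own without stopping the run. The feed record shape, the `fetch_page` callback, the `LOOKUP_PATH` table and the OTX lookup-URL pattern are assumptions, not taken from the page.

```python
# Added example, not the playbook's own code: page through an OTX-style feed,
# map records to the tiIndicator fields the post mentions, and let a malformed
# record fail alone. Feed shape, fetch_page and the lookup URL are assumptions.
from datetime import datetime, timedelta, timezone

PAGE_SIZE = 1000  # the playbook requests 1000 indicators per page
# Assumed OTX indicator type -> path segment of the OTX web lookup page.
LOOKUP_PATH = {"IPv4": "ip", "domain": "domain", "FileHash-SHA256": "file"}

def modified_since(lookback_days, now):
    """Start of the window: 365 for the one-time historic pull, 1 for daily."""
    return (now - timedelta(days=lookback_days)).strftime("%Y-%m-%dT%H:%M:%S")

def to_ti_indicator(rec, ingested):
    """Map one feed record; raise if a field is missing or the type unsupported."""
    itype, value = rec["type"], rec["indicator"]  # KeyError on a missing field
    if itype not in LOOKUP_PATH or not value:
        raise ValueError(f"unsupported or empty indicator: {rec!r}")
    return {
        "indicatorType": itype,
        "indicatorValue": value,
        "additionalInformation": f"https://otx.alienvault.com/indicator/{LOOKUP_PATH[itype]}/{value}",
        "fileCreatedDateTime": ingested.strftime("%Y-%m-%dT%H:%M:%SZ"),  # time ingested
    }

def collect(fetch_page, lookback_days, now):
    """Walk pages until an empty one; return (indicators, per-record failures)."""
    since = modified_since(lookback_days, now)
    indicators, failures, page = [], [], 1
    while records := fetch_page(since, PAGE_SIZE, page):
        for rec in records:
            try:
                indicators.append(to_ti_indicator(rec, now))
            except (KeyError, ValueError) as exc:
                failures.append(str(exc))  # this record fails, the run continues
        page += 1
    return indicators, failures

# Constructed sample feed: two pages, one malformed record (no "indicator" key).
SAMPLE_PAGES = {
    1: [{"type": "IPv4", "indicator": "203.0.113.7"},
        {"type": "domain", "indicator": "example.invalid"},
        {"type": "IPv4"}],
    2: [{"type": "FileHash-SHA256", "indicator": "a" * 64}],
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "now"

def sample_fetch(since, limit, page):
    """Stand-in for the HTTP call; returns [] past the last page."""
    return SAMPLE_PAGES.get(page, [])
```

Running `collect(sample_fetch, 365, SAMPLE_NOW)` yields three mapped indicators and one recorded failure, which is the behaviour the post describes: the bad record is reported, the rest of the collection still lands.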