Author: Deepak Kumar Ray
For any technical questions, please contact me on Twitter or LinkedIn.
This playbook is created to automatically fetch IPs from the threat intel sites mentioned here and update them into the Sentinel watchlist. Please note that a watchlist is limited to 10 million active items, so you need to delete old IOCs when it crosses that limit.
The following items are required under the template settings during deployment:
- Create a watchlist and provide an alias/description for it.
- Upload a CSV file with one dummy IP (remove it later). Make sure the field name in the CSV file is "IP", because that field name is hardcoded in the KQL.
- Run the playbook to upload the IOCs (IPs) to the watchlist.
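The CSV that seeds the watchlist has to carry the "IP" header the KQL expects, and the watchlist cannot grow past the 10 million item limit. The following is an added example (not the playbook's own code) showing how to turn a plain-text feed into such a CSV: it validates and de-duplicates the IPs, drops non-routable ranges that would match every internal host, and trims the merged list to the limit so the oldest IOCs fall off. The feed content and the watchlist limit constant are constructed for the example.

```python
import csv
import io
import ipaddress

# Limit stated in the README; the CSV header must be "IP" because the
# correlation KQL projects that exact field from the watchlist.
WATCHLIST_MAX_ITEMS = 10_000_000
IP_FIELD = "IP"

# Ranges that should never be loaded as IOCs: matching them in
# CommonSecurityLog would alert on every internal host. Constructed list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]

def parse_feed(text):
    """Return valid, de-duplicated, routable IPs from a plain-text feed.
    Each line holds one IP, optionally followed by '#' comment text."""
    seen, result = set(), []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # domain, hash or junk line: not an IP indicator
        if any(ip in net for net in NON_ROUTABLE):
            continue
        key = str(ip)  # normalised form, e.g. lower-case, collapsed IPv6
        if key not in seen:
            seen.add(key)
            result.append(key)
    return result

def build_watchlist_csv(new_ips, existing=(), max_items=WATCHLIST_MAX_ITEMS):
    """Merge new IPs ahead of the existing ones and cut at the watchlist
    limit, so the oldest IOCs fall off instead of the upload failing."""
    merged = list(dict.fromkeys(list(new_ips) + list(existing)))[:max_items]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([IP_FIELD])
    writer.writerows([ip] for ip in merged)
    return buf.getvalue()

# Constructed sample feed (documentation ranges, not a real TI source).
SAMPLE_FEED = """# constructed feed
198.51.100.7
203.0.113.9 # seen scanning
10.0.0.5
203.0.113.9
not-an-ip
2001:DB8::1
"""

if __name__ == "__main__":
    print(build_watchlist_csv(parse_feed(SAMPLE_FEED), existing=["192.0.2.1"]))
```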
Use the KQL query below to fetch details. It will be updated as new TI feeds are added.
TBD
Once the playbook is running, it automatically adds the IOCs to the watchlist. This watchlist can then be correlated against raw logs from different log sources to generate alerts.
Use it with any Sentinel table that has an IP address field. The query below checks whether any threat intel IP matches in the CommonSecurityLog table.
// Pull the IP column from the watchlist (alias "External_IOC") into a list.
let TI_IP = _GetWatchlist('External_IOC')
| project IP;
// Match the source address of each CommonSecurityLog event against the IOC list.
CommonSecurityLog
| where SourceIP in (TI_IP)