There are public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information about entities that represent threats, such as compromised IP addresses, botnet domains and so on. Typically these feeds are published over the TAXII protocol, which means they can be ingested using the Threat Intelligence - TAXII data connector inside Azure Sentinel.
Select the Data connectors option from the Azure Sentinel menu on the left, then search for TAXII. Select the Threat Intelligence - TAXII connector as shown above, then Open connector page in the lower right.
On the right hand side of the page you will see the Configuration area as shown above. To add a feed you will need the following details from the feed provider:
– API root URL
– Collection ID
If you have a look at the bottom of this article:
you’ll find the details for the free Anomali Limo threat feed, which are:
– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/
– Collection ID = see the list in the article (e.g. 107, 135, 136)
For the username and password of all of these feeds use:
Each Collection ID is added as its own feed: complete the details for it as shown above, then select the Add button.
The feed will be validated and, if successful, an alert confirming this will appear at the top of the page as shown above. If validation fails, check the API root URL, Collection ID and credentials before retrying.
The feed will then appear in the list at the bottom of the page. From this point indicator data will start flowing into your workspace, with how often the connector checks for new indicators determined by the Polling Frequency you selected for the feed.
Once the feed has started to import data, select Threat intelligence from the main Sentinel menu as shown above. You should see a range of indicator entries. These indicators can now be used throughout your Sentinel environment, as detailed here:
The indicators are stored in the Log Analytics table ThreatIntelligenceIndicator, as shown above, which can be queried directly in hunting queries and analytics rules.
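The following hunting query is an added example and is not part of the original article. It matches the IP indicators imported from the TAXII feed against source IPs seen in CommonSecurityLog (the CEF/firewall table; substitute whichever log table holds the IPs you care about). The lookback windows are assumed values; the column names are those of the ThreatIntelligenceIndicator and CommonSecurityLog tables.

```kusto
// Added example: hunt for active IP indicators from the TAXII feed in firewall logs.
// Assumptions: CommonSecurityLog is the log source; the 1d / 14d windows are arbitrary.
let dt_lookBack = 1d;     // how much log data to search
let ioc_lookBack = 14d;   // how far back to collect indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// Feeds may populate either NetworkIP or NetworkSourceIP; use whichever is present
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP)
// Indicators are re-ingested on every poll: keep only the latest copy of each,
// and drop any that have been revoked (Active == false) or have expired
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(SourceIP)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.SourceIP
// Only count a hit if the log event happened while the indicator was still valid
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
| project CommonSecurityLog_TimeGenerated, TI_ipEntity, SourceIP, DestinationIP, DestinationPort,
          DeviceName, ThreatType, ConfidenceScore, Description, ActivityGroupNames, IndicatorId
| order by CommonSecurityLog_TimeGenerated desc
```

The arg_max step matters: because the connector re-imports indicators on each poll, a naive join would return duplicate hits for every copy of the same indicator, and without the Active and ExpirationDateTime filters you would alert on indicators the feed has already withdrawn.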
Keep in mind that threat indicator data incurs an ingestion and data storage cost like any other data in the workspace. The volume is normally small, and the value the indicators provide is well worth that minor cost. You can track threat indicator costs using the workbooks that Sentinel provides. You can add more feeds if you wish; details of what is available can be found at:
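If you would rather check the ingestion volume directly than open a workbook, the query below is an added example (not from the original article) that reads the Usage table, where Log Analytics records billable volume per data type in MB. The 30 day window is an assumed value.

```kusto
// Added example: daily billable volume ingested into the ThreatIntelligenceIndicator table.
// Assumption: a 30 day window is enough to see the effect of adding new feeds.
Usage
| where TimeGenerated > ago(30d)
| where DataType == "ThreatIntelligenceIndicator"
| where IsBillable == true
// Quantity is reported in MB; convert to GB, the unit workspace pricing is quoted in
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 3) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
```

Run it before and after adding a feed to see exactly how much volume each collection contributes.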
Having additional threat data gives Sentinel more signal when it examines your environment. If an entity from these threat indicators is seen in your logs, the analytics rules that match indicators against log data will generate alerts, so make sure those rules are enabled for the tables you collect. For a small ingest and storage cost, having these threat indicators flow into your Sentinel environment provides a huge amount of value and increases your security.