Add TAXII threat intelligence feeds to Azure Sentinel

image

There a public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information around entities that represent threats such as compromised IP addresses, botnet domains and so on. Typically, these feeds will support the TAXII connector inside Azure Sentinel.

Select the Data connectors option from the Azure Sentinel menu on the left. Next search for TAXII. Finally, select Threat Intelligence as shown above, then the Open connector page in the lower right.

image

On the right hand side of the page, you see the Configuration area as shown above. Here you’ll require information on the following items:

– API root URL

– Collection ID

– Username

– Password

If you have a look at the bottom of this article:

Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

you’ll find the details for the free Anomali Limo threat feed, which is:

– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/

– Collection ID = see list in article (i.e. 107, 135, 136, etc)

For the username and password of all these feeds use:

guest

image

Complete the details for each Collection ID, like what is shown above. When you have completed each feed select the Add button.

image

The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.

image

The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.

image

Once the feed has started to import data select the Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment. This is detailed here:

Work with threat indicators in Azure Sentinel

image

This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.

Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:

Threat intelligence integration in Azure Sentinel

Having additional threat data provides more signal information for Sentinel when it examines your environment. If information from these threat indicators is detected in your environment, then alerts will be generated. For a small ingest and storage cost having these threat indicators flow into your Sentinel environment provided a huge amount of value and increase your security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s