Microsoft Sentinel is a cloud native SIEM that offers various options to import threat intelligence data and use them for hunting, investigation, analytics etc. Some of the ways to import rich threat intelligence data into Microsoft Sentinel include the Threat Intelligence - TAXII data connector, Threat Intelligence Platforms (TIP) connector and import of indicators through a flat file.
Microsoft Sentinel was one of the early adopters of STIX/TAXII as the preferred way to import threat intelligence data. Microsoft Sentinel's “Threat Intelligence - TAXII” connector uses the TAXII protocol to share data in STIX format and supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence – TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel that imports threat intelligence from TAXII 2.x servers.
Today we are announcing our integration with Pulsedive, which allows you to get threat intelligence data from Pulsedive into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector.
Pulsedive + Microsoft Sentinel Solution
The Pulsedive + Microsoft Sentinel integration offers automated, bulk enrichment and more meaningful alerting on indicators of compromise (IOCs). The integration streamlines your CTI ingestion and uses Pulsedive's risk scoring to reduce noise. It makes getting TI from Pulsedive into Microsoft Sentinel quick and easy, without the need to contact Pulsedive sales to get access to the TI feed.
Pulsedive’s threat intelligence database includes ingestion and vetting of dozens of reputable open-source feeds, as well as unique, real-time community contributions. Combined with Sentinel’s security analytics capabilities, this integration helps users gain key visibility and context into IOCs associated with malware, phishing, scams, ransomware, threat groups, and more - to help teams reduce time chasing down key data and shift focus to meaningful, challenging work.
Microsoft Sentinel benefits with Pulsedive Feed:
With Microsoft Sentinel + Pulsedive’s cloud-native deployment, combine known threats from around the world with world-class analytics, modeling, detection, and investigation. Benefits include:
Streamlined Use. Get the latest IOCs de-duplicated and scored from sources like abuse.ch, phishtank, blocklist.de, plus cryptojacking, brute force, C2, and other dedicated feeds tracking various threats around the world.
Less Noise. Leverage Pulsedive’s risk scoring to prioritize alerts and reduce false positives.
Enhanced Analysis. Get access to a wealth of additional contextual information gathered from Pulsedive’s first-hand passive and active scanning, plus timestamps, risk factors, associated threats, and source feeds.
Connecting Microsoft Sentinel to Pulsedive TAXII Server
To connect Microsoft Sentinel to Pulsedive’s TAXII Server, obtain the API Root, Collection ID, Username and Password from Pulsedive.
Obtain access to Pulsedive via Microsoft Sentinel by following these steps:
- Create a free Pulsedive account at pulsedive.com/register
- Upgrade to the Feed plan that best suits your requirements
- More information on the Pulsedive Feed service can be found here
- Configure the TAXII client in Sentinel with the following information:
  - API root: https://pulsedive.com/taxii2/api/
  - Indicator collection ID: a5cffbfe-c0ff-4842-a235-cb3a7a040a37
  - Username: taxii2
  - Password: your API key, which can be found on your account page
- Visit Pulsedive’s TAXII documentation to learn more
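As an added illustration (not code from Pulsedive or Microsoft), this shows what a TAXII client such as Sentinel's connector does with the values above: build the authenticated request for the indicator collection's objects endpoint, then flatten the STIX 2.1 indicator objects in the returned envelope into plain (type, value) rows. The envelope below is a constructed sample, and the server is assumed to follow the TAXII 2.1 specification.

```python
import base64
import re
from urllib.parse import urljoin

# Connection values from the configuration steps above
API_ROOT = "https://pulsedive.com/taxii2/api/"
COLLECTION_ID = "a5cffbfe-c0ff-4842-a235-cb3a7a040a37"
USERNAME = "taxii2"

# Simple STIX comparison expressions inside an indicator pattern,
# e.g. [domain-name:value = 'bad.example'] or [ipv4-addr:value = '192.0.2.1']
_OBSERVABLE = re.compile(r"([\w-]+):value\s*=\s*'([^']+)'")


def build_request(api_key: str, added_after: str = "") -> tuple[str, dict]:
    """URL and headers a TAXII 2.1 client sends to page the collection's objects.
    Assumes a spec-compliant TAXII 2.1 server (assumption, not Pulsedive-specific)."""
    url = urljoin(API_ROOT, f"collections/{COLLECTION_ID}/objects/")
    if added_after:  # incremental pulls only fetch objects newer than the last run
        url += f"?added_after={added_after}"
    token = base64.b64encode(f"{USERNAME}:{api_key}".encode()).decode()
    headers = {"Accept": "application/taxii+json;version=2.1",
               "Authorization": f"Basic {token}"}
    return url, headers


def extract_indicators(envelope: dict) -> list[dict]:
    """Flatten STIX indicator objects from a TAXII envelope into one row per observable.
    Revoked indicators and non-indicator objects (identities, relationships) are skipped."""
    rows = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for obs_type, value in _OBSERVABLE.findall(obj.get("pattern", "")):
            rows.append({"stix_id": obj["id"], "observable_type": obs_type, "value": value,
                         "valid_from": obj.get("valid_from"), "labels": obj.get("labels", [])})
    return rows


# Constructed sample envelope (not real Pulsedive data); ids are placeholders
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[domain-name:value = 'malicious.example']", "pattern_type": "stix",
     "valid_from": "2023-01-01T00:00:00Z", "labels": ["phishing"]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '192.0.2.11']",
     "pattern_type": "stix", "valid_from": "2023-01-02T00:00:00Z", "labels": ["c2"]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[url:value = 'http://old.example/x']", "revoked": True},
    {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000004", "name": "feed"},
]}
```

Calling `extract_indicators(SAMPLE_ENVELOPE)` yields three rows (one domain, two IPv4 addresses); the revoked URL indicator and the identity object are dropped.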
Need help?
- For technical troubleshooting, reach out to support@pulsedive.com
- For procurement questions, please contact sales@pulsedive.com
For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation.
Put Pulsedive threat intelligence to use in Microsoft Sentinel
Once the threat intelligence from Pulsedive is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytics rules in Microsoft Sentinel. These fully customizable analytics rules, which match threat indicators against your event data, all have names beginning with ‘TI map’.
To learn how to enable and create analytic rules, follow the steps mentioned in this documentation.
You can also create customized dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the Pulsedive feed.
We hope this article has helped you understand the advantages of importing the Pulsedive feed into Microsoft Sentinel and how to use it to protect your organization.