Microsoft Sentinel Blog
Import Pulsedive Feed into Microsoft Sentinel

RijutaKapoor (Microsoft)
Jun 07, 2022

Microsoft Sentinel is a cloud-native SIEM that offers several options for importing threat intelligence data and using it for hunting, investigation and analytics. The ways to import rich threat intelligence data into Microsoft Sentinel include the Threat Intelligence - TAXII data connector, the Threat Intelligence Platforms (TIP) connector and the import of indicators from a flat file.

Microsoft Sentinel was one of the early adopters of STIX/TAXII as the preferred way to import threat intelligence data. The Microsoft Sentinel “Threat Intelligence - TAXII” connector uses the TAXII protocol to share data in STIX format and supports pulling data from TAXII 2.0 and 2.1 servers. In effect, the Threat Intelligence - TAXII data connector is a built-in TAXII client in Microsoft Sentinel that imports threat intelligence from TAXII 2.x servers.

Today we are announcing our integration with Pulsedive, which lets you bring threat intelligence data from Pulsedive into Microsoft Sentinel using the Threat Intelligence - TAXII data connector.

Pulsedive + Microsoft Sentinel Solution

The Pulsedive + Microsoft Sentinel integration offers automated, bulk enrichment and more meaningful alerting on indicators of compromise (IOCs). The integration streamlines your CTI ingestion and uses Pulsedive's risk scoring to reduce noise. It makes getting TI from Pulsedive into Microsoft Sentinel quick and easy, without the need to contact Pulsedive sales to get access to the TI feed.

Pulsedive’s threat intelligence database ingests and vets dozens of reputable open-source feeds, as well as unique, real-time community contributions. Combined with Sentinel’s security analytics capabilities, this integration gives users visibility and context into IOCs associated with malware, phishing, scams, ransomware, threat groups and more, so that teams spend less time chasing down key data and can focus on meaningful, challenging work.

Microsoft Sentinel benefits with Pulsedive Feed:

With Microsoft Sentinel + Pulsedive’s cloud-native deployment, combine known threats from around the world with world-class analytics, modeling, detection, and investigation. Benefits include:

  • Streamlined Use. Get the latest IOCs, de-duplicated and scored, from sources such as abuse.ch, PhishTank and blocklist.de, plus dedicated feeds tracking cryptojacking, brute force, C2 and other threats around the world.

  • Less Noise. Use Pulsedive’s risk scoring to prioritize alerts and reduce false positives.

  • Enhanced Analysis. Get access to a wealth of additional contextual information gathered from Pulsedive’s first-hand passive and active scanning, plus timestamps, risk factors, associated threats and source feeds.

Connecting Microsoft Sentinel to Pulsedive TAXII Server

To connect Microsoft Sentinel to Pulsedive’s TAXII Server, obtain the API Root, Collection ID, Username and Password from Pulsedive.

Obtain access to Pulsedive via Microsoft Sentinel by following these steps:

  • Create a free Pulsedive account at pulsedive.com/register
  • Upgrade to the Feed plan that best suits your requirements
    • More information on the Pulsedive Feed service can be found here
  • Configure the TAXII client in Sentinel with the following information:
  • Visit Pulsedive’s TAXII documentation to learn more
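The steps above come down to four values (API Root, Collection ID, Username, Password) that the TAXII connector needs. The following added example, not part of the original post or of Pulsedive's or Microsoft's code, shows a pre-check a practitioner can run on a TAXII 2.1 collections response before filling in the connector: it lists which collections the account can actually read, classifies a Collection ID, and assembles the connector values together with the objects URL the client will poll. The collections JSON, its IDs and titles are constructed for the example.

```python
import json
import re

# Constructed sample of a TAXII 2.1 collections response, shaped like what a
# GET to <API root>collections/ returns. The IDs and titles are made up.
SAMPLE_COLLECTIONS_JSON = json.dumps({"collections": [
    {"id": "11111111-1111-4111-8111-111111111111", "title": "Full feed",
     "can_read": False, "can_write": False},
    {"id": "22222222-2222-4222-8222-222222222222", "title": "Sample/Test data",
     "can_read": True, "can_write": False},
]})

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def readable_collections(collections_json):
    """Return {id: title} for every collection the account may read."""
    body = json.loads(collections_json)
    return {c["id"]: c["title"] for c in body.get("collections", []) if c.get("can_read")}


def check_collection(collection_id, collections_json):
    """Classify a Collection ID before it goes into the connector:
    'ok', 'not-readable' (listed but can_read is false) or 'unknown'."""
    body = json.loads(collections_json)
    for c in body.get("collections", []):
        if c["id"] == collection_id:
            return "ok" if c.get("can_read") else "not-readable"
    return "unknown"


def connector_settings(api_root, collection_id, username, api_key, collections_json):
    """Build the four values the Sentinel TAXII connector asks for, plus the
    objects URL the client will poll. Raises on inputs the server would reject."""
    if not api_root.endswith("/"):
        api_root += "/"
    if not UUID_RE.match(collection_id):
        raise ValueError(f"Collection ID {collection_id!r} is not a UUID")
    status = check_collection(collection_id, collections_json)
    if status != "ok":
        raise PermissionError(f"collection {collection_id}: {status}")
    return {"api_root": api_root, "collection_id": collection_id,
            "username": username, "password": api_key,
            "objects_url": f"{api_root}collections/{collection_id}/objects/"}
```

A "not-readable" result is the situation the comments below describe, where a Collection ID is visible but the account's plan cannot read it.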

Need help?

For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation.

Put Pulsedive threat intelligence to use in Microsoft Sentinel

Once the threat intelligence from Pulsedive is imported into Microsoft Sentinel, you can match it against your log sources using the out-of-the-box analytics rules in Microsoft Sentinel. These fully customizable analytics rules, which match threat indicators against your event data, all have names beginning with ‘TI map’.

To learn how to enable and create analytic rules, follow the steps mentioned in this documentation.
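To make the ‘TI map’ idea concrete, the following added example (not part of the original post, and not Microsoft's or Pulsedive's code) does in Python what those rules do in KQL: it takes STIX 2.1 indicator objects as a TAXII objects endpoint returns them, extracts the observable values from their patterns, drops low-scored indicators, and joins the rest against log events on an equality of field value. The STIX objects, the event rows and the use of the STIX `confidence` property as a stand-in for the feed's risk score are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed STIX 2.1 indicator objects, in the shape a TAXII /objects/
# endpoint returns them. IDs, patterns and confidence values are made up;
# 'confidence' stands in for the feed's risk score here (an assumption).
SAMPLE_STIX_OBJECTS = [
    {"type": "indicator", "id": "indicator--0001", "confidence": 80,
     "pattern": "[domain-name:value = 'bad-login.example']"},
    {"type": "indicator", "id": "indicator--0002", "confidence": 30,
     "pattern": "[ipv4-addr:value = '203.0.113.7'] OR [ipv4-addr:value = '198.51.100.9']"},
    {"type": "indicator", "id": "indicator--0003", "confidence": 95,
     "pattern": "[url:value = 'http://bad-login.example/x']"},
    {"type": "malware", "id": "malware--0001", "name": "not an indicator"},
]

# Constructed DNS/proxy-style events: the log side of a TI map join.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst_ip": "203.0.113.7", "domain": "intranet.local"},
    {"src": "10.0.0.8", "dst_ip": "192.0.2.1", "domain": "bad-login.example"},
]

# One simple STIX comparison: [<observable type>:value = '<literal>']
COMPARISON = re.compile(r"\[(domain-name|ipv4-addr|ipv6-addr|url):value\s*=\s*'([^']*)'\]")
FIELD_TO_TYPE = {"dst_ip": "ipv4-addr", "domain": "domain-name"}  # event field -> STIX type


def extract_indicators(objects, min_confidence=50):
    """Return {observable type: {value: indicator id}} from STIX indicator
    objects, skipping anything below min_confidence to cut noise."""
    out = defaultdict(dict)
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        for obs_type, value in COMPARISON.findall(obj["pattern"]):
            out[obs_type][value] = obj["id"]
    return dict(out)


def match_events(events, indicators):
    """Return (event index, field, value, indicator id) for each event field
    equal to a known indicator: the equality join a TI map rule performs."""
    hits = []
    for i, event in enumerate(events):
        for field, obs_type in FIELD_TO_TYPE.items():
            ind_id = indicators.get(obs_type, {}).get(event.get(field))
            if ind_id:
                hits.append((i, field, event[field], ind_id))
    return hits
```

Lowering `min_confidence` surfaces the low-scored IPv4 indicator and its match, which is the trade-off the risk-score threshold controls.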

You can also create customized dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the Pulsedive feed.

We hope this article has helped you understand the advantages of importing the Pulsedive feed into Microsoft Sentinel and using it to protect your organization.

Updated Jun 07, 2022
Version 1.0
  • I believe the reason you are getting the Collection ID error is that the guide references a collection ID that is not available to free tier subscriptions.

    In the TAXII documentation, if you scroll down to the section titled "GET request to /taxii2/api/collections with parameters:" and hit send request, it will show whether or not your account has permissions to read/write to the feed (see the picture below, which shows that the free tier cannot read the first 2 collection IDs; only the Sample/Test data collection works).

  • dneto
    Copper Contributor

    Amazing. Thanks for sharing.

    I reviewed all copied and pasted data, API KEY, but am still receiving "Failed to add TAXII connector".

  • jpot87
    Copper Contributor

    Before I start coding myself, are there any playbooks to add Pulsedive threat information from their API to the Sentinel incident as a comment?

  • JMSHW0420
    Iron Contributor

    Hello,

    I am struggling to connect to Microsoft Sentinel through this data connector and the Pulsedive TI service.

    As seen below, I have a FREE account and am trying to 'connect' to the free 'Collection'.

    Can I clarify that the following is correct:


    API root: https://pulsedive.com/taxii2/api/
    Collection ID: 981c4916-ebb2-4567-aece-54ae970c4230
    Username: jmshw0123
    Password: your API key, which can be found on your account page


    I have run the following operation in Pulsedive (Explore): GET request to /taxii2/api/collections/981c4916-ebb2-4567-aece-54ae970c4230/objects/ and it returns data. It also states that I have read access to the collection ("can_read": true...).

    ANY guidance would be appreciated...

  • JMSHW0420
    Iron Contributor

    Hi all,

    A quick update on the issue I had.

    This has been resolved by using the Username: taxii2 instead of your own.

    I believe this is specific to when you try importing the Pulsedive 'Test' Collection feed ONLY.