MiteshAgrawal, Jan 30, 2020
How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?
Hi Team,
I am very new to Azure Sentinel and want to integrate custom threat intelligence from our company's website.
If I download the TI feeds from our website and save them somewhere on my local machine, how can I load those feeds into Active Lists (or the Sentinel equivalent) and call them against rules?
Also, can this be done automatically? I mean, in ArcSight the connector reads IOCs from Excel, sends them to ESM and adds the IOCs to Active Lists; can the same or something similar be done in Azure Sentinel?
Thanks in Advance.
Regards,
Mitesh Agrawal
Rod_Trent (Microsoft):
MiteshAgrawal Have you looked through the following yet?
MiteshAgrawal:
Hi Rod_Trent,
Thanks for your quick reply.
The link you shared is really helpful. Will try to integrate our TI feeds with Sentinel with the help of the steps provided in the link.
Also, how can I create a list and manually upload the IOCs, if that is what my requirement is? Do we have some steps for that? In KQL we can create a list with make_list and populate it from previous results; can we do something similar and manually upload the IOCs?
Thanks in Advance.
Regards,
Mitesh Agrawal
GaryBushey:
MiteshAgrawal For this part, look at https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306 on how to use Azure Blob storage as an external source for KQL queries.
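As an added illustration of what that link describes (example code written for this thread, not taken from the linked article or from Microsoft), the query below pulls an IOC CSV from Azure Blob storage with externaldata() and matches it against destination IPs in CommonSecurityLog. The storage URL, SAS token and the CSV column layout (Indicator, Type, Description) are placeholders you would replace with your own.

```kusto
// Added example, not from the thread: read a manually maintained IOC CSV from
// Azure Blob storage and join it against CEF/Syslog events in CommonSecurityLog.
// Assumptions (placeholders): storage account, container, SAS token and the
// CSV layout "Indicator,Type,Description" with a header row.
let iocs = externaldata(Indicator:string, Type:string, Description:string)
    [h@"https://<storage-account>.blob.core.windows.net/<container>/iocs.csv?<sas-token>"]
    with (format="csv", ignoreFirstRecord=true);
// Normalise the feed once: keep only IP indicators, strip stray whitespace,
// and de-duplicate so the join does not multiply rows.
let ip_iocs = iocs
    | where Type =~ "ip"
    | extend Indicator = trim(@"\s+", Indicator)
    | where isnotempty(Indicator)
    | distinct Indicator, Description;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(DestinationIP)
| join kind=inner ip_iocs on $left.DestinationIP == $right.Indicator
| project TimeGenerated, Computer, SourceIP, DestinationIP, DestinationPort,
          IocDescription = Description
| order by TimeGenerated desc
```

The same `let iocs = externaldata(...)` block can be reused unchanged inside a scheduled analytics rule, so refreshing the CSV in the blob container updates every rule that references it.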