Forum Discussion
How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?
Hi Rod_Trent,
Thanks for your quick reply.
The link you shared is really helpful. Will try to integrate our TI feeds with Sentinel with the help of the steps provided in the link.
Also, how can I create a list and manually upload the IOCs, if that is what my requirement is? Do we have some steps for that? In KQL, with makelist, we can create a list and populate it with data from previous results; can we do something similar and manually upload the IOCs?
Thanks in Advance.
Regards,
Mitesh Agrawal
MiteshAgrawal For this part, look at https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306 on how to use Azure Blob storage as an external source for KQL queries.
MiteshAgrawal, Feb 02, 2020 (Brass Contributor):
Hi Gary,
How can I achieve my requirement without using BLOB storage? Can I do this from my local system? Or by pasting the feeds manually in a list?

thomasdefise, Feb 03, 2020 (Brass Contributor):
MiteshAgrawal You can also ingest feeds via the Microsoft Graph API, using tiIndicator.
https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta
There has been a PoC here https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-alien-vault-otx-threat-indicators-into-azure-sentinel/ba-p/1086566
-> Make sure to give the correct rights to your app registration to interact with the Threat Intelligence IoC table (something like "ThreatIndicators.ReadWrite.OwnedBy", to be verified).
If it's a publicly available feed such as AlienVault, dnsbl.info, ... I would be more than welcome to contribute during my free time in order to help the community.
Thomas
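As an added example (not code from the thread or from any of its participants), the following Python script shows the Graph API route Thomas describes, applied to the original question of uploading IOCs from a local system: it reads a local CSV of indicators, builds tiIndicator objects with the properties the linked beta docs require (action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel plus one observable), and submits them in a batch with the submitTiIndicators action under an app registration holding ThreatIndicators.ReadWrite.OwnedBy. The CSV column layout, the sample rows, and the tenant/client placeholders are assumptions made for this example; the endpoint URLs and property names come from the tiIndicator documentation linked above.

```python
import csv
import io
import ipaddress
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Beta endpoint and batch action from the tiIndicator docs linked in the thread.
GRAPH_TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"
GRAPH_SUBMIT_URL = GRAPH_TI_URL + "/submitTiIndicators"

# Constructed sample feed: the shape a local CSV export might have (our own convention).
SAMPLE_CSV = """type,value,description,confidence
ip,198.51.100.23,Constructed sample C2 address,80
domain,malicious.example,Constructed sample domain,60
url,http://malicious.example/drop,Constructed sample URL,50
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,Constructed sample hash,90
"""

# Our CSV 'type' column mapped onto the tiIndicator observable property.
FIELD_FOR_TYPE = {
    "ip": "networkDestinationIPv4",
    "domain": "domainName",
    "url": "url",
    "sha256": "fileHashValue",
}


def build_indicator(row, tenant_id, ttl_days=30):
    """Turn one CSV row into a tiIndicator dict carrying the required properties."""
    kind = row["type"].strip().lower()
    value = row["value"].strip()
    if kind not in FIELD_FOR_TYPE:
        raise ValueError(f"unsupported indicator type: {kind!r}")
    if kind == "ip":
        ipaddress.IPv4Address(value)  # raises ValueError on malformed input
    if kind == "sha256":
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value.lower()):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    indicator = {
        "action": "alert",
        "azureTenantId": tenant_id,
        "description": row.get("description") or f"{kind} indicator from local feed",
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": "amber",
        "confidence": int(row.get("confidence") or 50),
        FIELD_FOR_TYPE[kind]: value,
    }
    if kind == "sha256":
        indicator["fileHashType"] = "sha256"
    return indicator


def load_indicators(csv_text, tenant_id):
    """Parse CSV text and build one indicator per row (a bad row raises ValueError)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [build_indicator(row, tenant_id) for row in rows]


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph; the app registration needs
    ThreatIndicators.ReadWrite.OwnedBy granted with admin consent."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def submit_indicators(indicators, access_token, post=None):
    """Submit one batch via submitTiIndicators; `post` is injectable for offline tests."""
    if len(indicators) > 100:
        raise ValueError("submitTiIndicators accepts at most 100 indicators per call")
    body = json.dumps({"value": indicators}).encode()
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    if post is not None:
        return post(GRAPH_SUBMIT_URL, body, headers)
    req = urllib.request.Request(GRAPH_SUBMIT_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; real ones come from your own app registration.
    TENANT_ID = "<your-tenant-id>"
    inds = load_indicators(SAMPLE_CSV, TENANT_ID)
    print(json.dumps(inds, indent=2))
    # token = get_token(TENANT_ID, "<client-id>", "<client-secret>")
    # print(submit_indicators(inds, token))
```

The validation in build_indicator is deliberate: a malformed IP or hash in a hand-maintained CSV would otherwise be pushed into the ThreatIntelligenceIndicator table and silently never match anything, so rejecting it at build time is the cheapest check. Once indicators land, they can be joined against log tables in KQL exactly as the blob-backed lookup in Gary's link would be.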