Forum Discussion
Sentinel & ThreatIntelligenceIndicator
Has anyone been able to get the ThreatIntelligenceIndicator to work?
6 Replies
- Ofer_Shezaf
Microsoft
Here is the info. Thanks Sarah Fender who runs the Graph Security API for the info:
Azure Sentinel enables you to correlate and analyze your threat intelligence to create custom alerts on malicious activity, power hunting queries, and create dashboards to monitor threat activity levels. This can include indicators generated through your internal threat intelligence gathering or acquired from threat intelligence communities, licensed feeds, and other sources.
Start by connecting your threat intelligence sources to Azure Sentinel in one of two ways:
- If you use one of the threat intelligence platforms below, native integrate with the Microsoft Graph Security API is available:
- You can also integrate your threat intelligence applications and feeds directly using the Microsoft Graph Security API tiIndicator entity.
Then simply configure the Threat Intelligence data connector in Azure Sentinel to begin ingesting this data. To use the data, review the sample queries available on the Azure Sentinel Threat Intelligence connector page.
~ Ofer
Thanks Ofer_Shezaf & @Sarah Fender
I could be wrong, but from what I can see "Threat Connect" doesn't actually list Sentinel or Azure under the integrations? https://threatconnect.com/integrations/
It does look very interesting and a great way to start - does this need to be connected via the API somehow? https://docs.threatconnect.com/en/latest/rest_api/rest_api.html
David Caddick The Azure Sentinel + ThreatConnect integration is powered by the Microsoft Graph Security API. If you expand the Microsoft Graph Security API listing you'll see Azure Sentinel is called out there.
- I was able to bring in IoCs via Palo Alto MineMeld but I'm still trying to find a way to use it. For now I bring my own threat intel feeds as custom logs.
