
Sentinel & ThreatIntelligenceIndicator


Has anyone been able to get the ThreatIntelligenceIndicator to work?

4 Replies
I was able to bring in IoCs via Palo Alto MineMeld but I'm still trying to find a way to use it. For now I bring my own threat intel feeds as custom logs.

@David Caddick

Here is the info. Thanks @Sarah Fender who runs the Graph Security API for the info:

Azure Sentinel enables you to correlate and analyze your threat intelligence to create custom alerts on malicious activity, power hunting queries, and create dashboards to monitor threat activity levels. This can include indicators generated through your internal threat intelligence gathering or acquired from threat intelligence communities, licensed feeds, and other sources.

Start by connecting your threat intelligence sources to Azure Sentinel in one of two ways:

  1. If you use one of the threat intelligence platforms below, native integration with the Microsoft Graph Security API is available:
     - Threat Connect (NEW!) (https://threatconnect.com/#tab-id-2)
     - Palo Alto Networks MineMeld (https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi)
     - MISP Open Source Threat Intelligence Platform (https://aka.ms/tipmispsample)
  2. You can also integrate your threat intelligence applications and feeds directly using the Microsoft Graph Security API tiIndicator entity (https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta).

Then simply configure the Threat Intelligence data connector in Azure Sentinel to begin ingesting this data. To use the data, review the sample queries available on the Azure Sentinel Threat Intelligence connector page.

~ Ofer
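As an added example (not from this thread and not one of the connector page's sample queries), here is one way to use the ThreatIntelligenceIndicator table once the connector is ingesting: match active, unexpired IP indicators against destination IPs in firewall events. The table and column names are the Sentinel schema names for ThreatIntelligenceIndicator and CommonSecurityLog; the 1h and 14d lookback windows are assumed tuning values.

```kql
// Added example: correlate IP indicators with CommonSecurityLog events.
// Not from the thread or the connector page; lookback windows are assumed.
let dt_lookBack  = 1h;    // how far back to scan the event table
let ioc_lookBack = 14d;   // how far back to collect indicators
let ip_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // skip expired or deactivated indicators so stale IoCs do not alert
    | where ExpirationDateTime > now() and Active == true
    // updates re-emit an indicator row: keep only the latest version of each
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    // normalise the three possible IP fields into one value to join on
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP);
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationIP)
| join kind=inner ip_indicators on $left.DestinationIP == $right.TI_ipEntity
| project TimeGenerated, SourceIP, DestinationIP, DeviceVendor, DeviceProduct, Activity,
          IndicatorId, ThreatType, ConfidenceScore, Description, ExpirationDateTime
| order by TimeGenerated desc
```

The same shape works for other observable types (DomainName, Url, FileHashValue) by swapping the indicator filter and the join key; the expiry and Active checks are what keep a long-retained indicator table from producing alerts on IoCs the feed has already withdrawn.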

Thanks @Ofer_Shezaf & @Sarah Fender 

I could be wrong, but from what I can see "Threat Connect" doesn't actually list Sentinel or Azure under the integrations?  https://threatconnect.com/integrations/

It does look very interesting and a great way to start - does this need to be connected via the API somehow? https://docs.threatconnect.com/en/latest/rest_api/rest_api.html

@David Caddick  The Azure Sentinel + ThreatConnect integration is powered by the Microsoft Graph Security API. If you expand the Microsoft Graph Security API listing you'll see Azure Sentinel is called out there. 
