
Threat Intelligence Integration

davidbrilliant

What is the best way to connect a threat intelligence feed to my Sentinel instance? I cannot find any documentation online detailing how to integrate a free threat intel feed.

2 Replies

@davidbrilliant - There are two ways to connect your threat intelligence to Azure Sentinel:

1) If you use one of the threat intelligence platforms below, native integration with the Microsoft Graph Security API is available:

- ThreatConnect (NEW!): https://threatconnect.com/#tab-id-2
- Palo Alto Networks MineMeld: https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi
- MISP Open Source Threat Intelligence Platform: https://aka.ms/tipmispsample

2) You can also integrate your threat intelligence applications and feeds directly using the Microsoft Graph Security API tiIndicator entity (https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta).

Then simply configure the Threat Intelligence data connector in Azure Sentinel to begin ingesting this data.


Azure Sentinel enables you to correlate and analyze your threat intelligence data to create custom alerts on malicious activity, power hunting queries, and create dashboards to monitor threat activity levels.
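Option 2 in the reply above (pushing your own feed through the tiIndicator entity) is the route for a free list that has no platform integration. The script below is an added example written for this thread; it is not code from the thread, from Microsoft or from Azure Sentinel. It assumes a feed of one IPv4 per line with `#` comments, a bearer token for an app registration that has been granted `ThreatIndicators.ReadWrite.OwnedBy` (obtained elsewhere), the beta endpoint `POST /beta/security/tiIndicators/submitTiIndicators`, and a limit of 100 indicators per call; the sample feed is constructed from documentation address ranges. It rejects malformed lines and RFC 1918 addresses before they reach the TI table, since a private address in the indicator set would match internal traffic in every correlation rule. Note that Microsoft has since deprecated this beta API in favour of the Sentinel upload indicators API, so check the current docs before building on it.

```python
"""Convert a free, line-oriented IP blocklist into Microsoft Graph Security
tiIndicator objects and batch them for POST /beta/security/tiIndicators/submitTiIndicators.

Added example for this thread; not code from the thread, Microsoft or Azure Sentinel.
Assumptions (not stated in the thread): the feed is one IPv4 per line with '#'
comments; a bearer token with ThreatIndicators.ReadWrite.OwnedBy is obtained
elsewhere; submitTiIndicators accepts at most 100 indicators per call.
"""
from __future__ import annotations

import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Iterator, Optional

GRAPH_SUBMIT_URL = "https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators"
BATCH_SIZE = 100  # assumed per-call limit for submitTiIndicators; verify against current docs
DEMO_NOW = datetime(2019, 8, 1, tzinfo=timezone.utc)  # fixed clock so output is reproducible

# Ranges that must never be pushed as indicators: matching them against
# firewall logs would alert on every internal flow.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample feed (documentation addresses), not a real blocklist.
SAMPLE_FEED = """\
# blocklist, one IPv4 per line
198.51.100.7
203.0.113.42
203.0.113.42      # duplicate, must be collapsed
not-an-ip         # garbage line, must be rejected
10.0.0.5          # RFC1918 address, must be skipped
192.0.2.199
"""


def parse_feed(text: str) -> list[str]:
    """Return unique, routable IPv4 strings from the feed, in feed order."""
    seen: set[str] = set()
    ips: list[str] = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # do not let a malformed line poison the TI table
        if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
            continue
        if str(ip) not in seen:
            seen.add(str(ip))
            ips.append(str(ip))
    return ips


def make_indicator(ip: str, feed_name: str, ttl_days: int = 30,
                   now: Optional[datetime] = None) -> dict:
    """Build one tiIndicator body targeting Azure Sentinel.

    action, targetProduct, threatType, tlpLevel, expirationDateTime and one
    observable are the required fields of the tiIndicator resource.
    """
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(days=ttl_days)).replace(microsecond=0)
    return {
        "action": "alert",
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": "white",
        "confidence": 50,
        "description": f"IPv4 from feed {feed_name}",
        "externalId": f"{feed_name}:{ip}",  # stable id so a re-run updates rather than duplicates
        "expirationDateTime": expiry.isoformat().replace("+00:00", "Z"),
        "networkDestinationIPv4": ip,
    }


def chunks(items: list, size: int = BATCH_SIZE) -> Iterator[list]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def build_batches(feed_text: str, feed_name: str,
                  now: Optional[datetime] = None) -> list[dict]:
    """Request bodies for submitTiIndicators: {"value": [<= BATCH_SIZE indicators]} each."""
    indicators = [make_indicator(ip, feed_name, now=now) for ip in parse_feed(feed_text)]
    return [{"value": chunk} for chunk in chunks(indicators)]


def submit(batches: list[dict], token: str) -> list[int]:
    """POST each batch to Graph and return the HTTP status codes (needs network and a token)."""
    statuses = []
    for body in batches:
        req = urllib.request.Request(
            GRAPH_SUBMIT_URL,
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for batch in build_batches(SAMPLE_FEED, "sample-feed", now=DEMO_NOW):
        print(json.dumps(batch, indent=2))
    # submit(build_batches(SAMPLE_FEED, "sample-feed"), token="<bearer token>")
```

Run it as-is to see the JSON bodies; call `submit()` only once you have a token. Once the indicators land in the `ThreatIntelligenceIndicator` table via the Threat Intelligence data connector, the `externalId` and `expirationDateTime` values are what let you refresh the feed on a schedule without accumulating stale duplicates.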


Hi @Sarah Fender

My threat intelligence is fed with MineMeld.

I have firewall logs that I want to correlate with the Threat Intelligence feed.

Let's say I create an Alert when a firewall log contains a Destination IP that matches an IP from the Threat Intel DB. My problem is that the Alert is only looking at the last 5 hours in both tables. I need to:

- Firewall logs: look at the last 5 hours

- Threat Intel: look in the whole database

Is it possible to do this?

Thanks
