Generally there are multiple categories of Cyber Threat Intelligence (CTI): "Tactical TI", mainly for observables and indicators; "Strategic TI", for actors' intentions, capabilities and motivations (broader trends, typically meant for a non-technical audience); "Operational TI", for techniques, tools and procedures (technical details about specific attacks and campaigns); "OSINT", for open standard formats; and many others.
To maximize the value of the threat intelligence you produce, it's critical to identify your use cases and define your objectives before doing anything else, by following the TI Lifecycle procedure: "Planning & Direction", "Collection", "Processing", "Analysis", "Dissemination" and "Feedback".
Azure Sentinel provides out-of-the-box Tactical TI connectors for indicators and observed data that let you import or stream the threat indicators your organization is using, which can enhance your security analysts' ability to detect and prioritize known threats. Several Azure Sentinel features then become available or are enhanced: Analytics, Workbooks, Hunting and Notebooks.
There is a great blog post by @Jason Wescott on how to Bring your threat intelligence to Azure Sentinel, with a detailed step-by-step guide on streaming Anomali Limo ThreatStream TAXII 2.0 via the Azure Sentinel TAXII Data Connector; highly recommended to check it out!
Today's use case is how to stream ThreatConnect TI feeds to the Azure Sentinel platform (SIEM + SOAR + CTI Hub) in a step-by-step guide, then measure, map and hunt the streamed indicator feeds against your organization's data for custom detections. So let's get started and follow the guide.
The integration flow via Azure Sentinel is simple: "ThreatConnect TIP" > Microsoft Security Graph API (tiIndicators) > Azure Sentinel (Threat Intelligence Platforms Data Connector)
ThreatConnect TIP is a member of the Microsoft Intelligent Security Association (MISA), hence a ready-made app integrated with Microsoft Graph Security enables ThreatConnect Playbook users to perform Get, Create, Update and Delete actions against the Graph TI API, which is currently consumed by Azure Sentinel for alerting and monitoring.
https://api.threatconnect.com/v2/indicators?owner=Common%20Community HTTP/1.1
{
    "action": "alert",
    "activityGroupNames": [],
    "confidence": 0,
    "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
    "expirationDateTime": "@{addDays(utcNow(),7)}",
    "externalId": "@{items('For_each')?['id']}",
    "killChain": [],
    "malwareFamilyNames": [],
    "severity": 0,
    "tags": [],
    "targetProduct": "Azure Sentinel",
    "threatType": "WatchList",
    "tlpLevel": "white",
    "url": "@{items('For_each')?['indicator']}"
}
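The Logic App body above puts every indicator into the "url" field, which only works for URL-type indicators. The following Python is an added example (not ThreatConnect's or Microsoft's code) that builds the same tiIndicators request body from constructed ThreatConnect-style records, but selects the correct Graph observable field per indicator type (networkIPv4/networkIPv6, domainName, fileHashType/fileHashValue, emailSenderAddress) and reports records it cannot map instead of silently sending bad payloads. The Graph property names used are the documented tiIndicator properties; the feed record layout ("id", "type", "summary", "rating", "confidence") and the sample values are assumptions for this example. The resulting {"value": [...]} envelope is the shape expected by the bulk submitTiIndicators action.

```python
"""Added example: map ThreatConnect-style indicators to Graph tiIndicators bodies."""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample feed items (assumed layout, modelled on /v2/indicators results).
SAMPLE_FEED = [
    {"id": 101, "type": "URL", "summary": "http://malicious.example/login", "rating": 4.0, "confidence": 80},
    {"id": 102, "type": "Address", "summary": "203.0.113.77", "rating": 3.0, "confidence": 60},
    {"id": 103, "type": "Host", "summary": "c2.example.net", "rating": 5.0, "confidence": 90},
    {"id": 104, "type": "File", "summary": "44D88612FEA8A8F36DE82E1278ABB02F", "rating": 2.0, "confidence": 30},
    {"id": 105, "type": "EmailAddress", "summary": "phish@example.org", "rating": 1.0, "confidence": 10},
    {"id": 106, "type": "ASN", "summary": "AS64496", "rating": 1.0, "confidence": 10},  # no Graph field
]


def severity_from_rating(rating: float) -> int:
    """ThreatConnect rating (0-5) and Graph severity (0-5) share a scale; clamp and round."""
    return max(0, min(5, int(round(rating))))


def graph_observable(tc_type: str, value: str) -> Dict[str, str]:
    """Return the Graph observable field(s) for one indicator; ValueError if unmappable."""
    if tc_type == "URL":
        return {"url": value}
    if tc_type == "Address":
        # Graph separates IPv4 and IPv6; parsing also rejects non-IP garbage.
        ip = ipaddress.ip_address(value)
        return {"networkIPv6": value} if ip.version == 6 else {"networkIPv4": value}
    if tc_type == "Host":
        return {"domainName": value}
    if tc_type == "File":
        hash_type: Optional[str] = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))
        if hash_type is None:
            raise ValueError(f"unrecognised hash length {len(value)} for indicator {value!r}")
        return {"fileHashType": hash_type, "fileHashValue": value.lower()}
    if tc_type == "EmailAddress":
        return {"emailSenderAddress": value}
    raise ValueError(f"unsupported ThreatConnect indicator type: {tc_type}")


def to_ti_indicator(item: dict, now: datetime, ttl_days: int = 7) -> dict:
    """Build one tiIndicator body; same fields as the Logic App body, plus typed observable."""
    body = {
        "action": "alert",
        "activityGroupNames": [],
        "confidence": int(item.get("confidence", 0)),
        "description": f"ThreatConnect Indicator - {item['type']}",
        # Same idea as addDays(utcNow(), 7): indicators expire so stale IoCs age out.
        "expirationDateTime": (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "externalId": str(item["id"]),
        "killChain": [],
        "malwareFamilyNames": [],
        "severity": severity_from_rating(float(item.get("rating", 0))),
        "tags": ["ThreatConnect"],
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": "white",
    }
    body.update(graph_observable(item["type"], item["summary"]))
    return body


def build_submit_batch(feed: List[dict], now: Optional[datetime] = None,
                       ttl_days: int = 7) -> Tuple[dict, List[Tuple[int, str]]]:
    """Return ({"value": [...]}, skipped) for POST /security/tiIndicators/submitTiIndicators."""
    now = now or datetime.now(timezone.utc)
    value, skipped = [], []
    for item in feed:
        try:
            value.append(to_ti_indicator(item, now, ttl_days))
        except ValueError as exc:
            skipped.append((item["id"], str(exc)))  # surface, do not drop silently
    return {"value": value}, skipped


if __name__ == "__main__":
    import json
    batch, skipped = build_submit_batch(SAMPLE_FEED)
    print(json.dumps(batch, indent=2))
    for ind_id, reason in skipped:
        print(f"skipped indicator {ind_id}: {reason}")
```

The skipped list is worth logging in the playbook: an unmapped indicator type or a malformed hash is a feed-quality signal, and a request containing an unrecognised field would fail for the whole batch rather than just that item.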