MAY THE "TI" BE WITH YOU: Connect ThreatConnect TIP with Azure Sentinel
Published Jun 13 2020 03:59 AM 5,726 Views
Microsoft

Cyber Threat Intelligence (CTI) is commonly divided into several categories: "Tactical TI", mainly observables and indicators; "Strategic TI", covering actors' intentions, capabilities and motivations (broader trends, typically meant for a non-technical audience); "Operational TI", covering techniques, tools and procedures (technical details about specific attacks and campaigns); "OSINT", covering open standard formats; and many others.

To maximize the value of the threat intelligence you produce, it is critical to identify your use cases and define your objectives before doing anything else, by following the TI lifecycle: "Planning & Direction", "Collection", "Processing", "Analysis", "Dissemination" and "Feedback".

Azure Sentinel provides out-of-the-box Tactical TI connectors for indicators and observed data that let you import or stream the threat indicators your organization is using, which enhances your security analysts' ability to detect and prioritize known threats. Several Azure Sentinel features then become available or are enhanced: Analytics, Workbooks, Hunting and Notebooks.

There is a great blog post by @Jason Wescott on how to Bring your threat intelligence to Azure Sentinel, with a detailed step-by-step guide on streaming Anomali Limo ThreatStream TAXII 2.0 via the Azure Sentinel TAXII Data Connector; it is highly recommended.

Today's use case is a step-by-step guide on streaming ThreatConnect TI feeds to the Azure Sentinel platform (SIEM + SOAR + CTI hub), then measuring, mapping and hunting the streamed indicator feeds against your organization's data for custom detections. So let's get started and follow the guide.

The integration flow via Azure Sentinel is simple: "ThreatConnect TIP" > Microsoft Security Graph API (tiIndicators) > Azure Sentinel (Threat Intelligence Platforms Data Connector)

ThreatConnect TIP is a member of the Microsoft Intelligent Security Association (MISA), so a ready-made integration with Microsoft Graph Security enables ThreatConnect Playbook users to perform Get, Create, Update and Delete actions against the Graph TI API, which is currently consumed by Azure Sentinel for alerting and monitoring.

 

TIPFlow.PNG

Step (1) - Sign In to your ThreatConnect API User Connection

TC1.PNG

  • Click on settings > Org Settings

TC2.PNG

 

  • Under Membership > Create API User, then save the user account and keep the key value

TC3.png

  • Keep your Access ID & Secret key

 

Step (2) - Azure App Registrations

  • Sign in to your Azure portal http://portal.azure.com
  • Search for App registrations > type a name for your app and click register

TC4.PNG

  • Under API permissions > Click Add a permission > Select Microsoft Graph

TC5.PNG

  • Select Application permissions > Under ThreatIndicators > Check "ThreatIndicators.ReadWrite.OwnedBy"

TC6.PNG

  • Click "Grant admin consent" button > Yes

TC7.png

 

TC8.png

  • Click "Certificates & secrets" > New client secret > type a description and select expires option, then Add

TC9.PNG

  • Keep the newly registered app's "Client ID", "Secret" and Tenant ID values

 

Step (3) - Build the Azure Sentinel Logic App - Playbook

  • Sign in to Azure Sentinel
  • Under configuration > Playbooks > Add Playbook

TC10.PNG

  • Select subscription, resource group, type Logic App name, select location and click review & create

TC11.PNG

  • Select Recurrence as the trigger template:
    • Type the interval & frequency values
    • Add new step > HTTP
      • Method: GET
      • URI: https://api.threatconnect.com/v2/indicators?owner=Common%20Community
      • Headers:
        • API_SECRET: type the API Secret value
        • API_ID: type the API ID value
      • Queries:
        • modified_since: addDays(utcNow(),-1)
        • types: URL, hostname, domain, IPv4
    • Then run the playbook once to obtain a sample response body to parse, and keep that body value

TC14.png

  • For reference, here is the list of out-of-the-box ThreatConnect indicator types:

TC13.PNG

  • Add new step > select Data Operations > Parse JSON under actions
    • Content: Add dynamic content > Body
    • Schema: Paste the copied sample body

TC15.PNG

  • Now let's add a step to send the data to the Security Graph: choose Control and select Switch
    • On: Type
    • Case: URL

TC16.PNG

  • The body of the HTTP action that posts the indicator to the Graph tiIndicators API for this case:

{
  "action": "alert",
  "activityGroupNames": [],
  "confidence": 0,
  "description": "OTX Threat Indicator - @{items('For_each')?['type']}",
  "expirationDateTime": "@{addDays(utcNow(),7)}",
  "externalId": "@{items('For_each')?['id']}",
  "killChain": [],
  "malwareFamilyNames": [],
  "severity": 0,
  "tags": [],
  "targetProduct": "Azure Sentinel",
  "threatType": "WatchList",
  "tlpLevel": "white",
  "url": "@{items('For_each')?['indicator']}"
}

  • Check "Authentication"
    • Authentication type: Active Directory OAuth
    • Tenant: type Azure tenant ID
    • Audience: https://graph.microsoft.com
    • Client ID: Azure App registrations Client ID value
    • Credential Type: Secret
    • Secret: Azure App registrations Secret value

TC18.PNG

  • Now repeat the same steps in a separate Switch case for each indicator type
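The per-type mapping that the Switch performs one case at a time, written here as an added Python example (not code from the original post, ThreatConnect or Microsoft) that turns a ThreatConnect /v2/indicators response into Graph tiIndicators request bodies, so the bodies can be inspected before any playbook posts them. It assumes the feed items carry the id/type/indicator fields the post's expressions reference and use ThreatConnect's Address/Host/URL type names; the sample feed is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: feed items carry the id/type/indicator fields the post's Logic App
# expressions reference, and use ThreatConnect's Address/Host/URL type names.
# ThreatConnect indicator type -> tiIndicators observable field (one Switch case each)
TYPE_FIELD = {"URL": "url", "Host": "domainName", "Address": "networkIPv4"}

def to_ti_indicator(item, now):
    """Build the tiIndicators POST body for one item, or None if its type has no case."""
    field = TYPE_FIELD.get(item["type"])
    if field is None:
        return None
    # Same shape as the Logic App expression addDays(utcNow(),7)
    expires = (now + timedelta(days=7)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "action": "alert",
        "activityGroupNames": [],
        "confidence": 0,
        "description": f"ThreatConnect Indicator - {item['type']}",
        "expirationDateTime": expires,
        "externalId": str(item["id"]),
        "killChain": [],
        "malwareFamilyNames": [],
        "severity": 0,
        "tags": [],
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": "white",
        field: item["indicator"],  # the one field that differs per Switch case
    }

def map_feed(feed, now=None):
    """Map a /v2/indicators response body; return (bodies, unmapped type names)."""
    now = now or datetime.now(timezone.utc)
    bodies, unmapped = [], []
    for item in feed["data"]["indicator"]:
        body = to_ti_indicator(item, now)
        if body is None:
            unmapped.append(item["type"])  # no case for this type: nothing is posted
        else:
            bodies.append(body)
    return bodies, unmapped

# Constructed sample response (not real indicators) in the shape the post expects
SAMPLE_FEED = {"status": "Success", "data": {"resultCount": 4, "indicator": [
    {"id": 101, "type": "URL", "indicator": "http://example.invalid/payload"},
    {"id": 102, "type": "Host", "indicator": "bad.example.invalid"},
    {"id": 103, "type": "Address", "indicator": "192.0.2.10"},
    {"id": 104, "type": "File", "indicator": "d41d8cd98f00b204e9800998ecf8427e"},
]}}
```

Types without a Switch case (here the File item) are reported in the second return value rather than silently dropped, which is the gap to watch for when only some cases have been built.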

 

Step (4) - Azure Sentinel TIP Data Connector & Detections

  • Sign in to Azure Sentinel
  • Under configuration > Data Connectors > Threat Intelligence Platforms > Open Connector Page > Connect Button

TC19.PNG

 

TC20.PNG

  • Now you can query the ThreatConnect indicator feeds ingested into Azure Sentinel: go to Logs and query the "ThreatIntelligenceIndicator" table

TC21.PNG

  • Enjoy the out-of-the-box TI analytics rules as well; feel free to use, reuse or customize them, or build new rules from scratch:

TC22.PNG

Version history: last updated Nov 02 2021 05:58 PM