TAXII2 and Sentinel


Hi there,

I think I have finally found the right community for this.

I am a university student that is currently working on a project for sharing Threat Intelligence to Azure Sentinel. We have a running TAXII2 server on a VM that we want to connect to our Azure Sentinel instance using the provided data connector. However, since we are still in development we do not want to give our VM a public IP address and allow connections to our TAXII2 server from any source, for security reasons.

Does anyone know of a secure way to connect to our TAXII2 server without needing to expose it to the whole internet?

Also I have done some tests trying to use the Data Connector to our TAXII2 server and it does not seem to want to connect. I was wondering if the Data Connector needs to use HTTPS rather than HTTP, since our development server is just using HTTP.

2 Replies

@GhostCcamm First, your VM would need to be exposed to the Internet since that is where you are obtaining your data. You can use a Network Security Group to just allow the traffic from your provider to access the server, however.

Second, while I am not 100% certain HTTPS is required, I am 90% certain it is. Even if it isn't required, you should use it.
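As an added illustration of the pre-flight checks behind the reply above (example code written for this page, not code from the thread, from Microsoft, or from the Sentinel connector), the script below checks a TAXII endpoint URL for the two things that stop a hosted connector from reaching a dev VM (plain HTTP and a private address), builds the authenticated GET a TAXII 2.1 client issues against a collection, and pulls the API root and readable collection IDs out of discovery and collections documents, which is what the connector's configuration form asks for. The sample discovery and collections responses are constructed here, not captured from any real server, and the assumption that the server speaks TAXII 2.1 (Accept header `application/taxii+json;version=2.1`) is mine; the hostname, collection ID, username and password are placeholders.

```python
from __future__ import annotations

import base64
import ipaddress
import json
from urllib.parse import urlparse
from urllib.request import Request

# Assumption: the server speaks TAXII 2.1. A TAXII 2.0 server expects
# "application/vnd.oasis.taxii+json; version=2.0" instead.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Constructed sample responses in the shape the TAXII 2.1 spec defines;
# not captured from any real server.
SAMPLE_DISCOVERY = json.dumps({
    "title": "Dev TAXII server",
    "default": "https://taxii.example.edu/api1/",
    "api_roots": ["https://taxii.example.edu/api1/"],
})
SAMPLE_COLLECTIONS = json.dumps({
    "collections": [
        {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "Project indicators",
         "can_read": True, "can_write": False,
         "media_types": ["application/stix+json;version=2.1"]},
        {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "Write-only sink",
         "can_read": False, "can_write": True},
    ]
})


def check_endpoint_url(url: str) -> list[str]:
    """Return problems that would stop a hosted connector reaching this URL.

    Mirrors the reply above: the server has to be Internet-reachable and the
    connector should be talking HTTPS. A private (RFC 1918, link-local) IP
    literal is flagged as well, because a service running outside your VNet
    cannot route to the VM's private NIC address.
    """
    problems: list[str] = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme {parsed.scheme!r}: use https")
    host = parsed.hostname
    if not host:
        problems.append("no host in URL")
    else:
        try:
            if ipaddress.ip_address(host).is_private:
                problems.append(f"host {host} is a private address, unreachable from outside the VNet")
        except ValueError:
            pass  # a DNS name, not an IP literal; nothing to check offline
    return problems


def connector_request(api_root: str, collection_id: str, user: str, password: str) -> Request:
    """Build the GET a TAXII 2.1 client sends to a collection's objects endpoint.

    Basic auth plus the TAXII Accept header are the parts most often missing
    when someone tests with a browser or bare curl; this is what the server
    log should show for a correct poll. The request is built, not sent.
    """
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url)
    req.add_header("Accept", TAXII_MEDIA_TYPE)
    req.add_header("Authorization", f"Basic {token}")
    return req


def api_roots(discovery_json: str) -> list[str]:
    """Extract API root URLs from a TAXII 2.1 discovery document, default first."""
    doc = json.loads(discovery_json)
    roots = list(doc.get("api_roots", []))
    default = doc.get("default")
    if default and default not in roots:
        roots.insert(0, default)
    return roots


def readable_collections(collections_json: str) -> dict[str, str]:
    """Map collection id -> title, keeping only collections the client may read."""
    doc = json.loads(collections_json)
    return {c["id"]: c["title"] for c in doc.get("collections", []) if c.get("can_read")}


if __name__ == "__main__":
    for candidate in ("http://10.0.0.4/taxii2/", "https://taxii.example.edu/taxii2/"):
        print(candidate, "->", check_endpoint_url(candidate) or "ok")
    root = api_roots(SAMPLE_DISCOVERY)[0]
    for cid, title in readable_collections(SAMPLE_COLLECTIONS).items():
        req = connector_request(root, cid, "sentinel", "s3cret")
        print(title, req.full_url, req.get_header("Accept"))
```

Once the URL passes these checks, the remaining hardening is the one the reply names: keep the public IP, but let the Network Security Group's inbound rule on 443 admit only the source the connector actually polls from, and deny everything else.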

Thanks Gary! We have only been using HTTP for testing, but will switch to HTTPS. Also thanks for clarifying that using the NSG to control access is the way to go. I just thought that there might have been a way to connect Sentinel to our subnet so we wouldn't need to give our VM a public IP.