Threat Intelligence Integration


What is the best way to connect a threat intelligence feed to my sentinel instance? I cannot find any documentation online detailing how to integrate a free threat intel feed.

2 Replies
@davidbrilliant - There are two ways to connect your threat intelligence to Azure Sentinel:

1) If you use one of the threat intelligence platforms below, native integration with the Microsoft Graph Security API is available:

- Threat Connect (NEW!) (https://threatconnect.com/#tab-id-2)
- Palo Alto Networks MineMeld (https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi)
- MISP Open Source Threat Intelligence Platform (https://aka.ms/tipmispsample)

2) You can also integrate your threat intelligence applications and feeds directly using the Microsoft Graph Security API tiIndicator entity (https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta).

Then simply configure the Threat Intelligence data connector in Azure Sentinel to begin ingesting this data. 

Azure Sentinel enables you to correlate and analyze your threat intelligence data to create custom alerts on malicious activity, power hunting queries, and create dashboards to monitor threat activity levels.

Hi @Sarah Fender 

My threat intelligence is fed with MineMeld.

I have firewall logs that I want to correlate with the Threat Intelligence feed.

Let's say I create an Alert when a firewall log contains a Destination IP that matches an IP from the Threat Intel DB. My problem is that the Alert is only looking at the last 5 hours in both tables. I need to:

- Firewall logs: look at the last 5 hours

- Threat Intel: look in the whole database

Is it possible to do this?

Thanks
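One way to give each table its own time window in a scheduled analytics rule, written as an added example for this thread (not code from either poster or from Microsoft). It assumes the MineMeld indicators land in Sentinel's ThreatIntelligenceIndicator table, the firewall logs arrive via CEF into CommonSecurityLog, and the two lookback values are placeholders you adjust to your retention:

```kql
// Scope the indicator table and the firewall table independently.
// Both window values are assumptions; change them to fit your data.
let ioc_lookBack = 14d;   // how far back to collect indicators (whole feed history you keep)
let fw_lookBack  = 5h;    // how far back to scan firewall traffic
// Build the "whole database" side: newest record per indicator, still active and unexpired.
let ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend IoC_IP = iff(isnotempty(NetworkDestinationIP), NetworkDestinationIP, NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now();
// Firewall side: only the recent window, joined on destination IP.
CommonSecurityLog
| where TimeGenerated >= ago(fw_lookBack)
| where isnotempty(DestinationIP)
| join kind=inner ip_indicators on $left.DestinationIP == $right.IoC_IP
| project FirewallTime = TimeGenerated, DeviceVendor, DeviceProduct,
          SourceIP, DestinationIP, DestinationPort, DeviceAction,
          IndicatorId, ThreatType, ConfidenceScore, Description,
          IndicatorSeen = TimeGenerated1,   // right-side TimeGenerated is renamed by the join
          ExpirationDateTime
| order by FirewallTime desc
```

The rule's own "lookup data from the last" setting still bounds what the query can see, so set it to cover ioc_lookBack (Sentinel caps that setting at 14 days) while the fw_lookBack filter inside the query keeps the firewall side to 5 hours.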