Threat Intelligence - MS Security Graph

Hi community,

I am integrating Azure Sentinel into our test environment and I also want to use TI feeds from MS Security Graph. I read a lot but I can't find tangible instructions to activate the feeds.

I have done these steps:

1) Register an application in Azure Active Directory.

2) Configure permissions and be sure to add the ThreatIndicators.ReadWrite.OwnedBy permission to the application.

3) Ask your Azure AD tenant administrator to grant consent to the application.

How can I configure step 4 regarding Microsoft Security Graph? Thanks a lot!

4) Configure your TIP or other integrated application to push indicators to Azure Sentinel by specifying the following:

a. The application ID and secret you received when registering the app (step 1 above). 

b. Set “Azure Sentinel” as the target.

c. Set an action for each indicator - ‘alert’ is most relevant for Azure Sentinel use cases 
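
What step 4 amounts to when the "integrated application" is your own script, as an added example that is not part of the original post and is not Microsoft's code. It assumes the Microsoft Graph beta tiIndicators endpoint and the Azure AD v2.0 client-credentials token endpoint; the tenant ID, domain, threat type, TLP level and the environment variable name TI_APP_SECRET are constructed placeholders.

```python
import json
import os
from datetime import datetime, timedelta, timezone
from urllib import parse, request

# Assumed endpoints: Azure AD v2.0 token endpoint and Graph beta tiIndicators.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

def token_request(tenant_id, app_id, app_secret):
    """Step 4a: client-credentials request using the app ID and secret from step 1."""
    body = parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")

def build_indicator(domain, description, days_valid=30, now=None):
    """Steps 4b and 4c: target "Azure Sentinel", action "alert"."""
    if not domain or any(c in domain for c in "/: "):
        raise ValueError("expected a bare domain name, not a URL")
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(days=days_valid)
    return {
        "targetProduct": "Azure Sentinel",
        "action": "alert",
        "domainName": domain,
        "threatType": "WatchList",   # constructed sample value
        "tlpLevel": "amber",         # constructed sample value
        "description": description,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

def indicator_request(access_token, indicator):
    """POST carrying one indicator; needs ThreatIndicators.ReadWrite.OwnedBy (step 2)."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return request.Request(TI_URL, data=json.dumps(indicator).encode(),
                           headers=headers, method="POST")

def push(tenant_id, app_id, indicator):
    """Send both requests; the secret comes from the environment, not the source."""
    secret = os.environ["TI_APP_SECRET"]  # hypothetical variable name
    with request.urlopen(token_request(tenant_id, app_id, secret)) as resp:
        token = json.load(resp)["access_token"]
    with request.urlopen(indicator_request(token, indicator)) as resp:
        return json.load(resp)
```

Because the permission is scoped OwnedBy, the application can only read and change the indicators it submitted itself.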
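1 Reply

Re: Threat Intelligence - MS Security Graph

@Garfield-P

Did you look into those guides and examples?

- Webinar: YouTube (https://youtu.be/zfoVe4iarto), MP4 (https://1drv.ms/v/s!AnEPjr8tHcNmgi8zazMLahRyycPf), Presentation (https://1drv.ms/b/s!AnEPjr8tHcNmgi0pABN930p56id_)
- "bring your threat intelligence to Azure Sentinel." (https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentinel/ba-p/1167546)
- "Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel" (https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-alien-vault-otx-threat-indicators-into-azure-sentinel/ba-p/1086566)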