Microsoft Sentinel is a cloud native SIEM that offers various options to import threat intelligence data and use them for hunting, investigation, analytics etc. Some of the ways to import rich threat intelligence data into Microsoft Sentinel include the Threat Intelligence - TAXII data connector and Threat Intelligence Platforms (TIP) connector.
Microsoft Sentinel was one of the early adopters of STIX/TAXII as the preferred way to import threat intelligence data. Microsoft Sentinel “Threat Intelligence -TAXII” connector uses the TAXII protocol for sharing data in STIX format. This data connector supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence – TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.
Anomali ThreatStream offered integrations with Microsoft Sentinel in the past using the ThreatStream integrator and leveraging the power of the Graph Security API and TIP data connector of Microsoft Sentinel.
Today we are announcing our integration with Anomali ThreatStream, which allows you to get threat intelligence data from Anomali ThreatStream into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector.
Microsoft Sentinel benefits with Anomali ThreatStream
Anomali ThreatStream allows you to automate threat data collection from hundreds of threat sources, including commercial vendors, OSINT, ISACs and more, to deliver a single high fidelity set of threat intelligence at scale.
This intelligence is aggregated, scored and categorized by Anomali Macula, a proprietary machine learning engine, fully preparing the intelligence for operationalizing in your downstream security tools. You can choose between configuring your integrations to send only high confidence, high severity observables, or focus instead on observables that are associated with known threat actors, active malware campaigns, or a number of other Threat Models.
Pushing these filtered, prioritized observables to Microsoft Sentinel via TAXII allows you to correlate events within your network against high fidelity intelligence and proactively identify threats against your organization.
Connecting Microsoft Sentinel to Anomali ThreatStream TAXII Server
To connect Microsoft Sentinel to Anomali ThreatStream’s TAXII Server, obtain the API Root, Collection ID, Username and Password from Anomali.
ThreatStream allows you to configure Saved Searches against your observables set, and these are automatically provided as TAXII collections for consumption by TAXII clients.
Once you’ve configured a saved search, navigate to the Manage Observable Searches page, and identify the ID of the desired search.
You can then use the following details to configure the TAXII data connector:
- API Root: https://api.threatstream.com/api/v1/taxii21/search_filters/
- Collection ID: <Saved Search ID>
- Username & Password: The ThreatStream Username & Password of the user who configured the saved search.
For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation.
Put Anomali threat intelligence to use in Microsoft Sentinel
Once the threat intelligence from Anomali ThreatStream is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytic rules in Microsoft Sentinel. These completely customizable analytics rules used to match threat indicators with your event data all have names beginning with, ‘TI map’.
To learn how to enable and create analytic rules, follow the steps mentioned in this documentation.
You can also create customized dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the Anomali ThreatStream feed.
Hope this article has helped you understand the advantages of importing the Anomali ThreatStream feed into Microsoft Sentinel and use it to protect your organization.