Azure Sentinel provides two built in data connectors for importing threat intelligence, the Threat Intelligence – TAXII data connector, and the Threat Intelligence – Platforms data connector. These data connectors are suitable for most use cases – as explained in our previous detailed blog. However, some open source threat intelligence is shared as text-based files which cannot be accessed directly from these data connectors. This blog describes how to use Azure Sentinel Playbooks to obtain text-based threat indicators from an online source, and import them directly into the ThreatIntelligenceIndicator table where they can be used by all the built-in Sentinel analytics templates to generate security incidents.
The Playbooks described in this post were created to allow Azure Sentinel customers to import Microsoft’s COVID-19 related threat indicators published on GitHub. However, these Playbooks can easily be modified to point to any other source of a text-based indicator feed.
These Azure Sentinel Playbooks work in tandem to read indicators from a source location and import the indicators to the ThreatIntelligenceIndicator table in Logs. Let’s take a closer look at the functionality of each Playbook.
Playbook 1 (C19IndicatorProcessor)
C19IndicatorProcessor Playbook performs the following steps:
- Triggered on a defined schedule
- Reads the indicators from GitHub
- Transforms the indicators from the text-based source to the appropriate tiIndicator JSON format
- Uses the Batch action to send the indicators to the second Playbook (C19ImportToSentinel)
Playbook 2 (C19ImportToSentinel)
C19ImportToSentinel Playbook performs the following steps:
- Begins with a Batch Messages trigger to receive indicators sent by the first Playbook (C19IndiatorProcessor) and groups the indicators into batches of 10
- Submits each batch of indicators to Azure Sentinel using the Microsoft Graph Security Logic App connector
Deploy the Playbooks to Azure Sentinel
The Playbook templates can be downloaded from GitHub at this location. It is important to deploy the C19ImportToSentinel Playbook before deploying the C19IndicatorProcessor playbook. Since these Playbooks rely on the Batch action, there is a natural dependency created between the two Playbooks. The C19IndicatorProcessor Playbook has a reference to the Batch endpoint published by the C19ImportToSentinel Playbook.
Follow these steps to deploy the two Playbooks to your Azure Sentinel instance.
1. Open the Azure portal and search for and select, Deploy a custom template.
2. Select, Build your own template in the editor from the list of options.
3. In the Edit template window, replace the default JSON with the contents of the C19ImportToSentinel.json template file and select Save.
4. In the Custom deployment window, select the Resource Group where you have your Azure Sentinel instance, and under Settings, input your user name which will be used to deploy the Playbook, and select Purchase.
Note: It is highly recommended to leave the Playbook Name to the default setting. However, if you rename the Playbook you will need to reference this new name when deploying the second Playbook.
Note: While the confirmation button is labeled Purchase, there is no charges associated with obtaining these Playbooks.
5. After a minute or two the Playbook will be visible under Azure Sentinel Playbooks.
6. Repeat these same steps (1-5) for the C19IndicatorProcessor Playbook with the only difference being on step (4) there is an additional option under Settings where you will input the name you used for the first Playbook you deployed.
Once deployed there is a final configuration step to import the threat indicators. The C19ImportToSentinel includes an action to submit the indicators to Azure Sentinel using the Microsoft Graph Security API. In order to receive the indicators in your Azure Sentinel instance, you will need to enable the Threat Intelligence - Platforms data connector.
Also, you will need to open the C19ImportToSentinel Playbook and configure the connection for the Submit multiple tiIndicators action as shown below.
Configuring this connection you will be asked to login to Azure Active Directory and consent for the permissions needed for the Playbook to submit threat indicators to the Graph Security API. You need to authenticate with as a user with an Azure Active Directory Limited Administrator Role of Global Administrator.
Once deployed to your Azure Sentinel instance, these Playbooks will operate in tandem to import indicators on a regular schedule so you will always have the latest threat intelligence data provided by the source. This post covered an example source from Microsoft for COVID-19 indicators hosted on GitHub but you can easily modify the HTTP action to point to a different text-based indicator feed, and update the Select action to parse the original text-based feed into tiIndicators format for import into Azure Sentinel.