cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

MiteshAgrawal
Brass Contributor

‎Jan 30 2020 11:41 AM

‎Jan 30 2020 11:41 AM

How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

Hi Team,

 

I am very new to Azure Sentinel and want to integrate custom threat intelligence from our company's website.

 

If I download the TI feeds from our website and paste it somewhere on my local machine, then how can I update those feeds in Active lists (or similar in Sentinel) and call them against rules.

 

Also if this can be automatically done, I mean in ArcSight the connector reads IOCs from excel and sends it to ESM and adds the IOCs in Active lists, can the same be done in Azure Sentinel or something similar?

 

Thanks in Advance.


Regards,

Mitesh Agrawal

2,893 Views
0 Likes
5 Replies
Reply
5 Replies
MiteshAgrawal

‎Jan 30 2020 09:34 PM

‎Jan 30 2020 09:34 PM

Re: How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

Hi @rodtrent,

 

Thanks for your quick reply.

 

The link you shared is really helpful. Will try to integrate our TI feeds with Sentinel with the help of the steps provided in the link.

 

Also, how can I create a list and manually upload the IOCs if that is what my requirement is? Do we have some steps for that? In KQL with makelist we can create a list and can populate data from the previous results, can we do something similar and manually upload the IOCs?

 

Thanks in Advance.

 

Regards,

Mitesh Agrawal 

0 Likes
Reply
MiteshAgrawal

‎Feb 02 2020 09:58 PM

‎Feb 02 2020 09:58 PM

Re: How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

Hi Gary,

How can I achieve my requirement without using BLOB storage? Can I do this from my local system? Or by pasting the feeds manually in a list?
0 Likes
Reply
thomasdefise

‎Feb 03 2020 03:09 AM - edited ‎Feb 03 2020 03:11 AM

‎Feb 03 2020 03:09 AM - edited ‎Feb 03 2020 03:11 AM

Re: How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

@MiteshAgrawal You can also ingest feeds using the Microsoft Graph API using the tiIndicator.
https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta

There has been a PoC here https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-alien-vault-otx-threat-indicators-in...
-> Make sure to give the correct right to your app registration to interact with the Threat Intelligence IoC table (something like "ThreatIndicators.ReadWrite.OwnedBy", to be verified).

If it's a publicly available feeds such as AlienVault, dnsbl.info, ... I would be more to welcome to contribute during my freetime in order to help the community.

Thomas

0 Likes
Reply