How to integrate custom threat intelligence feeds and populate them in lists in Azure Sentinel?

Hi Team,

I am very new to Azure Sentinel and want to integrate custom threat intelligence from our company's website.

If I download the TI feeds from our website and paste them somewhere on my local machine, then how can I update those feeds in Active lists (or similar in Sentinel) and call them against rules?

Also, can this be done automatically? I mean, in ArcSight the connector reads IOCs from Excel, sends them to ESM and adds the IOCs to Active lists; can the same be done in Azure Sentinel, or something similar?

Thanks in Advance.

Regards,

Mitesh Agrawal

5 Replies

@MiteshAgrawal Have you looked through the following yet?

https://docs.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence#connect-azure-sentinel-to-your-threat-intelligence-platform

Hi @rodtrent,

Thanks for your quick reply.

The link you shared is really helpful. Will try to integrate our TI feeds with Sentinel with the help of the steps provided in the link.

Also, how can I create a list and manually upload the IOCs if that is what my requirement is? Do we have some steps for that? In KQL with makelist we can create a list and can populate data from the previous results, can we do something similar and manually upload the IOCs?

Thanks in Advance.

Regards,

Mitesh Agrawal

@MiteshAgrawal For this part, look at https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306 on how to use Azure Blob storage as an external source for KQL queries.

Hi Gary,

How can I achieve my requirement without using BLOB storage? Can I do this from my local system? Or by pasting the feeds manually in a list?

@MiteshAgrawal You can also ingest feeds using the Microsoft Graph API, via the tiIndicator resource.
https://docs.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta

There has been a PoC here: https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-alien-vault-otx-threat-indicators-into-azure-sentinel/ba-p/1086566
-> Make sure to give the correct rights to your app registration to interact with the Threat Intelligence IoC table (something like "ThreatIndicators.ReadWrite.OwnedBy", to be verified).

If it's a publicly available feed such as AlienVault, dnsbl.info, ... I would be more than welcome to contribute during my free time in order to help the community.

Thomas
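The approach Thomas describes, as an added example that is not part of the thread or of the linked PoC: a local CSV feed (constructed sample below) is validated and mapped onto tiIndicator objects, then submitted in one bulk call to the Graph beta endpoint. The CSV column names, the 30-day expiry and the use of `alert` rather than `block` are assumptions for the example; you still need an app registration with the permission Thomas mentions and a bearer token obtained for it.

```python
import csv, io, ipaddress, json, re, urllib.request
from datetime import datetime, timedelta, timezone

# Graph beta bulk endpoint for tiIndicator objects (the app needs ThreatIndicators.ReadWrite.OwnedBy).
GRAPH_TI_BULK = "https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators"

# Constructed sample feed in the shape a downloaded CSV might have; the last row is deliberately bad.
SAMPLE_FEED = """type,value,description
ip,203.0.113.10,constructed sample C2 address
domain,example.invalid,constructed sample phishing domain
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed sample hash
ip,not-an-ip,malformed row that must be rejected
"""

def _observable(kind, value):
    """Map a feed row onto the tiIndicator observable field(s); None if the value is malformed."""
    value = value.strip().lower()
    if kind == "ip":
        try:
            return {"networkDestinationIPv4": str(ipaddress.IPv4Address(value))}
        except ValueError:
            return None
    if kind == "domain" and re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
        return {"domainName": value}
    if kind == "sha256" and re.fullmatch(r"[0-9a-f]{64}", value):
        return {"fileHashType": "sha256", "fileHashValue": value}
    return None

def build_indicators(feed_text, days_valid=30):
    """Turn a CSV feed into tiIndicator payloads; returns (payloads, rejected_values)."""
    expires = (datetime.now(timezone.utc) + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    payloads, rejected = [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        obs = _observable(row["type"].strip().lower(), row["value"])
        if obs is None:
            rejected.append(row["value"])
            continue
        payloads.append({"action": "alert",  # alert, never block, from an unverified feed
                         "description": row["description"], "expirationDateTime": expires,
                         "targetProduct": "Azure Sentinel", "threatType": "WatchList",
                         "tlpLevel": "amber", **obs})
    return payloads, rejected

def submit_indicators(payloads, access_token):
    """POST all payloads in one bulk request and return Graph's JSON response."""
    req = urllib.request.Request(GRAPH_TI_BULK, data=json.dumps({"value": payloads}).encode(),
                                 method="POST", headers={"Authorization": f"Bearer {access_token}",
                                                         "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Once submitted, the indicators appear in the ThreatIntelligenceIndicator table and can be joined against your log tables in analytics rules, which answers the "call them against rules" part of the original question.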