TAXII Data Connector - Provider requires a whitelisted IP


Good day,

Just getting started with Sentinel, playing around a bit within a fairly constrained budget. But so far it's been going pretty good.

I'm looking at integrating some threat intelligence from our security partners. One in particular is hosting a TAXII feed, and they require a whitelisted IP in their system to connect. From what I can see, there's no way for me to determine the IP(s) being used when Sentinel connects via TAXII. This partner has mentioned they may be able to tail the logs to find out which IP I'm using, but I'm not sure how effective that will be, considering Sentinel lives in the cloud and I won't know one day to the next where the traffic will be coming from.

Is there a way to reliably determine the source IP(s) for the TAXII connection?

 

Thanks!

1 Reply

@cursor500:

 

Tagging @Jason Wescott, the PM in charge of TI at Azure Sentinel, to comment.

 

~ Ofer