Microsoft Sentinel is a cloud native SIEM that offers a variety of options to import threat intelligence data that can be used for hunting, investigation and other analysis. There are three ways to import rich threat intelligence data into Microsoft Sentinel – using the Threat Intelligence TAXII data connector, Threat Intelligence Platform (TIP) connector or importing indicators of compromise or attack using a flat file.
Microsoft Sentinel was an early adopter of STIX/TAXII as the preferred way to import threat intelligence data. Microsoft Sentinel “Threat Intelligence -TAXII” connector uses the TAXII protocol for sharing data in STIX format. This data connector supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence – TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.
Today we are announcing our integration with CYFIRMA, which allows organizations to import curated threat intelligence data from CYFIRMA into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector.
Microsoft Sentinel Benefits with CYFIRMA External Threat Landscape Insights:
With CYFIRMA’s External Threat Landscape Management insights, the Sentinel platform is enriched with personalized and actionable insights to help security leaders mitigate risk and prevent the impact of a cyber-attack. The threat intelligence provided by CYFIRMA uncovers external attack surfaces that hackers can use to penetrate the organization, highlight exploitable vulnerabilities, and recommends remedial actions to help strengthen the organization's cyber posture.
Unlike generic threat feeds, the intelligence from CYFIRMA reduces noise as it is tailored to an organization’s industry, geography, and technology ecosystem. By reducing this noise overload, security operations teams can focus on the validated high-severity threats.
These contextual insights help organizations understand the threat actor, motive, campaign, and methods so security teams can be adequately prepared to mitigate risk and reduce the impact of an attack. CYFIRMA’s External Threat Landscape Management insights provide an outside-in view of an organizations and is the underpinning foundation for cyber controls, enabling seamless integration into security tools such as Sentinel that drive insights and remediate risks rapidly. With CYFIRMA’s intelligence, users of Sentinel will be equipped with detection, protection, monitoring, and response capabilities that can be used to automate everyday tasks that enable organizations to stay ahead of cybercriminals.
DeCYFIR TI Feeds creation process
The core capabilities of DeCYFIR that can be combined with MS sentinel are:
Associated IOCs:
Rich data on the tactics, techniques and procedures used by threat actors with IOC specific remediation steps and tactical execution recommendations. These can be used for threat hunting, investigation, and analysis of threats.
Connecting Microsoft Sentinel to CYFIRMA TAXII Server
To connect Microsoft Sentinel to CYFIRMA TAXII Server, you will need the API Root, Collection ID, Username and Password from CYFIRMA. Please contact CYFIRMA at contact@cyfirma.com to request your trial or commercial access.
For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to - Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds.
Put CYFIRMA Threat Intelligence to use in Microsoft Sentinel
Once the CYFIRMA threat intelligence is imported into Microsoft Sentinel it can used to enrich your existing data sources using the out-of-the-box analytic rules in Microsoft Sentinel. These completely customizable analytics rules are used to match threat indicators with your event data, for faster identification and response times. To learn how to enable and create analytic rules within Microsoft Sentinel, follow these steps - Use threat indicators in analytics rules.
You can also create customized dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the CYFIRMA feed. You can read more about the out-of-the-box threat intelligence workbook here – Microsoft Sentinel Threat Intelligence Workbook.
Reach out to CYFIRMA to learn further how their Threat Intelligence can keep you and your organization ahead of threat actors - contact@cyfirma.com