Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

Note

For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.

See also: Connect your threat intelligence platform (TIP) to Azure Sentinel

The most widely adopted industry standard for the transmission of threat intelligence is a combination of the STIX data format and the TAXII protocol. If your organization receives threat indicators from solutions that support the current STIX/TAXII version (2.0 or 2.1), you can use the Threat Intelligence - TAXII data connector to bring your threat indicators into Azure Sentinel. This connector enables a built-in TAXII client in Azure Sentinel to import threat intelligence from TAXII 2.x servers.

(Figure: TAXII import path)

Learn more about Threat Intelligence in Azure Sentinel, and specifically about the TAXII threat intelligence feeds that can be integrated with Azure Sentinel.

Prerequisites

  • You must have read and write permissions to the Azure Sentinel workspace to store your threat indicators.
  • You must have a TAXII 2.0 or TAXII 2.1 API Root URI and Collection ID.

Instructions

Follow these steps to import STIX-formatted threat indicators into Azure Sentinel from a TAXII server:

  1. Get the TAXII server API Root and Collection ID

  2. Enable the Threat Intelligence - TAXII data connector in Azure Sentinel

Get the TAXII server API Root and Collection ID

TAXII 2.x servers advertise API Roots, which are URLs that host Collections of threat intelligence. You can usually find the API Root and the Collection ID in the documentation pages of the threat intelligence provider hosting the TAXII server.

Note

In some cases, the provider will only advertise a URL called a Discovery Endpoint. You can use the cURL utility to browse the discovery endpoint and request the API Root, as detailed below.

Enable the Threat Intelligence - TAXII data connector in Azure Sentinel

To import threat indicators into Azure Sentinel from a TAXII server, follow these steps:

  1. From the Azure portal, navigate to the Azure Sentinel service.

  2. Choose the workspace to which you want to import threat indicators from the TAXII server.

  3. Select Data connectors from the menu, select Threat Intelligence - TAXII from the connectors gallery, and select the Open connector page button.

  4. Enter a friendly name for this TAXII server Collection, the API Root URL, the Collection ID, a Username (if required), and a Password (if required), and choose the group of indicators and the polling frequency you want. Select the Add button.

    (Figure: Configure TAXII servers)

You should receive confirmation that a connection to the TAXII server was established successfully, and you may repeat the last step above as many times as you want, to connect to multiple Collections from one or more TAXII servers.

Within a few minutes, threat indicators should begin flowing into this Azure Sentinel workspace. You can find the new indicators in the Threat intelligence blade, accessible from the Azure Sentinel navigation menu.

Find the API Root

Here's an example of how to use the cURL command line utility, which is provided in Windows and most Linux distributions, to discover the API Root and browse the Collections of a TAXII server, given only the discovery endpoint. Using the discovery endpoint of the Anomali Limo ThreatStream TAXII 2.0 server, you can request the API Root URI and then the Collections.

  1. From a browser, navigate to the ThreatStream TAXII 2.0 server discovery endpoint at https://limo.anomali.com/taxii to retrieve the API Root. Authenticate with the username guest and the password guest.

    You will receive the following response:

    {
        "api_roots":
        [
            "https://limo.anomali.com/api/v1/taxii2/feeds/",
            "https://limo.anomali.com/api/v1/taxii2/trusted_circles/",
            "https://limo.anomali.com/api/v1/taxii2/search_filters/"
        ],
        "contact": "info@anomali.com",
        "default": "https://limo.anomali.com/api/v1/taxii2/feeds/",
        "description": "TAXII 2.0 Server (guest)",
        "title": "ThreatStream Taxii 2.0 Server"
    }
    
  2. Use the cURL utility and the API Root (https://limo.anomali.com/api/v1/taxii2/feeds/) from the previous response, appending "collections/" to the API Root to browse the list of Collection IDs hosted on the API Root:

    curl -u guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/
    

    After authenticating again with the password "guest", you will receive the following response:

    {
        "collections":
        [
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "107",
                "title": "Phish Tank"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "135",
                "title": "Abuse.ch Ransomware IPs"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "136",
                "title": "Abuse.ch Ransomware Domains"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "150",
                "title": "DShield Scanning IPs"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "200",
                "title": "Malware Domain List - Hotlist"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "209",
                "title": "Blutmagie TOR Nodes"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "31",
                "title": "Emerging Threats C&C Server"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "33",
                "title": "Lehigh Malwaredomains"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "41",
                "title": "CyberCrime"
            },
            {
                "can_read": true,
                "can_write": false,
                "description": "",
                "id": "68",
                "title": "Emerging Threats - Compromised"
            }
        ]
    }
    

You now have all the information you need to connect Azure Sentinel to one or more TAXII server Collections provided by Anomali Limo.

| API Root (https://limo.anomali.com/api/v1/taxii2/feeds/) | Collection ID |
|---|---|
| Phish Tank | 107 |
| Abuse.ch Ransomware IPs | 135 |
| Abuse.ch Ransomware Domains | 136 |
| DShield Scanning IPs | 150 |
| Malware Domain List - Hotlist | 200 |
| Blutmagie TOR Nodes | 209 |
| Emerging Threats C&C Server | 31 |
| Lehigh Malwaredomains | 33 |
| CyberCrime | 41 |
| Emerging Threats - Compromised | 68 |
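The two cURL steps above can be scripted so the API Root and Collection IDs are gathered in one pass. The following Python is an added example and is not part of the original article or of Azure Sentinel; it uses only the standard library and sends the TAXII 2.0 media type in the Accept header, which the TAXII 2.0 specification requires (TAXII 2.1 servers expect "application/taxii+json;version=2.1" instead). The embedded sample responses are copied from the article, except for the "can_read": false collection, which is constructed to show how collections the account cannot read are dropped. Because urljoin replaces the last path segment when the base URL lacks a trailing slash, the helpers normalise the API Root before appending "collections/".

```python
"""Added example (not from the article): discover a TAXII 2.0 server's API Roots
and Collections programmatically, mirroring the two cURL steps above.

Only the standard library is used. The sample responses are copied from the
article, except for the "can_read": false entry, which is constructed to show
how unreadable collections are dropped.
"""
import base64
import json
import urllib.request
from urllib.parse import urljoin

# TAXII 2.0 servers expect this media type in the Accept header
# (TAXII 2.1 uses "application/taxii+json;version=2.1").
TAXII20_ACCEPT = "application/vnd.oasis.taxii+json; version=2.0"

# Discovery response as shown in step 1 of the article.
DISCOVERY_SAMPLE = {
    "api_roots": [
        "https://limo.anomali.com/api/v1/taxii2/feeds/",
        "https://limo.anomali.com/api/v1/taxii2/trusted_circles/",
        "https://limo.anomali.com/api/v1/taxii2/search_filters/",
    ],
    "contact": "info@anomali.com",
    "default": "https://limo.anomali.com/api/v1/taxii2/feeds/",
    "description": "TAXII 2.0 Server (guest)",
    "title": "ThreatStream Taxii 2.0 Server",
}

# Abbreviated collections response from step 2; the last entry is constructed.
COLLECTIONS_SAMPLE = {
    "collections": [
        {"can_read": True, "can_write": False, "description": "", "id": "107", "title": "Phish Tank"},
        {"can_read": True, "can_write": False, "description": "", "id": "135", "title": "Abuse.ch Ransomware IPs"},
        {"can_read": False, "can_write": False, "description": "", "id": "999", "title": "Constructed private collection"},
    ]
}


def _with_slash(url):
    """urljoin replaces the last path segment unless the base ends in '/',
    so normalise the API Root to make 'feeds' and 'feeds/' behave alike."""
    return url if url.endswith("/") else url + "/"


def taxii_get(url, username=None, password=None, timeout=30):
    """GET a TAXII resource with HTTP Basic auth and the TAXII media type."""
    req = urllib.request.Request(url, headers={"Accept": TAXII20_ACCEPT})
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def pick_api_root(discovery):
    """Return the server's default API Root, or the first advertised one."""
    roots = discovery.get("api_roots") or []
    root = discovery.get("default") or (roots[0] if roots else None)
    if root is None:
        raise ValueError("discovery response advertises no API Roots")
    return _with_slash(root)


def collections_url(api_root):
    """Step 2 of the article: append 'collections/' to the API Root."""
    return urljoin(_with_slash(api_root), "collections/")


def objects_url(api_root, collection_id):
    """Endpoint a TAXII client polls for the STIX objects in one collection."""
    return urljoin(_with_slash(api_root), f"collections/{collection_id}/objects/")


def connector_rows(api_root, collections_doc):
    """(API Root, Collection ID, title) for every readable collection: the
    values the Threat Intelligence - TAXII connector form asks for.
    Collections the account cannot read are skipped."""
    api_root = _with_slash(api_root)
    return [
        (api_root, c["id"], c["title"])
        for c in collections_doc.get("collections", [])
        if c.get("can_read")
    ]


def discover(discovery_url, username=None, password=None):
    """Full walk: discovery endpoint -> default API Root -> readable collections."""
    discovery = taxii_get(discovery_url, username, password)
    api_root = pick_api_root(discovery)
    collections = taxii_get(collections_url(api_root), username, password)
    return connector_rows(api_root, collections)


if __name__ == "__main__":
    # Live walk of the Anomali Limo guest server used in the article.
    for root, cid, title in discover("https://limo.anomali.com/taxii", "guest", "guest"):
        print(f"{title:40s} {cid:>5s}  {root}")
```

Run as a script it reproduces the table above from the live guest server; imported, the pure functions work offline on the embedded samples. Only collections with "can_read": true are returned, because the Sentinel connector needs read access and nothing more.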

Next steps

In this document, you learned how to connect Azure Sentinel to threat intelligence feeds using the TAXII protocol. To learn more about Azure Sentinel, see the following articles.