Threat intelligence integration in Azure Sentinel
Azure Sentinel gives you a few different ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats.
You can use one of many available integrated threat intelligence platform (TIP) products, you can connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source, and you can also make use of any custom solutions that can communicate directly with the Microsoft Graph Security tiIndicators API.
You can also connect to threat intelligence sources from playbooks, in order to enrich incidents with TI information that can help direct investigation and response actions.
If you have multiple workspaces in the same tenant, such as for Managed Service Providers (MSSPs), it may be more cost effective to connect threat indicators only to the centralized workspace.
When you have the same set of threat indicators imported into each separate workspace, you can run cross-workspace queries to aggregate threat indicators across your workspaces. Correlate them within your MSSP incident detection, investigation, and hunting experience.
TAXII threat intelligence feeds
To connect to TAXII threat intelligence feeds, follow the instructions to connect Azure Sentinel to STIX/TAXII threat intelligence feeds, together with the data supplied by each vendor linked below. You may need to contact the vendor directly to obtain the necessary data to use with the connector.
- Learn about Cybersixgill integration with Azure Sentinel @Cybersixgill
- To connect Azure Sentinel to Cybersixgill TAXII Server and get access to Darkfeed, contact Cybersixgill to obtain the API Root, Collection ID, Username and Password.
Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Join FS-ISAC to get the credentials to access this feed.
Health intelligence sharing community (H-ISAC)
- Join the H-ISAC to get the credentials to access this feed.
- Learn more about the IntSights integration with Azure Sentinel @IntSights
- To connect Azure Sentinel to the IntSights TAXII Server, obtain the API Root, Collection ID, Username and Password from the IntSights portal after you configure a policy of the data you wish to send to Azure Sentinel.
Integrated threat intelligence platform products
To connect to Threat Intelligence Platform (TIP) feeds, follow the instructions to connect Threat Intelligence platforms to Azure Sentinel. The second part of these instructions calls for you to enter information into your TIP solution. See the links below for more information.
Agari Phishing Defense and Brand Protection
- To connect Agari Phishing Defense and Brand Protection, use the built-in Agari data connector in Azure Sentinel.
- To download ThreatStream Integrator and Extensions, and the instructions for connecting ThreatStream intelligence to the Microsoft Graph Security API, see the ThreatStream downloads page.
AlienVault Open Threat Exchange (OTX) from AT&T Cybersecurity
- AlienVault OTX makes use of Azure Logic Apps (playbooks) to connect to Azure Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
- EclecticIQ Platform integrates with Azure Sentinel to enhance threat detection, hunting and response. Learn more about the benefits and use cases of this two-way integration.
GroupIB Threat Intelligence and Attribution
- To connect GroupIB Threat Intelligence and Attribution to Azure Sentinel, GroupIB makes use of Azure Logic Apps. See the specialized instructions necessary to take full advantage of the complete offering.
MISP Open Source Threat Intelligence Platform
- For a sample script that provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API, see the MISP to Microsoft Graph Security Script.
- Learn more about the MISP Project.
Palo Alto Networks MineMeld
- To configure Palo Alto MineMeld with the connection information to Azure Sentinel, see Sending IOCs to the Microsoft Graph Security API using MineMeld and skip to the MineMeld Configuration heading.
Recorded Future Security Intelligence Platform
- Recorded Future makes use of Azure Logic Apps (playbooks) to connect to Azure Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
- See the Microsoft Graph Security Threat Indicators Integration Configuration Guide for instructions to connect ThreatConnect to Azure Sentinel.
ThreatQuotient Threat Intelligence Platform
- See Microsoft Sentinel Connector for ThreatQ integration for support information and instructions to connect ThreatQuotient TIP to Azure Sentinel.
Incident enrichment sources
Besides being used to import threat indicators, threat intelligence feeds can also serve as a source to enrich the information in your incidents and provide more context to your investigations. The following feeds serve this purpose, and provide Logic App playbooks to use in your automated incident response.
- Find and enable incident enrichment playbooks for HYAS Insight in the Azure Sentinel GitHub repository. Search for subfolders beginning with "Enrich-Sentinel-Incident-HYAS-Insight-".
- See the HYAS Insight Logic App connector documentation.
Recorded Future Security Intelligence Platform
- Find and enable incident enrichment playbooks for Recorded Future in the Azure Sentinel GitHub repository. Search for subfolders beginning with "RecordedFuture_".
- See the Recorded Future Logic App connector documentation.
- Find and enable incident enrichment playbooks for ReversingLabs in the Azure Sentinel GitHub repository.
- See the ReversingLabs Intelligence Logic App connector documentation.
RiskIQ Passive Total
- Find and enable incident enrichment playbooks for RiskIQ Passive Total in the Azure Sentinel GitHub repository. Search for subfolders beginning with "Enrich-SentinelIncident-RiskIQ-".
- See more information on working with RiskIQ playbooks.
- See the RiskIQ PassiveTotal Logic App connector documentation.
- Find and enable incident enrichment playbooks for Virus Total in the Azure Sentinel GitHub repository. Search for subfolders beginning with "Get-VirusTotal" and "Get-VTURL".
- See the Virus Total Logic App connector documentation.
In this document, you learned how to connect your threat intelligence provider to Azure Sentinel. To learn more about Azure Sentinel, see the following articles.
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.