Bring Threat Intelligence from IntSights Using TAXII Data Connector
Published Jan 20 2021 01:47 PM 122K Views
Microsoft

Azure Sentinel provides multiple ways to import threat intelligence into the product. Threat intelligence imported into Azure Sentinel lands in the ThreatIntelligenceIndicator Log Analytics table and is also made available on the Threat Intelligence blade. The imported threat intelligence can then be used in various parts of the product, such as hunting, investigation, analytics, and workbooks.

One of the ways to bring threat intelligence into Azure Sentinel is the Threat Intelligence – TAXII data connector. This data connector uses the TAXII protocol for sharing data in STIX format and enables a built-in TAXII client in Azure Sentinel to import threat intelligence from TAXII 2.x servers.


Today we are announcing the availability of the IntSights TAXII Server, which allows you to get threat data from IntSights into Azure Sentinel using the Threat Intelligence – TAXII Data connector.


IntSights + Microsoft Azure Sentinel Solution

The IntSights and Azure Sentinel integration allows customers to gain visibility on indicators of compromise that directly target their unique digital footprints based on monitoring of thousands of sources across the clear, deep, and dark web to identify threats. With the IntSights intelligence feed, users can proactively block threats before they impact their environments and get instant visibility on those threats within Azure Sentinel.

In addition, users can leverage this integration to get enriched IOCs with additional context about the IOC like threat actor, malware, and campaign information. Users can further pivot to the IntSights Investigation module to gain additional visibility and context to protect their organizations.


Microsoft Azure Sentinel benefits with IntSights feed

The Azure Sentinel and IntSights integration enables analysts in the Security Operation Center (SOC) to gain visibility into thousands of indicators of compromise with contextual information. This integration also provisions dashboards in the form of Azure Sentinel workbooks detailing event data associated with the IOCs found in your environment.

This blog will walk you through the process of connecting the IntSights TAXII Server to Azure Sentinel.


Connecting Azure Sentinel to the IntSights TAXII Server

To connect Azure Sentinel to the IntSights TAXII Server, obtain the API Root, Collection ID, Username and Password from the IntSights portal after you configure a policy of the data you wish to send to Azure Sentinel.
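Before entering the four values into the connector, it helps to understand what the built-in TAXII client does with them: it sends an authenticated GET to the collection's objects endpoint under the API Root and pages through the returned STIX envelope. The following is an added example, not Microsoft's or IntSights' code, of that poll in Python. The endpoint path and parameters are those of the TAXII 2.1 specification; the mock server at the bottom is constructed so the example runs offline, and the user name, password and collection id are placeholders, not IntSights values.

```python
"""TAXII 2.1 collection poll, added here as an illustration of what the
built-in Azure Sentinel TAXII client does with the API Root, Collection ID,
username and password obtained from IntSights. Example code, not Microsoft's
or IntSights' implementation. The mock server at the bottom is constructed
so the demo runs offline; the real endpoint is the IntSights API Root."""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def fetch_collection_objects(api_root, collection_id, username, password, added_after=None):
    """Return every STIX object in the collection, following TAXII 2.1 'next' pagination.

    Raises urllib.error.HTTPError on 401/403, which is the first thing to check
    when the Sentinel connector reports that it cannot connect.
    """
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": TAXII_MEDIA_TYPE, "Authorization": "Basic " + creds}
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    objects, next_token = [], None
    while True:
        params = []
        if added_after:
            params.append("added_after=" + added_after)  # only objects added since the last poll
        if next_token:
            params.append("next=" + next_token)          # server-issued pagination token
        url = base + ("?" + "&".join(params) if params else "")
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            envelope = json.load(resp)                   # TAXII 2.1 envelope: more / next / objects
        objects.extend(envelope.get("objects", []))
        if not envelope.get("more"):
            return objects
        next_token = envelope["next"]


# --- constructed mock TAXII server: two pages, HTTP Basic auth, nothing else ---
_MOCK_USER, _MOCK_PASSWORD = "user", "secret"   # placeholders, not IntSights credentials
_PAGES = {
    None: {"more": True, "next": "page2",
           "objects": [{"type": "indicator", "id": "indicator--0001",
                        "pattern": "[ipv4-addr:value = '203.0.113.5']"}]},
    "page2": {"more": False,
              "objects": [{"type": "indicator", "id": "indicator--0002",
                           "pattern": "[domain-name:value = 'bad.example']"}]},
}


class _MockTaxiiHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{_MOCK_USER}:{_MOCK_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.end_headers()
            return
        page = _PAGES["page2" if "next=page2" in self.path else None]
        body = json.dumps(page).encode()
        self.send_response(200)
        self.send_header("Content-Type", TAXII_MEDIA_TYPE)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_poll(password=_MOCK_PASSWORD):
    """Poll the mock server; returns the object list, or None when the credentials are rejected."""
    server = HTTPServer(("127.0.0.1", 0), _MockTaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        api_root = f"http://127.0.0.1:{server.server_address[1]}/taxii2/root1"
        return fetch_collection_objects(api_root, "collection-1", _MOCK_USER, password,
                                        added_after="2021-01-01T00:00:00Z")
    except HTTPError as err:
        if err.code in (401, 403):
            return None
        raise
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print([obj["id"] for obj in demo_poll()])  # ['indicator--0001', 'indicator--0002']
    print(demo_poll(password="wrong"))         # None
```

Pointing `fetch_collection_objects` at the real API Root and Collection ID with the IntSights credentials is a quick way to confirm that the values are accepted before they are pasted into the connector page; a 401 or 403 there means the credentials or the Collection ID are wrong rather than anything on the Sentinel side.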


Enable the Threat Intelligence – TAXII data connector in Azure Sentinel

To import threat intelligence indicators into Azure Sentinel from the IntSights TAXII Server, follow these steps:

  1. Open the Azure Portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you want to import threat intelligence indicators from the IntSights TAXII Server.
  3. Select Data Connectors from the Configuration menu.
  4. Select Threat Intelligence – TAXII from the list of the data connectors and click the Open Connector page button.
  5. Now enter a Friendly name for the TAXII Server collection. This will be stamped on all the indicators as the Source of the indicator.
  6. Now enter the API Root, Collection ID, Username and Password that you obtained from IntSights.
  7. Click the Add button.


You should now see a confirmation on the notification dialog that the connection was established successfully. The TAXII Server will now show up in the List of the configured TAXII Servers.


View imported indicators from IntSights TAXII Server in Azure Sentinel

Now that threat intelligence indicators from the IntSights TAXII Server are being imported into Azure Sentinel, you can view them in either of the following two ways:


a. The ThreatIntelligenceIndicator table in Log Analytics

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you imported threat indicators from IntSights using the Threat Intelligence – TAXII Data connector.
  3. Select Logs from the General section of Azure Sentinel.
  4. The ThreatIntelligenceIndicator table is located under the SecurityInsights group.
  5. Use the following query to find indicators from IntSights (replace the string with the friendly name you gave the TAXII server when you added it, since that name is stamped on each indicator as its source):

         ThreatIntelligenceIndicator
         | where SourceSystem == "Friendly name of the TAXII Server"


b. Threat Intelligence blade under the Threat Management menu

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you imported threat indicators from IntSights using the Threat Intelligence – TAXII Data connector.
  3. Select Threat Intelligence from the Threat management section of Azure Sentinel.
  4. You can filter the indicators by Source to view the ones that you imported from IntSights. To do so, select the friendly name of the IntSights TAXII Server you used from the Source pill filter.


Use imported indicators from IntSights TAXII Server in Azure Sentinel

Now that you have imported the indicators into Azure Sentinel, you can use them for matching against log sources. This can be done with the Azure Sentinel out-of-the-box analytics rules, either by modifying them or by creating new rules from scratch. The out-of-the-box analytics rules that match threat indicators against your event data all have names beginning with "TI map" under the Analytics section in the Configuration menu. All these rule templates operate similarly; the only differences are which type of threat indicator is used (domain, email, file hash, IP address, or URL) and which event type it is matched against.
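The "TI map" templates share one pattern: keep only the latest version of each indicator that is still active and not expired, then join it to recent events on the matching entity. The following added example, not Microsoft's or IntSights' code, walks through that logic in Python on constructed data so the filtering steps can be seen individually. It also shows how a STIX indicator pattern of the kind a TAXII server sends maps onto the entity columns of the ThreatIntelligenceIndicator table; the column names used are assumed to follow that table's schema, and the indicator rows and firewall events are made up for the demonstration.

```python
"""Added illustration (not Microsoft's or IntSights' code) of the matching a
'TI map' analytics rule performs: convert STIX indicator patterns into the
entity columns of ThreatIntelligenceIndicator, keep the latest version of each
indicator that is still active and unexpired, and join those to recent events
on the IP entity. Column names follow the ThreatIntelligenceIndicator schema as
assumed here; all indicator rows and firewall events are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the demonstration is deterministic.
NOW = datetime(2021, 1, 20, 13, 47, tzinfo=timezone.utc)

# STIX 2 object path -> ThreatIntelligenceIndicator column (subset, assumed mapping).
STIX_TO_COLUMN = {
    "ipv4-addr:value": "NetworkIP",
    "domain-name:value": "DomainName",
    "url:value": "Url",
    "file:hashes.'SHA-256'": "FileHashValue",
}
_SINGLE_COMPARISON = re.compile(r"^\[\s*([\w\-:.']+)\s*=\s*'([^']*)'\s*\]$")


def stix_pattern_to_entity(pattern):
    """Map a single-comparison STIX pattern to (column, value); None if unsupported (e.g. AND/OR)."""
    match = _SINGLE_COMPARISON.match(pattern.strip())
    if not match or match.group(1) not in STIX_TO_COLUMN:
        return None
    return STIX_TO_COLUMN[match.group(1)], match.group(2)


def active_indicators(rows, now=NOW, ioc_lookback=timedelta(days=14)):
    """Latest row per IndicatorId within the lookback, then drop inactive or expired ones.

    Taking the latest version first means a later deactivation of an indicator wins.
    """
    latest = {}
    for row in rows:
        if row["TimeGenerated"] < now - ioc_lookback:
            continue
        previous = latest.get(row["IndicatorId"])
        if previous is None or row["TimeGenerated"] > previous["TimeGenerated"]:
            latest[row["IndicatorId"]] = row
    return [r for r in latest.values() if r["Active"] and r["ExpirationDateTime"] > now]


def ti_map_ip(indicators, events, now=NOW, dt_lookback=timedelta(hours=1)):
    """Join IP indicators to events from the last dt_lookback on SourceIP or DestinationIP."""
    by_ip = {}
    for ind in indicators:
        ip = ind.get("NetworkIP") or ind.get("NetworkDestinationIP") or ind.get("NetworkSourceIP")
        if ip:
            by_ip[ip] = ind
    hits = []
    for event in events:
        if event["TimeGenerated"] < now - dt_lookback:
            continue
        for field in ("SourceIP", "DestinationIP"):
            ind = by_ip.get(event.get(field))
            if ind is not None:
                hits.append({"IndicatorId": ind["IndicatorId"], "SourceSystem": ind["SourceSystem"],
                             "MatchedOn": field, "Event": event})
    return hits


def indicator_row(indicator_id, pattern, generated, expires, active=True, source="IntSights"):
    """Build one ThreatIntelligenceIndicator-like row (constructed) from a STIX pattern."""
    column, value = stix_pattern_to_entity(pattern)
    return {"IndicatorId": indicator_id, "SourceSystem": source, "TimeGenerated": generated,
            "ExpirationDateTime": expires, "Active": active, column: value}


INDICATOR_ROWS = [  # constructed sample rows; SourceSystem is the connector's friendly name
    indicator_row("indicator--aaaa", "[ipv4-addr:value = '203.0.113.5']", NOW - timedelta(days=2), NOW + timedelta(days=30)),
    indicator_row("indicator--bbbb", "[ipv4-addr:value = '198.51.100.9']", NOW - timedelta(days=5), NOW + timedelta(days=30)),
    indicator_row("indicator--bbbb", "[ipv4-addr:value = '198.51.100.9']", NOW - timedelta(days=1), NOW + timedelta(days=30), active=False),
    indicator_row("indicator--cccc", "[ipv4-addr:value = '192.0.2.77']", NOW - timedelta(days=3), NOW - timedelta(hours=1)),
    indicator_row("indicator--dddd", "[domain-name:value = 'bad.example']", NOW - timedelta(days=1), NOW + timedelta(days=30)),
]
FIREWALL_EVENTS = [  # constructed sample events with CommonSecurityLog-style columns
    {"TimeGenerated": NOW - timedelta(minutes=5), "SourceIP": "10.0.0.4", "DestinationIP": "203.0.113.5"},
    {"TimeGenerated": NOW - timedelta(minutes=7), "SourceIP": "10.0.0.5", "DestinationIP": "198.51.100.9"},  # indicator deactivated
    {"TimeGenerated": NOW - timedelta(minutes=9), "SourceIP": "192.0.2.77", "DestinationIP": "10.0.0.6"},    # indicator expired
    {"TimeGenerated": NOW - timedelta(hours=3), "SourceIP": "10.0.0.7", "DestinationIP": "203.0.113.5"},     # outside event lookback
]


def run_demo():
    """Run the full TI map over the constructed data; only the first event should match."""
    return ti_map_ip(active_indicators(INDICATOR_ROWS), FIREWALL_EVENTS)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["IndicatorId"], hit["MatchedOn"], hit["Event"]["DestinationIP"])
```

Of the four events only the first produces a match: the second hits an indicator whose latest version is deactivated, the third hits an expired one, and the fourth falls outside the one-hour event window. When a TI map rule in Sentinel returns fewer hits than expected, those three filters are the usual reason.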


Get insights about your threat intelligence using the new IntSights Workbook

You can use the IntSights Workbook to visualize important information about the threat intelligence you have imported from the IntSights TAXII Server. This workbook provides an interactive dashboard about the threat intelligence you have imported from IntSights. The IntSights Workbook is available on the Azure Sentinel GitHub page. The name of the workbook is “IntsightsIOCWorkbook”.

Follow these steps to get the IntSights Workbook:

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you imported threat indicators from the IntSights TAXII Server.
  3. Select Workbooks from the Threat management menu.
  4. Navigate to the Templates tab and search for the workbook titled IntSights IOC Workbook.
  5. Select the Save button and choose an Azure location to store the workbook.
  6. Now select the View saved workbook button to open the workbook for viewing.


Send tags for indicators back to IntSights

You can send a tag to your IntSights account for every IOC that was sent by IntSights and seen in your environment so that you can further analyze the data in the IntSights platform. This can be done simply by deploying a Playbook from the Azure Sentinel GitHub.


Conclusion

With the IntSights and Azure Sentinel integration, you can now gain visibility into indicators of compromise from thousands of sources across the clear, deep, and dark web for advanced detection and threat hunting. You can also receive additional context about the IOCs from the IntSights feed to protect your organization against targeted threats.
