Bring Threat Intelligence from IntSights Using TAXII Data Connector

Posted by

Azure Sentinel provides multiple ways to import threat intelligence into the product. The threat intelligence imported into Azure Sentinel makes it to the ThreatIntelligenceIndicator log analytics table and is also made available on the Threat Intelligence Blade. The imported threat intelligence can then be used in various parts of the product like hunting, investigation, analytics, workbooks, etc.


One of the ways to bring threat intelligence into Azure Sentinel is using the Threat Intelligence – TAXII Data connectors. This data connector uses the TAXII protocol for sharing data in STIX format and enables a built-in TAXII client in Azure Sentinel to import threat intelligence from TAXII 2.x servers.


 


1.png


 


Today we are announcing the availability of the IntSights TAXII Server, which allows you to get threat data from IntSights into Azure Sentinel using the Threat Intelligence – TAXII Data connector.


 


IntSights + Microsoft Azure Sentinel Solution


The IntSights and Azure Sentinel integration allows customers to gain visibility on indicators of compromise that directly target their unique digital footprints based on monitoring of thousands of sources across the clear, deep, and dark web to identify threats. With the IntSights intelligence feed, users can proactively block threats before they impact their environments and get instant visibility on those threats within Azure Sentinel.


In addition, users can leverage this integration to get enriched IOCs with additional context about the IOC like threat actor, malware, and campaign information. Users can further pivot to the IntSights Investigation module to gain additional visibility and context to protect their organizations.


 


Microsoft Azure Sentinel benefits with IntSights feed


The Azure Sentinel and IntSights integration enables analysts in the Security Operation Center (SOC) to gain visibility into thousands of indicators of compromise with contextual information. This integration also provisions dashboards in the form of Azure Sentinel workbooks detailing event data associated with the IOCs found in your environment.


This blog will walk you through the process of connecting the IntSights TAXII Server to Azure Sentinel.


 


Connecting Azure Sentinel to the IntSights TAXII Server:


To connect Azure Sentinel to the IntSights TAXII Server, obtain the API Root, Collection ID, Username and Password from the IntSights portal after you configure a policy of the data you wish to send to Azure Sentinel.


 


Enable the Threat Intelligence – TAXII data connector in Azure Sentinel


To import threat intelligence indicators into Azure Sentinel from the IntSights TAXII Server, follow these steps:



  1. Open the Azure Portal and navigate to the Azure Sentinel service.

  2. Choose the workspace where you want to import threat intelligence indicators from the IntSights TAXII Server.

  3. Select Data Connectors from the Configuration menu.

  4. Select Threat Intelligence – TAXII from the list of the data connectors and click the Open Connector page button.

  5. Now enter a Friendly name for the TAXII Server collection. This will be stamped on all the indicators as the Source of the indicator.

  6. Now enter the API Root, Collection ID, Username and Password that you obtained from IntSights.

  7. Click the Add button.


2.png


 


You should now see a confirmation on the notification dialog that the connection was established successfully. The TAXII Server will now show up in the List of the configured TAXII Servers.


 


3.png


 


View imported indicators from IntSights TAXII Server in Azure Sentinel


Now that threat intelligence indicators from the IntSights TAXII Server are being imported into Azure Sentinel, you can view them in one of the two below mentioned ways in Azure Sentinel:


 


a. The ThreatIntelligenceIndicators table in Log analytics



  1. Open the Azure portal and navigate to the Azure Sentinel service.

  2. Choose the workspace where you imported threat indicators from IntSights using the Threat Intelligence – TAXII Data connector.

  3. Select Logs from the General section of Azure Sentinel.

  4. The ThreatIntelligenceIndicator table is located under the SecurityInsights group.

  5. Use the following query to find indicators from IntSights:


         ThreatIntelligenceIndicator


         | where SourceSystem == “Friendly name of the TAXII Server”


 


b. Threat Intelligence blade under the Threat Management menu



  1. Open the Azure portal and navigate to the Azure Sentinel service.

  2. Choose the workspace where you imported threat indicators from IntSights using the Threat Intelligence – TAXII Data connector.

  3. Select Threat Intelligence from the Threat management section of Azure Sentinel.

  4. You can filter the indicators according to the Source to view the ones that you imported from IntSights. To do so, select the friendly name of the IntSights TAXII Sever you used from the Source pill filter.


 


Use imported indicators from IntSights TAXII Server in Azure Sentinel


Now that you have imported the indicators into Azure Sentinel, you can use them for matching against log sources. This can be done using the Azure Sentinel out-of-the-box analytics rules by modifying them or by creating new rules from scratch. The set of out-of-the-box analytics rules used to match threat indicators with your event data all have names beginning with, ‘TI map’ under the Analytics section in the Configuration menu. All these rule templates operate similarly with the only difference being what type of threat indicators are used (domain, email, file hash, IP address, or URL) and which event type to match against.


4.png


 


Get insights about your threat intelligence using the new IntSights Workbook


You can use the IntSights Workbook to visualize important information about the threat intelligence you have imported from the IntSights TAXII Server. This workbook provides an interactive dashboard about the threat intelligence you have imported from IntSights. The IntSights Workbook is available on the Azure Sentinel GitHub page. The name of the workbook is “IntsightsIOCWorkbook”.


You can follow the below mentioned steps to get the IntSights Workbook:



  1. Open the Azure portal and navigate to the Azure Sentinel service.

  2. Choose the workspace where you imported threat indicators from the IntSights TAXII Server.

  3. Select Workbooks from the Threat management menu.

  4. Navigate to the Templates tab and search for the workbook titled IntSights IOC Workbook.

  5. Select the Save button and choose an Azure location to store the workbook.

  6. Now select the View saved workbook button to open the workbook for viewing.


5.png


 


Send tags for indicators back to IntSights


You can send a tag to your IntSights account for every IOC that was sent by IntSights and seen in your environment so that you can further analyze the data in the IntSights platform. This can be done simply by deploying a Playbook from the Azure Sentinel GitHub.


 


Conclusion


With the IntSights and Azure Sentinel integration, you can now gain visibility on indicators of compromise from thousands of sources across the clear, deep, and dark web for advanced detection and hunting threats. You can also receive additional context about the IOCs from the IntSights feed to protect your organization against targeted threats.

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.