How to Integrate Threat Intelligence IOCs into Sentinel SIEM via Third-Party API

Tim C 0 Reputation points
2023-01-25T17:29:20.0466667+00:00

The current Sentinel user guide (https://learn.microsoft.com/en-us/azure/sentinel/) details how to integrate threat intelligence IOCs into Sentinel via 1) TAXII feed and 2) threat intelligence platform.

I am trying to ingest IOCs into Sentinel via a third-party API using a vendor-provided API URL, Access Token, and Secret Key. The third-party IOCs are not stored on a dedicated TAXII server and do not have a corresponding Collection ID needed to set up the Microsoft TAXII feed option. The vendor threat intel portal is not a Threat Intel Platform and cannot push IOCs to the Microsoft Graph Security tiIndicators API.

What is the best way to ingest these third-party IOCs into Sentinel?

Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Sentinel

1 answer

  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-01-26T16:32:44.27+00:00

    Would a file import work for you (at least in the short term)? https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import
    You can probably automate that with a Logic App.

    If this answers your question please Accept the answer. Thanks

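As an added illustration of the file-import route suggested in the answer (this is example code, not from the post, the vendor, or Microsoft): the script below takes a vendor API response, refangs and validates each IOC, and emits STIX 2.1 indicator objects to a JSON file. The Sentinel JSON import format is STIX-based, but check the field names against the current template on the linked page before uploading. The vendor response shape and its field names (`indicators`, `type`, `value`, `first_seen`, `confidence`), the `vendor-feed` label and the 90-day validity window are all assumptions; the sample response is constructed and deliberately includes defanged values and one malformed IP.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of what the vendor API might return (field names are assumed).
# It includes defanged values and one malformed IP that must be rejected, not imported.
SAMPLE_VENDOR_RESPONSE = {
    "indicators": [
        {"type": "ip", "value": "203.0.113.45", "first_seen": "2023-01-20T10:00:00Z", "confidence": 80},
        {"type": "domain", "value": "evil[.]example[.]com", "first_seen": "2023-01-21T08:30:00Z", "confidence": 70},
        {"type": "url", "value": "hxxps://bad[.]example[.]net/payload.exe", "first_seen": "2023-01-22T12:00:00Z", "confidence": 60},
        {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "first_seen": "2023-01-23T00:00:00Z", "confidence": 90},
        {"type": "ip", "value": "999.1.1.1", "first_seen": "2023-01-23T00:00:00Z", "confidence": 50},
    ]
}
TS = "%Y-%m-%dT%H:%M:%SZ"


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.]) so the pattern matches real telemetry."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".")


def validate(ioc_type: str, value: str) -> bool:
    """Reject values that cannot be what they claim; a bad IOC becomes a bad match rule."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value, re.IGNORECASE) is not None
    if ioc_type == "url":
        return re.fullmatch(r"https?://[^\s'\"]+", value, re.IGNORECASE) is not None
    if ioc_type == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value) is not None
    return False  # unknown type: do not guess


def stix_pattern(ioc_type: str, value: str) -> str:
    """Build the STIX 2.1 comparison expression; quotes and backslashes in the literal are escaped."""
    literal = value.replace("\\", "\\\\").replace("'", "\\'")
    if ioc_type == "ip":
        obj = "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"
        return f"[{obj}:value = '{literal}']"
    if ioc_type == "domain":
        return f"[domain-name:value = '{literal}']"
    if ioc_type == "url":
        return f"[url:value = '{literal}']"
    return f"[file:hashes.'SHA-256' = '{literal}']"


def to_stix_indicator(entry: dict, valid_days: int = 90) -> Optional[dict]:
    """Return one STIX 2.1 indicator object, or None when the entry fails validation."""
    ioc_type = str(entry.get("type", "")).lower()
    value = refang(str(entry.get("value", "")))
    if ioc_type == "sha256":
        value = value.lower()
    if not validate(ioc_type, value):
        return None
    pattern = stix_pattern(ioc_type, value)
    first_seen = datetime.fromisoformat(entry["first_seen"].replace("Z", "+00:00"))
    now = datetime.now(timezone.utc).strftime(TS)
    return {
        "type": "indicator", "spec_version": "2.1",
        # Deterministic id: re-importing the same IOC updates it instead of creating a duplicate.
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, pattern)}",
        "created": now, "modified": now,
        "name": f"vendor {ioc_type}: {value}",
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": first_seen.strftime(TS),
        # Always set an expiry; stale IOCs otherwise keep generating alerts indefinitely.
        "valid_until": (first_seen + timedelta(days=valid_days)).strftime(TS),
        "confidence": int(entry.get("confidence", 50)),
        "indicator_types": ["malicious-activity"],
        "labels": ["vendor-feed"],  # assumed label for this feed
    }


def convert(response: dict):
    """Split the feed into importable indicators and rejected raw entries (log the latter)."""
    indicators, rejected = [], []
    for entry in response.get("indicators", []):
        ind = to_stix_indicator(entry)
        if ind is None:
            rejected.append(entry)
        else:
            indicators.append(ind)
    return indicators, rejected


if __name__ == "__main__":
    ok, bad = convert(SAMPLE_VENDOR_RESPONSE)
    with open("sentinel_indicators.json", "w", encoding="utf-8") as f:
        json.dump(ok, f, indent=2)
    print(f"{len(ok)} indicators written, {len(bad)} rejected: {[e.get('value') for e in bad]}")
```

The HTTP call to the vendor is left out because its authentication scheme is vendor-specific; whatever it is, read the Access Token and Secret Key from environment variables or Key Vault rather than the script. Rejected entries are returned instead of silently dropped so the job can log them; a Logic App on a schedule, as the answer suggests, can run this conversion and upload the resulting file.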
