How to Integrate Threat Intelligence IOCs into Sentinel SIEM via Third-Party API

Tim C 0 Reputation points
2023-01-25T17:29:20.0466667+00:00

The current Sentinel user guide (https://learn.microsoft.com/en-us/azure/sentinel/) details how to integrate threat intelligence IOCs into Sentinel via 1) TAXII feed and 2) threat intelligence platform.

I am trying to ingest IOCs into Sentinel via a third-party API using a vendor-provided API URL, Access Token, and Secret Key. The third-party IOCs are not stored on a dedicated TAXII server and do not have a corresponding Collection ID needed to set up the Microsoft TAXII feed option. The vendor threat intel portal is not a Threat Intel Platform and cannot push IOCs to the Microsoft Graph Security tiIndicators API.

What is the best way to ingest these third-party IOCs into Sentinel?


1 answer

  1. Clive Watson 5,711 Reputation points MVP
    2023-01-26T16:32:44.27+00:00

    Would a file import work for you (at least in the short term)? https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import You can probably automate that with a Logic App.

    If this answers your question please Accept the answer. Thanks

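An added example (not code from the question or the answer above) of the conversion step that sits between the vendor API and the file import the answer points to. It assumes the JSON variant of the Sentinel file import takes STIX 2.1 indicator objects (the CSV/JSON templates on the linked page are authoritative for the exact container the importer accepts). The vendor response format is constructed here, since the vendor's API and its Access Token / Secret Key auth scheme are not described on the page; in a real run the `SAMPLE_VENDOR_IOCS` list would be replaced by the parsed response of that API call. The script validates each indicator value, builds a syntactically correct STIX pattern (including quote escaping for URLs), and reports what it skipped rather than silently dropping records.

```python
"""Convert vendor-API IOC records into STIX 2.1 indicator objects for Sentinel bulk file import.
Added example; the vendor record layout (type/value/confidence/name) is an assumption."""
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for the parsed vendor API response (not a real vendor format).
SAMPLE_VENDOR_IOCS = [
    {"type": "ip", "value": "203.0.113.45", "confidence": 80, "name": "C2 server"},
    {"type": "domain", "value": "bad-example.test", "confidence": 60, "name": "Phishing domain"},
    {"type": "sha256", "value": "A" * 64, "confidence": 95, "name": "Dropper"},
    {"type": "url", "value": "http://bad-example.test/it's/here", "confidence": 50, "name": "Payload URL"},
    {"type": "ip", "value": "999.1.1.1", "confidence": 80, "name": "malformed, will be skipped"},
    {"type": "md5", "value": "deadbeef", "confidence": 10, "name": "unsupported type, will be skipped"},
]

IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def _stix_escape(value):
    """STIX pattern string literals are single-quoted; escape backslash and quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_pattern(ioc_type, value):
    """Return a STIX 2.1 comparison expression for a supported, well-formed IOC, else None."""
    if ioc_type == "ip":
        return f"[ipv4-addr:value = '{value}']" if IPV4_RE.match(value) else None
    if ioc_type == "domain":
        return f"[domain-name:value = '{_stix_escape(value)}']" if DOMAIN_RE.match(value) else None
    if ioc_type == "sha256":
        return f"[file:hashes.'SHA-256' = '{value.lower()}']" if SHA256_RE.match(value) else None
    if ioc_type == "url":
        return f"[url:value = '{_stix_escape(value)}']" if value.startswith(("http://", "https://")) else None
    return None  # unsupported indicator type


def _stix_timestamp(dt):
    """STIX 2.1 timestamps are RFC 3339 in UTC with millisecond precision and a 'Z' suffix."""
    return f"{dt.strftime('%Y-%m-%dT%H:%M:%S')}.{dt.microsecond // 1000:03d}Z"


def vendor_ioc_to_indicator(record, now=None, ttl_days=30):
    """Build one STIX 2.1 indicator SDO from a vendor record; None if the record is unusable."""
    pattern = to_stix_pattern(record.get("type"), str(record.get("value", "")))
    if pattern is None:
        return None
    now = now or datetime.now(timezone.utc)
    confidence = max(0, min(100, int(record.get("confidence", 50))))  # STIX confidence is 0..100
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_timestamp(now),
        "modified": _stix_timestamp(now),
        "name": record.get("name") or record["value"],
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": _stix_timestamp(now),
        "valid_until": _stix_timestamp(now + timedelta(days=ttl_days)),
        "confidence": confidence,
    }


def convert_vendor_iocs(records, now=None):
    """Return (indicators, skipped) so rejected records are visible to the operator."""
    indicators, skipped = [], []
    for rec in records:
        ind = vendor_ioc_to_indicator(rec, now=now)
        (indicators if ind else skipped).append(ind or rec)
    return indicators, skipped


def build_bundle(indicators):
    """Wrap indicators in a STIX 2.1 bundle, the standard container for a set of STIX objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}


if __name__ == "__main__":
    inds, skipped = convert_vendor_iocs(SAMPLE_VENDOR_IOCS)
    with open("sentinel_indicators.json", "w", encoding="utf-8") as fh:
        json.dump(build_bundle(inds), fh, indent=2)
    for rec in skipped:
        print("skipped:", rec["type"], rec["value"])
```

The written file is what a Logic App (or a scheduled job) would hand to the import step; keeping the `skipped` list in the run output matters because a vendor feed that silently loses a third of its records looks exactly like a clean one from the Sentinel side.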