Threat intelligence integration in Microsoft Sentinel
Microsoft Sentinel gives you a few ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats:
- Use one of many available integrated threat intelligence platform (TIP) products.
- Connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source.
- Connect directly to the Microsoft Defender Threat Intelligence feed.
- Make use of any custom solutions that can communicate directly with the Threat Intelligence Upload Indicators API.
- Connect to threat intelligence sources from playbooks to enrich incidents with threat intelligence information that can help direct investigation and response actions.
Tip
If you have multiple workspaces in the same tenant, such as for Managed Security Service Providers (MSSPs), it might be more cost effective to connect threat indicators only to the centralized workspace.
With a single copy of the threat indicators in the centralized workspace, you can run cross-workspace queries to correlate them against the data in each of your other workspaces, and use the results within your MSSP incident detection, investigation, and hunting experience.
TAXII threat intelligence feeds
To connect to TAXII threat intelligence feeds, follow the instructions to connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds, together with the connection details supplied by each vendor. You might need to contact the vendor directly to obtain the API root, collection ID, and credentials to use with the connector.
Cybersixgill
- Learn about Cybersixgill integration with Microsoft Sentinel.
- Connect Microsoft Sentinel to the Cybersixgill TAXII server and get access to Darkfeed. Contact azuresentinel@cybersixgill.com to obtain the API root, collection ID, username, and password.
Cyware
CTIX, a component of Cyware's TIP, makes intelligence actionable by exposing it as a TAXII feed for your security information and event management (SIEM) system. For Microsoft Sentinel, follow the instructions here:
- Learn how to integrate with Microsoft Sentinel.
ESET
- Learn about ESET's threat intelligence offering.
- Connect Microsoft Sentinel to the ESET TAXII server. Obtain the API root URL, collection ID, username, and password from your ESET account. Then follow the general instructions and ESET's knowledge base article.
FS-ISAC
- Join FS-ISAC to get the credentials to access this feed.
H-ISAC
- Join the H-ISAC to get the credentials to access this feed.
IBM X-Force
- Learn more about IBM X-Force integration.
IntSights
- Learn more about the IntSights integration with Microsoft Sentinel.
- Connect Microsoft Sentinel to the IntSights TAXII server. Obtain the API root, collection ID, username, and password from the IntSights portal after you configure a policy for the data that you want to send to Microsoft Sentinel.
Kaspersky
- Learn about Kaspersky integration with Microsoft Sentinel.
Pulsedive
- Learn about Pulsedive integration with Microsoft Sentinel.
Sectrio
- Learn more about Sectrio integration.
- Learn about the step-by-step process for integrating Sectrio's threat intelligence feed into Microsoft Sentinel.
SEKOIA.IO
- Learn about SEKOIA.IO integration with Microsoft Sentinel.
ThreatConnect
- Learn more about STIX and TAXII at ThreatConnect.
- See the TAXII services documentation at ThreatConnect.
Integrated threat intelligence platform products
To connect to TIP feeds, see Connect threat intelligence platforms to Microsoft Sentinel. See the following solutions to learn what other information is needed. Integrations that write indicators to the Microsoft Graph Security API use the legacy Threat Intelligence Platforms data connector; the Threat Intelligence Upload Indicators API is the current path for custom and newer integrations, so prefer it where a vendor offers both.
Agari
- To connect Agari Phishing Defense and Brand Protection, use the built-in Agari data connector in Microsoft Sentinel.
Anomali ThreatStream
- To download ThreatStream Integrator and Extensions, and the instructions for connecting ThreatStream intelligence to the Microsoft Graph Security API, see the ThreatStream downloads page.
AlienVault OTX
- Learn how AlienVault OTX makes use of Azure Logic Apps (playbooks) to connect to Microsoft Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
EclecticIQ
- EclecticIQ Platform integrates with Microsoft Sentinel to enhance threat detection, hunting, and response. Learn more about the benefits and use cases of this two-way integration.
Filigran OpenCTI
- Filigran OpenCTI can send threat intelligence to Microsoft Sentinel either through a dedicated connector that runs in real time, or by acting as a TAXII 2.1 server that Microsoft Sentinel polls on a schedule. It can also receive structured incidents from Microsoft Sentinel via the Microsoft Sentinel Incident connector.
GroupIB
- To connect GroupIB Threat Intelligence and Attribution to Microsoft Sentinel, GroupIB makes use of Logic Apps. See the specialized instructions that are necessary to take full advantage of the complete offering.
MISP
- Push threat indicators from MISP to Microsoft Sentinel by using the Threat Intelligence Upload Indicators API with MISP2Sentinel.
- See MISP2Sentinel in Azure Marketplace.
- Learn more about the MISP Project.
Palo Alto MineMeld
- To configure Palo Alto MineMeld with the connection information to Microsoft Sentinel, see Sending IOCs to the Microsoft Graph Security API using MineMeld. Go to the "MineMeld Configuration" heading.
Recorded Future
- Learn how Recorded Future makes use of Logic Apps (playbooks) to connect to Microsoft Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
ThreatConnect
- See the Microsoft Graph Security Threat Indicators Integration Configuration Guide for instructions to connect ThreatConnect to Microsoft Sentinel.
ThreatQuotient
- See Microsoft Sentinel Connector for ThreatQ integration for support information and instructions to connect ThreatQuotient TIP to Microsoft Sentinel.
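The Threat Intelligence Upload Indicators API, listed in the overview and used by MISP2Sentinel above, takes STIX 2.1 Indicator objects in a JSON request body rather than a vendor-specific format, which is what makes it usable from any custom feed. The following Python script is an added example, not Microsoft's or the MISP2Sentinel project's code: it turns a list of plain IOCs (IPs, domains, URLs, hashes) into STIX 2.1 Indicators with deterministic ids and an expiry, splits them into request bodies, and shows the POST call. The endpoint URL and api-version, the 100-indicators-per-request limit, the {"sourcesystem", "value"} body shape, the token audience, and the assumption that re-uploading an indicator with the same id updates it are my reading of the API and should be checked against the current reference; the sample IOCs are constructed for the demo.

```python
import json
import uuid
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumptions (not from the page): the Upload Indicators API accepts a JSON body
# {"sourcesystem": <string>, "value": [<STIX 2.1 indicator objects>]}, at most
# 100 indicators per request, and treats a re-upload with an existing STIX id as
# an update of that indicator. Verify against the current API reference.
UPLOAD_URL = ("https://sentinelus.azure-api.net/workspaces/{workspace_id}"
              "/threatintelligenceindicators:upload?api-version=2022-07-01")
MAX_PER_REQUEST = 100
# Fixed namespace for UUIDv5 ids: the same IOC from the same source always maps
# to the same indicator id, so repeated runs update rather than duplicate.
ID_NAMESPACE = uuid.UUID("9b6a1f7e-4c4e-4a4a-9c1a-3c1f5a3b2e10")  # arbitrary constant

# Constructed sample feed for demonstration only; these are not real IOCs.
SAMPLE_IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 80},
    {"type": "domain", "value": "login-update.example", "confidence": 60},
    {"type": "url", "value": "http://login-update.example/verify?id=1", "confidence": 70},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "confidence": 90},
]

_PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "ipv6": "[ipv6-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def stix_pattern(ioc_type, value):
    """Render a plain IOC as a STIX 2.1 comparison pattern, escaping quotes."""
    if ioc_type not in _PATTERN_TEMPLATES:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return _PATTERN_TEMPLATES[ioc_type].format(v=escaped)


def _stix_timestamp(dt):
    """STIX 2.1 timestamps are UTC, RFC 3339, with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_stix_indicator(ioc, source_system, now=None, ttl_days=30):
    """Build one STIX 2.1 Indicator SDO with the fields the upload API expects."""
    now = now or datetime.now(timezone.utc)
    confidence = int(ioc.get("confidence", 50))
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence}")
    key = f"{source_system}|{ioc['type']}|{ioc['value']}"
    stamp = _stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(ID_NAMESPACE, key)}",
        "created": stamp,
        "modified": stamp,
        "name": f"{ioc['type']}: {ioc['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(ioc["type"], ioc["value"]),
        "pattern_type": "stix",
        "valid_from": stamp,
        # Expiry so stale IOCs stop matching instead of living forever.
        "valid_until": _stix_timestamp(now + timedelta(days=ttl_days)),
        "confidence": confidence,
    }


def build_upload_requests(iocs, source_system, now=None):
    """Convert IOCs to indicators and split them into API-sized request bodies."""
    indicators = [to_stix_indicator(i, source_system, now) for i in iocs]
    return [
        {"sourcesystem": source_system, "value": indicators[i:i + MAX_PER_REQUEST]}
        for i in range(0, len(indicators), MAX_PER_REQUEST)
    ]


def upload(workspace_id, bearer_token, body):
    """POST one request body. Assumption: the bearer token is issued for the
    Azure management audience by an identity allowed to write TI to the workspace."""
    req = urllib.request.Request(
        UPLOAD_URL.format(workspace_id=workspace_id),
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run: print the body that would be sent for the constructed sample feed.
    for body in build_upload_requests(SAMPLE_IOCS, "example-feed"):
        print(json.dumps(body, indent=2))
```

Deterministic UUIDv5 ids are the design choice worth copying: a feed that re-runs with a changed confidence or a refreshed expiry then updates the existing indicator instead of piling up duplicates, and setting valid_until means an indicator that the feed stops re-asserting ages out rather than matching forever. Pattern values are escaped before interpolation so a quote in an IOC cannot break the STIX pattern syntax.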
Incident enrichment sources
Besides being used to import threat indicators, threat intelligence feeds can also serve as a source to enrich the information in your incidents and provide more context to your investigations. The following feeds serve this purpose and provide Logic Apps playbooks to use in your automated incident response. Find these enrichment sources in the Content hub.
For more information about how to find and manage the solutions, see Discover and deploy out-of-the-box content.
HYAS Insight
- Find and enable incident enrichment playbooks for HYAS Insight in the Microsoft Sentinel GitHub repository. Search for subfolders beginning with Enrich-Sentinel-Incident-HYAS-Insight-.
- See the HYAS Insight Logic Apps connector documentation.
Microsoft Defender Threat Intelligence
- Find and enable incident enrichment playbooks for Microsoft Defender Threat Intelligence in the Microsoft Sentinel GitHub repository.
- See the Defender Threat Intelligence Tech Community blog post for more information.
Recorded Future
- Find and enable incident enrichment playbooks for Recorded Future in the Microsoft Sentinel GitHub repository. Search for subfolders beginning with RecordedFuture_.
- See the Recorded Future Logic Apps connector documentation.
ReversingLabs
- Find and enable incident enrichment playbooks for ReversingLabs in the Microsoft Sentinel GitHub repository.
- See the ReversingLabs TitaniumCloud Logic Apps connector documentation.
RiskIQ PassiveTotal
- Find and enable the incident enrichment playbooks for RiskIQ PassiveTotal in the Microsoft Sentinel GitHub repository.
- See more information on working with RiskIQ playbooks.
- See the RiskIQ PassiveTotal Logic Apps connector documentation.
VirusTotal
- Find and enable incident enrichment playbooks for VirusTotal in the Microsoft Sentinel GitHub repository. Search for subfolders beginning with Get-VTURL.
- See the VirusTotal Logic Apps connector documentation.
Next steps
In this article, you learned how to connect your threat intelligence provider to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Microsoft Sentinel.