Threat intelligence integration in Microsoft Sentinel
Applies to: Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal
Microsoft Sentinel gives you a few ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats:
Connect to threat intelligence sources from playbooks to enrich incidents with threat intelligence information that can help direct investigation and response actions.
Tip
If you have multiple workspaces in the same tenant, such as for Managed Security Service Providers (MSSPs), it might be more cost effective to connect threat indicators only to the centralized workspace.
When you have the same set of threat indicators imported into each separate workspace, you can run cross-workspace queries to aggregate threat indicators across your workspaces. Correlate them within your MSSP incident detection, investigation, and hunting experience.
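The cross-workspace aggregation described in the tip above, as an added KQL example that is not part of the original article. It assumes two workspaces in the same tenant with the placeholder names "ws-central" and "ws-customer-a", and that indicators land in the ThreatIntelligenceIndicator table; substitute your own workspace names or resource IDs.

```kusto
// Added example (not from the article): aggregate active threat indicators
// across two workspaces in the same tenant. "ws-central" and "ws-customer-a"
// are placeholder workspace names; replace them with your own.
let lookback = 14d;
union isfuzzy=true
    (workspace("ws-central").ThreatIntelligenceIndicator
        | extend SourceWorkspace = "ws-central"),
    (workspace("ws-customer-a").ThreatIntelligenceIndicator
        | extend SourceWorkspace = "ws-customer-a")
| where TimeGenerated > ago(lookback)
// Keep only the newest version of each indicator, then drop inactive or expired ones.
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
// Collapse the observable columns into one value so different indicator types can be grouped together.
| extend Indicator = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP,
                              DomainName, Url, FileHashValue)
| where isnotempty(Indicator)
// One row per indicator: which workspaces and feeds know about it, and the highest confidence seen.
| summarize Workspaces = make_set(SourceWorkspace),
            Sources = make_set(SourceSystem),
            MaxConfidence = max(ConfidenceScore)
            by Indicator, ThreatType
| order by MaxConfidence desc
```

Indicators that appear in more than one workspace show up with several entries in the Workspaces column, which is what you want to see when deciding whether duplicate imports across workspaces are worth the ingestion cost.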
TAXII threat intelligence feeds
To connect to TAXII threat intelligence feeds, follow the instructions to connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds, together with the data supplied by each vendor. You might need to contact the vendor directly to obtain the necessary data to use with the connector.
Cybersixgill
Connect Microsoft Sentinel to the Cybersixgill TAXII server and get access to Darkfeed. Contact azuresentinel@cybersixgill.com to obtain the API root, collection ID, username, and password.
Cyware threat intelligence exchange (CTIX)
CTIX, a component of Cyware's threat intelligence platform (TIP), makes intelligence actionable by exposing it as a TAXII feed for your security information and event management (SIEM) solution. For Microsoft Sentinel, follow the instructions here:
ESET
Connect Microsoft Sentinel to the ESET TAXII server. Obtain the API root URL, collection ID, username, and password from your ESET account. Then follow the general instructions and ESET's knowledge base article.
Financial Services Information Sharing and Analysis Center (FS-ISAC)
Join FS-ISAC to get the credentials to access this feed.
Health intelligence sharing community (H-ISAC)
Join the H-ISAC to get the credentials to access this feed.
IntSights
Connect Microsoft Sentinel to the IntSights TAXII server. Obtain the API root, collection ID, username, and password from the IntSights portal after you configure a policy for the data that you want to send to Microsoft Sentinel.
AlienVault Open Threat Exchange (OTX) from AT&T Cybersecurity
Learn how AlienVault OTX makes use of Azure Logic Apps (playbooks) to connect to Microsoft Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
EclecticIQ Platform
EclecticIQ Platform integrates with Microsoft Sentinel to enhance threat detection, hunting, and response. Learn more about the benefits and use cases of this two-way integration.
Filigran OpenCTI
Filigran OpenCTI can send threat intelligence to Microsoft Sentinel either through a dedicated connector that runs in real time or by acting as a TAXII 2.1 server that Microsoft Sentinel polls on a schedule. It can also receive structured incidents from Microsoft Sentinel through the Microsoft Sentinel Incident connector.
Recorded Future
Learn how Recorded Future makes use of Logic Apps (playbooks) to connect to Microsoft Sentinel. See the specialized instructions necessary to take full advantage of the complete offering.
Besides importing threat indicators, threat intelligence feeds can also serve as a source to enrich the information in your incidents and add context to your investigations. The following feeds serve this purpose and provide Logic Apps playbooks to use in your automated incident response. Find these enrichment sources in the Content hub.
In this article, you learned how to connect your threat intelligence provider to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: