
Import Free TAXII Threat Intelligence Feed to Microsoft Sentinel


Microsoft Sentinel lets you import threat indicators, enhancing your security analysts’ ability to detect and prioritize known threats. You can stream threat indicators to Microsoft Sentinel using one of the integrated Threat Intelligence Platform (TIP) products, connect to TAXII servers, or directly integrate with the Microsoft Graph Security Indicators API.

TAXII servers are not free; you may need to contact the vendor directly to obtain the necessary data to use with the TAXII data connector in Sentinel. However, we can use a free STIX/TAXII 2.1 server from Pulsedive to stream cyber threat intelligence data shared through the TAXII protocol.

This article illustrates all the steps to import Pulsedive, a free TAXII Threat Intelligence feed, to Microsoft Sentinel for testing, debugging, or learning about STIX and TAXII.

Introduction

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) system that provides a range of options for importing threat intelligence data. These options can then be used for hunting, investigation, and analytics. Some methods for importing rich threat intelligence data into Microsoft Sentinel include using the Threat Intelligence – TAXII data connector, connecting with Threat Intelligence Platforms (TIP), and importing indicators via a flat file.

If you are not familiar with Trusted Automated Exchange of Intelligence Information (TAXII): OASIS is the standards body behind STIX/TAXII. Structured Threat Information Expression (STIX) is the schema it developed for sharing Threat Intelligence (TI) data, and TAXII is the transport protocol over which cyber threat intelligence (CTI) is exchanged.

Microsoft Sentinel was an early adopter of STIX/TAXII, the preferred method for importing threat intelligence data. The “Threat Intelligence – TAXII” connector in Microsoft Sentinel uses the TAXII protocol to share data in STIX format. This connector can pull data from TAXII 2.0 and 2.1 servers. Essentially, this connector acts as a built-in TAXII client in Microsoft Sentinel, allowing for the easy import of threat intelligence from TAXII 2.0 and 2.1 servers.

[Image Credit] The OASIS Cyber Threat Intelligence (CTI) - STIX/TAXII

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create one here for free.

2) Log Analytics workspace – To create a new workspace, follow the instructions to create a Log Analytics workspace.

3) Enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days; follow the quick onboarding process. Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days.

4) Installing Threat Intelligence Content Hub Solution (more on this below). You need the Microsoft Sentinel Contributor role at the resource group level to install, update, and delete standalone content or solutions in the content hub.

5) Connecting Microsoft Sentinel to Pulsedive TAXII Server (more on this below).

6) Enabling Threat Intelligence TAXII data connector (more on this below).

7) You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.

Assuming you have all the prerequisites in place, take the following steps:

Installing Threat Intelligence Content Hub Solution

Installing the threat intelligence solution from Content Hub is straightforward. As mentioned earlier, you need the Microsoft Sentinel Contributor role at the resource group level to install, update, and delete standalone content or solutions in the Content hub.


1) From Microsoft Sentinel, go to the Content Hub page.

2) Install the “Threat Intelligence” Featured solution, as shown in the figure below. The solution contains 4 data connectors, 47 Analytics rules, 5 Hunting queries, and one workbook.

Install Threat Intelligence Content Hub solution

This solution includes four Threat Intelligence data connectors, one in the deprecation phase.

  • Threat Intelligence Upload Indicators API. Microsoft Sentinel offers a data plane API for importing threat intelligence from your Threat Intelligence Platform, such as Threat Connect, Palo Alto Networks, MineMeld, or other integrated applications.
  • Threat Intelligence – TAXII (the focus of this article).
  • Microsoft Defender Threat Intelligence (MDTI). MDTI provides a set of indicators and access to the https://ti.defender.microsoft.com portal at no additional cost, but licensing is required for the premium features of the MDTI portal and API.
  • Threat Intelligence Platforms (Being Deprecated).

These data connectors help you to import Indicators of Compromise (IOCs) from a wide variety of Threat Intelligence (TI) sources into Microsoft Sentinel. Threat indicators include IP addresses, domains, URLs, file hashes, and email addresses.

Connecting Microsoft Sentinel to Pulsedive TAXII Server

This section shows you how to connect Microsoft Sentinel to Pulsedive’s TAXII Server and obtain the API Root, Collection ID, Username, and Password from Pulsedive.

1) Open your favorite browser and sign up for a free TAXII 2.0/2.1 feed. Navigate to https://pulsedive.com/register, enter your Email ID, agree to the terms, and select Register. You will receive a registration link to your email, as shown in the figure below.

Sign up for Pulsedive

2) To confirm the registration, click on the link received in the email from Pulsedive, as shown in the figure below.

Confirm Pulsedive registration

3) Next, fill in the following details, accept the terms, and complete the registration:

  • Username (At least 5 characters long, lowercase alphanumeric).
  • Password (Must be 12 characters long. We are not liable for weak passwords).
  • Confirm Password (Must be 12 characters long. We are not liable for weak passwords).
  • Job Title (Optional).
  • Company or Organization (Optional).

Complete Pulsedive registration

4) Next, go to https://pulsedive.com/login and click Login. Then enter your credentials and click Sign In.

Login to Pulsedive

5) Select </> API from the dashboard and click STIX via TAXII on the left menu, as shown in the figure below.

STIX via TAXII

6) Scroll down to the “Query String” section on the page, copy the value shown for the key parameter, and paste it into a Notepad file for later use. The value is obscured in the figure below for obvious reasons.

Query String – Key

7) Then, search for or scroll to Pulsedive test data. Copy and paste the Collection ID to the Notepad file for later use in the next section.

Pulsedive test data

Now that we have the Key and the Collection ID, the next step is to enable the TAXII data connector in Microsoft Sentinel.
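Before entering the values in Sentinel, you can check them with a minimal TAXII 2.1 client and see what the connector will actually ingest. The following Python script is an added example, not code from the article or from Pulsedive; it uses the API root and the fixed username taxii2 that the connector configuration below also uses, and assumes you pass your own key and Collection ID to fetch_envelope (the SAMPLE_ENVELOPE is constructed data so the parser runs offline).

```python
import base64
import json
import re
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# API root and the fixed username come from the article; the key and collection ID
# are the values copied from the Pulsedive API page (passed in as arguments here).
API_ROOT = "https://pulsedive.com/taxii2/api/"
USERNAME = "taxii2"
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

def taxii_headers(username, password):
    """Headers a TAXII 2.1 client sends: HTTP Basic auth plus the TAXII media type."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": TAXII_MEDIA_TYPE}

def objects_url(api_root, collection_id):
    """Objects endpoint the connector polls: {api-root}collections/{id}/objects/"""
    return urljoin(api_root, f"collections/{collection_id}/objects/")

def fetch_envelope(api_root, collection_id, password, limit=10):
    """Live pre-flight request (needs network): returns the parsed TAXII envelope."""
    req = Request(objects_url(api_root, collection_id) + f"?limit={limit}",
                  headers=taxii_headers(USERNAME, password))
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

# One STIX comparison expression, e.g. [ipv4-addr:value = '198.51.100.7']
_PATTERN = re.compile(r"\[([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\]")

def indicators_from_envelope(envelope):
    """Flatten STIX indicator objects into rows like ThreatIntelligenceIndicator."""
    rows = []
    for obj in envelope.get("objects", []):
        m = _PATTERN.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:  # non-indicator objects (markings, identities) and unparsable patterns are skipped
            rows.append({"id": obj["id"], "observable": m.group(1), "value": m.group(3),
                         "confidence": obj.get("confidence"), "valid_until": obj.get("valid_until")})
    return rows

# Constructed sample envelope (not real Pulsedive data) so the parser runs offline.
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "confidence": 60,
     "valid_until": "2030-01-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "marking-definition", "id": "marking-definition--33333333-3333-4333-8333-333333333333"},
]}
```

An HTTP 401 from fetch_envelope means the key is wrong, and a 404 means the Collection ID is wrong, which is easier to diagnose here than from the connector's Disconnected status.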

Enabling Threat Intelligence TAXII Data Connector

Switch to the Microsoft Sentinel page, then select Data Connectors under the Configuration section.

1) On the data connectors page, type TAXII in the search bar, select the Threat intelligence – TAXII connector, and click on the Open connector page, as shown in the figure below.

Please note that all Threat Intelligence data connectors write to the same table in the Log Analytics workspace (ThreatIntelligenceIndicator), and the “data received” count reflects rows reaching that table from any connector or integration. So the table can already be receiving Threat Intelligence data even before the TAXII connector is connected. This is why, in the figure below, the Threat Intelligence – TAXII connector shows the Last Log Received as 2 minutes ago while its status is still Disconnected and its configuration values are blank: the other Threat Intelligence data connectors are already enabled in this environment, so this behavior is expected.

Open Threat intelligence – TAXII connector

2) In the Threat Intelligence – TAXII connector page, add the following information under the Configuration menu:

  • Friendly name (for server): Pulsedive
  • API root URL: https://pulsedive.com/taxii2/api/
  • Collection ID: Paste the ID that we copied from the previous step.
  • Username: taxii2
  • Password: Paste the Key that we copied from the previous step.
  • Import Indicators: All available (review all available options)
  • Polling frequency: Once a day

Enable Threat Intelligence – TAXII connector

3) Click Add and wait until the operation completes and the TAXII server is added.

TAXII connector added

4) The list of TAXII servers (Pulsedive) should be visible, as shown in the figure below.

List of configured TAXII servers (Pulsedive)

Now that we have connected and enabled the TAXII connector, the last step is to verify and view threat indicators.

Viewing Threat Indicators

All the threat intelligence data you ingest into Microsoft Sentinel will reach the Threat Intelligence Blade, as shown in the figure below. Then, we can filter by the Source (i.e., Pulsedive) and look for all Threat Indicator types we receive. This blade also reads from the Threat Intelligence table.

Threat Intelligence blade

Then, through the Threat Intelligence Workbook, we can evaluate the onboarded indicators by source (i.e., Microsoft Defender Threat Intelligence, Pulsedive), threat feeds, and confidence ratings, run a free-text search for indicators across your cloud workloads, and analyze threats by geolocation, threat group, assets targeted, and more.

Threat Intelligence Workbook

As mentioned earlier, the Threat Indicators reside in the “ThreatIntelligenceIndicator” table. This table is the basis for queries performed by other Microsoft Sentinel features, such as Analytics rules and Workbooks. To view your threat indicators with KQL, select Logs from the General section of the Microsoft Sentinel menu. Then, run the following KQL query against the “ThreatIntelligenceIndicator” table to list the indicators received from Pulsedive.

ThreatIntelligenceIndicator
| where SourceSystem == "Pulsedive"
// or change the source to "Microsoft Defender Threat Intelligence"
| sort by TimeGenerated

The same data we look at through the Threat Intelligence Blade and Threat Intelligence Workbook is shown in the Logs.

Threat Intelligence Indicator table

That’s it, there you have it. Happy importing of free Threat Intelligence feeds to Sentinel!

In Summary

In this article, we described all the steps to import Pulsedive, a free TAXII Threat Intelligence feed, to Microsoft Sentinel for testing, debugging, or learning about STIX and TAXII.

Once the threat intelligence from Pulsedive is imported into Microsoft Sentinel, you can use it to match against log sources. This can be done using the out-of-the-box analytic rules in Microsoft Sentinel. These completely customizable analytics rules, which you can use to match threat indicators with your event data, all have names beginning with ‘TI map,’ as shown in the figure below.

Threat Intelligence Analytics Rule templates


Within a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware.

This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation on a large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.