This chapter will explore the options available for adding Threat Intelligence (TI) feeds into Azure Sentinel to enable the security team to have a greater understanding of the potential threats against their environment. We will explore the available TI feeds from Microsoft and other trusted industry sources, then learn how to choose the most appropriate feeds for your organization based on geography, industry, and other risk factors.
This chapter will also introduce several new topics you may not be familiar with, but we encourage you to further research to add to your SOC capabilities, including the collaborative efforts of STIX and TAXII, a TI framework and set of standards that will help organizations to contribute and benefit from the knowledge of others.
By the end of this chapter, you will know how to implement several TI feeds.
This chapter will cover the following topics:
Due to the complex nature of cybersecurity and the sophistication of modern attacks, it is difficult for any organization to keep track of the vulnerabilities and multiple ways that an attacker may compromise a system, especially if cybersecurity is not the focus of the organization. Understanding what to look for and deciding what to do when you see a system anomaly or another potential threat is complex and time-consuming. This is where TI comes in useful.
TI is critical in fighting against adversaries and is now integrated with most security products; it provides the ability to set a list of indicators for detection and blocking malicious activities. You can subscribe to TI feeds to gain knowledge from other security professionals in the industry and create your own indicators that are specific to the environment you are operating.
If you are new to this topic, there are some new keywords and abbreviations to learn:
Note
ATT&CK™, TAXII™, and STIX™ are trademarks of The MITRE Corporation. MineMeld™ is a trademark of Palo Alto Networks.
Microsoft provides access to its own TI feeds via the tiIndicators API, and has built connectors for integration with feeds from Palo Alto Networks (MineMeld), ThreatConnect, MISP, and TAXII. You can also build your own integration to submit custom threat indicators to Azure Sentinel and Microsoft Defender ATP. For further details, review this information: https://github.com/microsoftgraph/security-api-solutions/tree/master/QuickStarts.
Once your TI sources are connected, you can create rules to generate alerts and incidents when events match threat indicators or use built-in analytics, enriched with TI. You can also correlate TI with event data via hunting queries to add contextual insights to investigations.
In the next section, we will look at the specifics of one of these recommended approaches: STIX and TAXII, which is important to understand and consider implementing within your SOC as part of designing Azure Sentinel.
The MITRE Corporation is a not-for-profit company that provides guidance in the form of frameworks and standards to assist with the development of stronger cybersecurity controls; the STIX language and TAXII protocol are some examples of this development effort.
These two standards were developed by an open community effort, sponsored by the U.S. Department of Homeland Security (DHS), in partnership with the MITRE Corporation. These are not software products, but the standards that products can use to enable automation and compatibility when sharing TI information with your security community and business partners.
As per the description provided by MITRE: STIX is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. The STIX language was developed to ensure threat information can be shared, stored, and used in a consistent manner to facilitate automation and human-assisted analysis. You can read more about the STIX standard here: https://stixproject.github.io/.
The TAXII protocol was developed to provide support for TI feeds from Open Source Intelligence (OSINT) sources and TIPs that support this standard protocol and the STIX data format. You can read more details about the TAXII protocol here: https://www.mitre.org/sites/default/files/publications/taxii.pdf.
Microsoft has developed a connector to enable integration with services using the TAXII protocol, enabling the ingestion of STIX 2.0 Threat Indicators for use in Azure Sentinel.
Public previews
Due to the nature of agile development and an evergreen cloud environment, Microsoft makes new features available first through private previews to a select few reviewers, and then releases the feature to public preview to allow wider audience participation for feedback. Your organization needs to determine whether it is acceptable to use preview features in your production tenants or to restrict access to only a development/testing environment. At the time of writing, the TAXII data connector is in public preview with an expected release date of April 2020. You can check the list of available Data Connectors in your Azure Sentinel tenant to see whether it is currently available.
In the next chapter, we will review the options for intel feeds and choose which ones are right for your organization's needs.
With Azure Sentinel, you can import TI from multiple sources to enhance the security analysts’ ability to detect and prioritize known threats and IOCs. When configured, several optional features become available within the following Azure Sentinel tools:
There are several options available to gain access to TI feeds and you may choose to generate your own indicators based on specific information gathered through internal IT investigations; this allows you to develop a unique list of indicators that are known to be specific to your organization. Depending on your industry and region, you may choose to share these with partner organizations and communities to gain specific information related to healthcare, government, energy, and so on.
You can choose to leverage direct integration with the Microsoft Graph Security tiIndicators API, which contains Microsoft’s own TI, gathered across their vast internet services landscape (such as Azure, Office 365, Xbox, and Outlook). This feature also allows you to upload your own threat indicators and send them to other Microsoft security tools, which can allow, block, or alert on activities based on the signals received from the intel.
It is recommended that you also obtain TI feeds from open source platforms, such as the following:
Optionally, you can also choose to purchase additional TI feeds from solution providers. Azure Sentinel currently offers the capability to integrate with the ThreatConnect Platform, which is a TIP you can purchase separately. Other platforms are expected to be integrated in the near future; review the data connector for TIPs for any updates.
Azure Sentinel provides a data connector specifically for the integration with TIP solutions (both commercial and open source). This section will provide walk-through guidance for the steps required to ingest TI data into Azure Sentinel, using MineMeld as an example:
Note
At the time of writing, this feature is still in public preview. You can enable this solution in your Azure Sentinel workspace to gain access to these features; however, you should expect it to change as it is developed.
Let’s discuss each of these steps in detail in the following sections.
Use the following steps to enable the data connector for TIPs within Azure Sentinel:
You should now have a working connector waiting for the TI feed data to flow in. Next, we will configure the app registration in Azure AD, which is necessary to then set up the MineMeld server.
In this section, we will create an app registration in Azure AD. This will be used by the TI server/service to run and send information to Azure Sentinel.
Note
You will need to repeat this process for each TI server/service you intend to integrate with Azure Sentinel.
Use the following steps to create an app registration in Azure AD:
Note
You can also get to this screen from the Azure portal: navigate to Azure Active Directory | App registrations | <app name> | View API Permissions | Grant admin consent for <tenant name>.
Now that the app is registered in Azure AD, we can start to configure the MineMeld server, which involves setting up a new virtual machine (VM) to collect and forward the TI feeds.
With the previous steps complete, you are ready to configure the services that will send TI data to Azure Sentinel. This section will walk you through the configuration of the MineMeld threat intelligence sharing solution.
Note
If this service is not already running in your environment, you will need to configure the TIP product; this guidance is only for the Azure Sentinel connectors.
There are three steps to this process:
To carry out this procedure, you will need administrative access to the Azure Tenant and the MineMeld service.
Ideally you will already have the MineMeld VM configured and running in your environment; however, if you do not, you can find configuration instructions online via the official Palo Alto Networks website: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-Install-MineMeld-on-Ubuntu-16-04/ta-p/253336.
Note
Ensure you use Ubuntu version 16.04 only; other versions may not be compatible.
The following are the steps to install the API extension:
Now that the Microsoft Graph Security API extension has been set up on the MineMeld server, we can configure the Azure Sentinel connector.
The following are the steps to configure the API extension:
This concludes the configuration requirements for the MineMeld service. TI feeds should now be sent to your Azure Sentinel instance.
To confirm the data is being sent to Azure Sentinel, follow these steps:
ThreatIntelligenceIndicator
| take 100
ThreatIntelligenceIndicator
| distinct SourceSystem
You have now configured and connected the MineMeld server to your Azure Sentinel workspace and can see the TI data feeds appearing in the logs. You can now use this information to help to create new analytics and hunting queries, notebooks, and workbooks in Azure Sentinel.
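The queries above only confirm that indicators are arriving. As an added example (not part of the original chapter or of Microsoft's own content), the following KQL hunting query correlates the ingested IP indicators with firewall events in the same pattern as Azure Sentinel's built-in TI-map analytics; it assumes a CEF source is populating the CommonSecurityLog table and uses the standard ThreatIntelligenceIndicator columns.

```kusto
// Window of firewall events to check and how far back to pull indicators.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// Only active, unexpired indicators should drive a detection.
| where Active == true and ExpirationDateTime > now()
// Keep IP-based indicators only; other types (domain, URL, hash) need their own join.
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
// The same indicator can be re-ingested; keep its most recent version.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.DestinationIP
// Project the fields an analyst needs to triage the match.
| project LatestIndicatorTime, SourceSystem, ThreatType, ConfidenceScore, Description,
          TI_ipEntity, CSL_TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort
| order by CSL_TimeGenerated desc
```

Filtering on Active and ExpirationDateTime matters because TI feeds retire indicators; matching on stale entries produces false positives that erode trust in the feed.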
We recommend regular reviews to ensure this information is both relevant and updated frequently. New TI feeds become available regularly, and you don’t want to miss out on useful information that could help you find new and advanced threats.
In this chapter, we explored the concept of TI, new terminology and solutions options available, and the concept of creating and sharing TI feeds as a community effort.
There are several options available for adding TI feeds into Azure Sentinel, and we know Microsoft is working to develop this even further. TI feeds will assist with the analysis and detection of unwanted behavior and potentially malicious activities. With many options to choose from, selecting the right feeds for your organization is an important part of configuring Azure Sentinel.
The next chapter introduces the Kusto Query Language (KQL), which is the powerful means to search all data collected for Azure Sentinel, including the TI data we just added.
The following resources can be used to further explore some of the topics covered in this chapter: