
Alienvault otx taxii feed

  1. Alienvault otx taxii feed how to
  2. Alienvault otx taxii feed password

# Alienvault otx taxii feed how to

One of the key capabilities of Azure Sentinel has always been its ability to work with data from multiple sources, including Threat Indicator Providers who can deliver their data directly into the environment via the Microsoft Security Graph. But what if you have a source of indicators or other enrichment data that you want to use in Azure Sentinel and no connector to ingest it with? Ofer Shezaf has written a great blog post about creating custom connectors, and Ian Hellen wrote an outstanding blog about using OTX data in Jupyter Notebooks in Sentinel; this post expands on their work by walking through adding a custom Sentinel Playbook (Azure Logic App) that connects to AlienVault's Open Threat Exchange (OTX) REST API and ingests threat indicators for use in hunting and alerts. While this post is specifically about AlienVault OTX, the same methodology works with almost any API-based data source.

**UPDATE**: To enable this capability in Sentinel, make sure you have enabled the "Threat Intelligence Platforms" data connector.

Requirements: CSE supports TAXII v1.1 and v1.2. To integrate with a TAXII feed, consult the documentation for the feed. If you are integrating Cloud SIEM with the Cybersecurity and Infrastructure Security Agency (CISA) TAXII feed, see the CISA AIS TAXII Server Connection Guide and Automated Indicator Sharing. If you are integrating Cloud SIEM with Anomali ThreatStream, see Generating Your Own Threat Intelligence Feeds in ThreatStream on the Anomali blog.

To integrate CSE with a TAXII feed, you configure the URL of the TAXII provider's discovery service and a polling interval. At the configured interval, CSE uses the discovery service to look up the URL of the poll service, and then sends poll requests to that service, which returns the indicators to CSE.

The integration allows you to enrich incoming Records with threat intel information and leverage that information in CSE Rules. How does that work? CSE compares incoming Records with information from the threat feed. When there is a match, for instance when an IP address in a Record matches an IP address that the feed says is malicious, CSE adds the relevant information to that Record. Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. The built-in rules that come with CSE will also automatically create a Signal for any Record with a match from your threat feed. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see Threat Intelligence in the About CSE Rules topic.

To add the feed:

  • Click the Content menu and select Threat Intelligence.
  • On the Threat Intelligence page, click Add Source.
  • On the Add New Source popup, click TAXII Feed.

# Alienvault otx taxii feed password

Then configure the feed:

  • Enter the URL for the feed provider's TAXII discovery service endpoint.
  • Enter the frequency at which you want to poll the feed for updates.
  • If desired, specify a default TTL that will take effect for indicators that don't have a defined expiration.
  • You can use this option to tell CSE how many days of data to fetch the first time you populate your list of indicators. By default, the first time you populate the list, CSE looks for all data from the feed for all time. Note that on subsequent updates, CSE only considers data added to the feed since the last time it was polled.
  • You can optionally enter a comma-separated list of the specific collections of indicators that you want to retrieve. If you leave this field blank, all indicators will be queried. (The collections available depend on your threat intel provider.)
  • As required, a subscription ID to send to the TAXII provider in the poll request.
  • Enter the username for accessing the TAXII server.
  • Enter the password for accessing the TAXII server.
  • If required, drop the certificate for accessing the TAXII server into this field.
  • Enter the password for the certificate.
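The polling window and default-TTL behaviour described above, worked through as a small Python example added here (not Sumo Logic's, Microsoft's or AlienVault's code): it derives the begin timestamp for the next poll (everything since the last poll, or an initial look-back on the first poll), serialises a minimal TAXII 1.1 Poll_Request with or without a subscription ID, and assigns the default TTL to indicators that arrive without an expiration. The element names follow the TAXII 1.1 XML binding; the function names, the absence of any transport, and the sample indicators are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  # TAXII 1.1 XML binding

def poll_begin(last_polled, initial_days, now):
    """Exclusive begin timestamp for the next poll: everything since the last poll,
    or on the first poll all time (None) unless an initial look-back in days is set."""
    if last_polled is not None:
        return last_polled
    return None if initial_days is None else now - timedelta(days=initial_days)

def build_poll_request(collection, begin, end, subscription_id=None, message_id="1"):
    """Serialise a minimal TAXII 1.1 Poll_Request (hypothetical client, no transport).
    With a subscription ID the request refers to that subscription; otherwise it
    carries explicit Poll_Parameters asking for a FULL, synchronous response."""
    ET.register_namespace("taxii_11", TAXII_NS)
    root = ET.Element(f"{{{TAXII_NS}}}Poll_Request",
                      message_id=message_id, collection_name=collection)
    if begin is not None:  # omitted on a first poll that wants all data for all time
        ET.SubElement(root, f"{{{TAXII_NS}}}Exclusive_Begin_Timestamp").text = begin.isoformat()
    ET.SubElement(root, f"{{{TAXII_NS}}}Inclusive_End_Timestamp").text = end.isoformat()
    if subscription_id:
        root.set("subscription_id", subscription_id)
    else:
        params = ET.SubElement(root, f"{{{TAXII_NS}}}Poll_Parameters", allow_asynch="false")
        ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"
    return ET.tostring(root, encoding="unicode")

def apply_default_ttl(indicators, default_ttl_days, now):
    """Indicators without an expiration get now + default TTL; others keep theirs."""
    result = []
    for ind in indicators:
        ind = dict(ind)  # copy so the caller's feed data is not mutated
        if ind.get("expires") is None:
            ind["expires"] = now + timedelta(days=default_ttl_days)
        result.append(ind)
    return result

# Constructed sample input (RFC 5737 documentation addresses, not real indicators)
SAMPLE_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_INDICATORS = [
    {"ip": "198.51.100.7", "expires": None},
    {"ip": "203.0.113.9", "expires": SAMPLE_NOW + timedelta(days=3)},
]

if __name__ == "__main__":
    # First poll with a 7-day initial look-back and no subscription ID
    print(build_poll_request("default", poll_begin(None, 7, SAMPLE_NOW), SAMPLE_NOW))
    print(apply_default_ttl(SAMPLE_INDICATORS, 30, SAMPLE_NOW))
```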
