Adding TAXII Threat Intel

To further enrich data in the Azure Sentinel workspace, we can ingest threat intel.

What is TAXII?

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS.

More information about TAXII is available here:
https://oasis-open.github.io/cti-documentation/taxii/intro

Enabling TAXII Connector in Azure Sentinel

Go to connects view and search for “TAXII”

Open the connector settings page to add TAXII servers (you can add multiple servers)

In this demo we are using free TAXII feeds from Anomali (https://www.anomali.com/resources/limo)

When the TAXII server is configured, click “Next steps”

In this step we will get recommended workbooks, sample queries and analytic rules we can use to monitor and alert on the data we ingest from the TAXII server.

Provided sample queries gives us access to the data

ThreatIntelligenceIndicator | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel" 

From the connector configuration, we can also see the related analytics rule templates

For further information, please visit:
https://docs.microsoft.com/en-us/azure/sentinel/import-threat-intelligence

Happy Hunting!

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.