Integrating Threat Intelligence (part 2)

By Ashwin Venugopal -

 




To read part 1, please click here


Implementing TI Connectors

A data connector is especially provided by Microsoft Sentinel for the integration with TIP solutions, hence, following are the steps involved to ingest data into Microsoft Sentinel using MineMeld as an example:

  • Enabling the data connector

The data connector can be enabled as follows-
  1. Navigate to the Microsoft Sentinel portal and go to the Data connectors page.
  2. Choose the data connector for Threat Intelligence Platforms (Preview).
  3. Click on the Open Connector page button.
  4. At the top of the page, review the given Prerequisites for the data connector to make sure that the workspace as well as tenant permissions are properly configured.
  5. Now the configuration steps can be seen to determine the correct functioning of the data connector and then you can click on the Connect button at the bottom the page. 

  • Registering an app in Azure AD

An app registration in Azure AD can be created as follows:
  1. Navigate to Azure AD in the Azure portal and choose App registrations button.
  2. Select + New registration in the toolbar. 
  3. Now give a unique name to the specific TI connector on the next screen. You can also select the default option for Who can use this application or access this API? and then select Register button.
  4. After the successful completion of the registration, you will see an Overview page on the screen.
  5. The ID values will be required while configuring your integrated TIP product or an app that uses direct integration with the Microsoft Graph Security API.
  6. Now you can configure API permissions for the registered application by selecting API Permissions button on the left-side menu.
  7. Now you will have a default permission of User.Read, select +Add a permission.
  8. Next select the Microsoft Graph  API on the next screen.
  9. Select Application permissions.
  10. Enter Threat Indicators in the search bar and then select the ThreatIndicators.ReadWrite.OwnedBy option.
  11. Click Add permissions and then choose the Grant admin consent for <tenant name> button.
  12. A screen requesting the permission consent will pop out and you will have to click the Accept button on it. 
  13. Now you can confirm that the permissions are successfully granted by simply looking for the green checkmarks while viewing the permissions.  

  • Configuring the MineMeld threat intelligence feed 

The following steps are involved in the process-
  1. Building the VM and installing MineMeld.
  2. Installing the Microsoft Graph Security API extension in MineMeld.
  3. Configuring the extension to connect to the Microsoft Graph via the Security API.

  • Confirming that data is being ingested for use by Microsoft Sentinel

The following steps will confirm that the data is being sent to Microsoft Sentinel-
  1. Go to the Azure portal, then Microsoft Sentinel.
  2. Select Logs, then expand SecurityInsights.
  3. Type the following command on the command window and select Run:
     ThreatIntelligenceIndicator
     | take 100

      4. Now you will see a screen with the results.
      5. The following command will tell which TIs are enabled and delivering and then select Run:

     ThreatIntelligenceIndicator
     | distinct SourceSystem

Now the MineMeld server is successfully configured as well as connected to the Microsoft Sentinel workspace and the TI data feeds can be seen on the logs which can be used to create new analytics and hunting queries, notebooks, and workbooks in Microsoft Sentinel.

It is recommended to continuously review that the information is relevant and updated frequently.





To read part 1, please click here




Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more