Integrating Threat Intelligence (part 2)
To read part 1, please click here
Implementing TI Connectors
Microsoft Sentinel provides a dedicated data connector for integrating with threat intelligence platform (TIP) products. The following steps show how to ingest TIP data into Microsoft Sentinel, using MineMeld as the example:
- Enabling the data connector
The data connector can be enabled as follows:
- Navigate to the Microsoft Sentinel portal and open the Data connectors page.
- Choose the Threat Intelligence Platforms (Preview) data connector.
- Click the Open connector page button.
- At the top of the page, review the listed prerequisites to make sure that the workspace and tenant permissions are configured correctly.
- Follow the configuration steps shown on the page, then click the Connect button at the bottom of the page.
- Registering an app in Azure AD
An app registration in Azure AD can be created as follows:
- Navigate to Azure AD in the Azure portal and choose App registrations.
- Select + New registration in the toolbar.
- On the next screen, give the registration a unique name for this TI connector. Keep the default option under Who can use this application or access this API? and click Register.
- After the registration completes, the app's Overview page is shown.
- Note the Application (client) ID and Directory (tenant) ID shown there; you will need them when configuring the integrated TIP product, or an app that integrates directly with the Microsoft Graph Security API. Any such client also needs a credential (a client secret or certificate, issued under Certificates & secrets) in addition to those IDs in order to obtain a token as this app.
- Next, configure API permissions for the registered application by selecting API permissions in the left-hand menu.
- The registration starts with only the default delegated permission User.Read; select + Add a permission.
- Select Microsoft Graph on the next screen.
- Select Application permissions.
- Enter Threat Indicators in the search box and select ThreatIndicators.ReadWrite.OwnedBy. This is the least-privilege choice: it lets the app read and modify only the indicators it submitted itself, not indicators owned by other apps.
- Click Add permissions, then click Grant admin consent for <tenant name>.
- A consent prompt appears; click Accept.
- Confirm that the permissions were granted by checking for the green checkmarks in the Status column of the permissions list.
- Configuring the MineMeld threat intelligence feed
The following steps are involved:
- Building the VM and installing MineMeld.
- Installing the Microsoft Graph Security API extension in MineMeld.
- Configuring the extension to connect to the Microsoft Graph Security API using the application (client) ID, directory (tenant) ID and credential from the app registration.
- Confirming that data is being ingested into Microsoft Sentinel
The following steps confirm that data is reaching Microsoft Sentinel:
- Go to the Azure portal, then Microsoft Sentinel.
- Select Logs, then expand SecurityInsights.
- Enter the following query in the query window and select Run:
ThreatIntelligenceIndicator
| take 100
- The results are shown below the query. An empty result means nothing has been ingested yet; check the connector status and the MineMeld extension logs before going further.
- The following query shows which TI sources are enabled and delivering indicators; enter it and select Run:
ThreatIntelligenceIndicator
| distinct SourceSystem
The MineMeld server is now configured and connected to the Microsoft Sentinel workspace. The TI data feeds appear in the logs and can be used to build new analytics rules, hunting queries, notebooks, and workbooks in Microsoft Sentinel.
Review the ingested intelligence regularly to confirm that it is still relevant and is being updated frequently; a feed that silently stops delivering leaves analytics rules matching against expired indicators.
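The direct-integration path mentioned under the app registration, and the freshness review recommended above, as an added example that is not code from the original article, from MineMeld or from Microsoft. It assumes that the app registered above also has a client secret (not covered by the article), that indicators go to the Graph Security beta endpoint https://graph.microsoft.com/beta/security/tiIndicators with targetProduct "Azure Sentinel" (the legacy API the Threat Intelligence Platforms connector consumes; Microsoft has since marked it for retirement), and that the read-back goes through the Log Analytics query API at https://api.loganalytics.io, which requires the same app to hold Log Analytics Reader on the workspace, a role assignment separate from the Graph permission. The IDs, the sample indicator value and the sample query response are placeholders constructed for the example.

```python
"""Submit indicators to the Graph Security API directly and check freshness in Sentinel.
Added example, not code from the article, MineMeld or Microsoft; assumptions in the lead-in."""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_TI = "https://graph.microsoft.com/beta/security/tiIndicators"   # legacy beta endpoint
LOGS_API = "https://api.loganalytics.io/v1/workspaces/{}/query"
ACTIONS = {"alert", "block", "allow"}
TLP = {"white", "green", "amber", "red"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_HASH = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> fileHashType


def get_token(tenant_id, client_id, client_secret, scope):
    """Client-credentials token for the registered app; scope is <resource>/.default."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def classify_observable(value):
    """Map a raw IOC string onto the tiIndicator field that carries it."""
    v = value.strip()
    if _IPV4.match(v):
        return {"networkIPv4": v}
    if len(v) in _HASH and re.fullmatch(r"[0-9a-fA-F]+", v):
        return {"fileHashType": _HASH[len(v)], "fileHashValue": v.lower()}
    if v.lower().startswith(("http://", "https://")):
        return {"url": v}
    if _DOMAIN.match(v):
        return {"domainName": v.lower()}
    raise ValueError(f"unsupported observable: {value!r}")


def build_indicator(value, threat_type, description, *, action="alert", tlp="amber",
                    confidence=50, ttl_days=30, external_id=None, now=None):
    """Build one tiIndicator, refusing values the API would reject rather than
    letting a malformed feed entry fail silently inside a batch."""
    if action not in ACTIONS or tlp not in TLP or threat_type not in THREAT_TYPES:
        raise ValueError("invalid action, tlpLevel or threatType")
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be 0..100")
    now = now or datetime.now(timezone.utc)
    ind = {"action": action, "confidence": confidence, "description": description,
           "expirationDateTime": (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
           "targetProduct": "Azure Sentinel", "threatType": threat_type, "tlpLevel": tlp}
    ind.update(classify_observable(value))
    if external_id:
        ind["externalId"] = external_id   # lets a later update or delete find this indicator
    return ind


def submit_indicators(token, indicators, batch=100):
    """Bulk submit via the submitTiIndicators action; batch size of 100 is an assumption."""
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    out = []
    for i in range(0, len(indicators), batch):
        data = json.dumps({"value": indicators[i:i + batch]}).encode()
        req = urllib.request.Request(GRAPH_TI + "/submitTiIndicators", data=data, headers=hdr)
        with urllib.request.urlopen(req) as resp:
            out.extend(json.load(resp).get("value", []))
    return out


# Also usable as-is in the Logs blade: per-source count of live indicators and last arrival.
FRESHNESS_QUERY = """ThreatIntelligenceIndicator
| where ExpirationDateTime > now()
| summarize Indicators = count(), LastReceived = max(TimeGenerated) by SourceSystem"""


def run_query(token, workspace_id, query, timespan="P7D"):
    """Run a KQL query through the Log Analytics query API (needs Log Analytics Reader)."""
    data = json.dumps({"query": query, "timespan": timespan}).encode()
    req = urllib.request.Request(LOGS_API.format(workspace_id), data=data, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _parse_ts(s):
    """Log Analytics emits 7-digit fractional seconds, which strptime cannot parse."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))


def stale_sources(result, max_age_hours=24, now=None):
    """SourceSystems whose newest live indicator is older than max_age_hours."""
    now = now or datetime.now(timezone.utc)
    cols = [c["name"] for c in result["tables"][0]["columns"]]
    rows = [dict(zip(cols, r)) for r in result["tables"][0]["rows"]]
    cutoff = now - timedelta(hours=max_age_hours)
    return sorted(r["SourceSystem"] for r in rows if _parse_ts(r["LastReceived"]) < cutoff)


# Constructed sample of the query API's response shape, so the check runs offline.
SAMPLE_RESULT = {"tables": [{"name": "PrimaryResult", "columns": [
    {"name": "SourceSystem", "type": "string"}, {"name": "Indicators", "type": "long"},
    {"name": "LastReceived", "type": "datetime"}], "rows": [
    ["MineMeld", 4210, "2021-03-10T08:15:00.1234567Z"],
    ["SecurityGraph", 55, "2021-03-02T11:00:00Z"]]}]}
```

Usage: obtain one token with scope `https://graph.microsoft.com/.default` for `submit_indicators`, and a second with scope `https://api.loganalytics.io/.default` for `run_query`, then pass the query result to `stale_sources`; running it against `SAMPLE_RESULT` with a 24-hour threshold flags `SecurityGraph`, whose last indicator is eight days old, and not `MineMeld`. The same `FRESHNESS_QUERY` can be pasted into the Logs blade, or wrapped in a scheduled analytics rule that fires when a source disappears from the result.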