
Bring threat intelligence from Sixgill using TAXII Data Connector

Azure Sentinel News Editor by Azure Sentinel News Editor
December 16, 2020
in Security and Compliance

As discussed in the blog Bring your threat intelligence to Azure Sentinel, Azure Sentinel provides several ways to import threat intelligence into the ThreatIntelligenceIndicator Log Analytics table, from where it can be used across the product: hunting, investigation, analytics rules, workbooks and so on.

One of the ways to bring threat intelligence into Azure Sentinel is the Threat Intelligence – TAXII data connector. This connector uses the TAXII protocol to transport data in STIX format, which is one of the most widely adopted standards for sharing threat intelligence across the industry. The connector enables a built-in TAXII client in Azure Sentinel that pulls indicators from TAXII 2.0 and 2.1 servers.


Today we are announcing the availability of the Sixgill TAXII Server which allows you to get threat intelligence data from Sixgill into Azure Sentinel using the Threat Intelligence – TAXII Data connector.

Sixgill + Microsoft Azure Sentinel Solution

The Sixgill and Azure Sentinel integration makes it easy to gain deeper visibility and advanced context of IOCs from the deep and dark web — providing an enhanced level of detection and protection for your organization. With Sixgill Darkfeed, Azure Sentinel users can proactively protect against threats with automated intelligence in real-time. Darkfeed is the most comprehensive, automated IOC solution, powered by Sixgill’s data lake of underground threat intelligence. It delivers contextual insights in real-time – straight from the Azure Sentinel dashboard.

Microsoft Azure Sentinel benefits with Sixgill Darkfeed:

Incident response security teams can automatically receive IOCs from Darkfeed (machine-to-machine) and gain unparalleled context with essential explanations of IOCs. Malware researchers can hunt for malicious indicators of compromise in organizational networks and conduct deep analysis of malware available for download on the deep and dark web. Users can then pivot to the Sixgill Investigative Portal to further investigate threat actors and contexts in order to protect their organization’s most critical assets.

This blog will walk you through the process of connecting the Sixgill TAXII Server to Azure Sentinel.


Connecting Azure Sentinel to Sixgill TAXII Server

To connect Azure Sentinel to the Sixgill TAXII Server, obtain the API Root, Collection ID, Username and Password from Sixgill. To obtain access to Sixgill Darkfeed via Azure Sentinel, please contact Sixgill at “azuresentinel@cybersixgill.com”.

Enable the Threat Intelligence – TAXII data connector in Azure Sentinel

To import threat intelligence indicators into Azure Sentinel from the Sixgill TAXII Server follow these steps:

  1. Open the Azure Portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you want to import threat intelligence indicators from the Sixgill TAXII Server.
  3. Select Data Connectors from the Configuration menu.
  4. Select Threat Intelligence – TAXII from the list of the data connectors and click the Open Connector page button.
  5. Enter a Friendly name for the TAXII Server collection. This name is stamped on every imported indicator as its Source (the SourceSystem column in the ThreatIntelligenceIndicator table), so choose one you will recognise in queries later.
  6. Enter the API Root, Collection ID, Username and Password that you obtained from Sixgill as described above.
  7. Click the Add button.

You should now see a confirmation in the notification dialog that the connection was established successfully. The TAXII Server will now appear in the list of configured TAXII Servers.


View imported indicators from Sixgill TAXII Server in Azure Sentinel

Now that threat intelligence indicators from the Sixgill TAXII Server are being imported into Azure Sentinel, you can view them in either of the two ways below:

  a. The ThreatIntelligenceIndicator table in Log Analytics.

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you’ve imported threat indicators from Sixgill using the Threat Intelligence – TAXII Data connector.
  3. Select Logs from the General section of Azure Sentinel.
  4. The ThreatIntelligenceIndicator table is located under the SecurityInsights group.
  5. Use the following query to find indicators from Sixgill:

         ThreatIntelligenceIndicator
         // replace the string with the Friendly name you entered when adding the TAXII Server
         | where SourceSystem == "Friendly name of the TAXII Server"

  b. Threat Intelligence blade under the Threat Management menu.

  1. Open the Azure portal and navigate to the Azure Sentinel service.
  2. Choose the workspace where you’ve imported threat indicators from Sixgill using the Threat Intelligence – TAXII Data connector.
  3. Select Threat Intelligence from the Threat management section of Azure Sentinel.
  4. You can filter the indicators by Source to view the ones imported from Sixgill. To do so, select the friendly name you gave the Sixgill TAXII Server in the Source pill filter.
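Before building detections on the feed, it is worth confirming what the connector actually imported and whether those indicators are still valid. The KQL below is an added example and is not part of the original post; "Sixgill Darkfeed" is a placeholder for whatever Friendly name you entered in the connector, and the indicator-type classification is based on which entity columns of the ThreatIntelligenceIndicator table are populated.

```kql
// Added example: inventory of indicators imported from one TAXII source.
// "Sixgill Darkfeed" stands in for the Friendly name entered in the connector.
let source_name = "Sixgill Darkfeed";
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where SourceSystem == source_name
// the connector re-imports indicators on each poll; keep only the latest copy of each
| summarize arg_max(TimeGenerated, *) by IndicatorId
| extend IndicatorType = case(
    isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), strcat("filehash-", FileHashType),
    isnotempty(EmailSenderAddress) or isnotempty(EmailSourceDomain), "email",
    "other")
| summarize Indicators = count(),
            // Active == false or a past ExpirationDateTime means the indicator should not fire
            ActiveIndicators = countif(Active == true and ExpirationDateTime > now()),
            LastImported = max(TimeGenerated)
    by IndicatorType
| order by Indicators desc
```

If LastImported stops advancing while the connector still shows as connected, check the connector's polling status and the credentials before assuming the feed is empty; if ActiveIndicators is far below Indicators, most of the feed has expired and the matching rules below will rightly ignore it.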

Use imported indicators from Sixgill TAXII Server in Azure Sentinel

Now that you have imported the indicators into Azure Sentinel, you can use them for matching against log sources. This can be done with the Azure Sentinel out-of-the-box analytics rules, either by modifying them or by creating new rules from scratch. The out-of-the-box analytics rule templates that match threat indicators against your event data all have names beginning with ‘TI map’, under the Analytics section of the Configuration menu. All of these rule templates operate similarly; the only differences are the type of threat indicator used (domain, email, file hash, IP address or URL) and the event type it is matched against.
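The query below shows the shape of such a matching rule, restricted to the Sixgill source. It is an added example patterned on the ‘TI map IP entity’ templates rather than one of the built-in templates themselves; "Sixgill Darkfeed" is a placeholder for the Friendly name entered in the connector, and CommonSecurityLog (CEF events from firewalls and proxies) is assumed as the event source. The same structure applies to the other indicator types by swapping the entity columns (DomainName, Url, FileHashValue, EmailSenderAddress) and the event table.

```kql
// Added example: match active Sixgill IP indicators against the last hour of CEF traffic.
// "Sixgill Darkfeed" stands in for the Friendly name entered in the connector.
let source_name = "Sixgill Darkfeed";
let dt_lookBack = 1h;    // how far back to scan the event data
let ioc_lookBack = 14d;  // how far back to collect indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where SourceSystem == source_name
// keep the latest copy of each indicator so re-imports do not produce duplicate matches
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// normalise the three IP columns into one entity to join on
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.DestinationIP
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType,
          ExpirationDateTime, ConfidenceScore, TI_ipEntity,
          CSL_TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort,
          DestinationIP, DestinationPort, Activity
// entity mapping used by the scheduled rule when it creates incidents
| extend timestamp = CSL_TimeGenerated, IPCustomEntity = TI_ipEntity
```

Keeping the source filter in the rule lets you tune thresholds and severity per feed; dark-web indicators tend to carry different confidence than, say, an internal block list, so filtering on ConfidenceScore before the join is a common next refinement.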


With this Sixgill and Azure Sentinel integration, you can now use IOCs from the deep and dark web for advanced detection and threat hunting in your organization. You can also receive additional context about the IOCs from Sixgill Darkfeed. Researchers can use this feed to hunt for malicious IOCs on the dark web and use them for analysis and investigation to protect their organizations.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-threat-intelligence-from-sixgill-using-taxii-data/ba-p/1965440
