Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Threat Intelligence

Using Azure Playbooks to import text-based threat indicators to Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
December 1, 2020
in Threat Intelligence
0
Microsoft is quietly becoming a cybersecurity powerhouse
6.2kViews
701 Shares Share on Facebook Share on Twitter

Introduction

Azure Sentinel provides two built in data connectors for importing threat intelligence, the Threat Intelligence – TAXII data connector, and the Threat Intelligence – Platforms data connector. These data connectors are suitable for most use cases – as explained in our previous detailed blog. However, some open source threat intelligence is shared as text-based files which cannot be accessed directly from these data connectors. This blog describes how to use Azure Sentinel Playbooks to obtain text-based threat indicators from an online source, and import them directly into the ThreatIntelligenceIndicator table where they can be used by all the built-in Sentinel analytics templates to generate security incidents.

The Playbooks described in this post were created to allow Azure Sentinel customers to import Microsoft’s COVID-19 related threat indicators published on GitHub. However, these Playbooks can easily be modified to point to any other source of a text-based indicator feed.

Playbook architecture

These Azure Sentinel Playbooks work in tandem to read indicators from a source location and import the indicators to the ThreatIntelligenceIndicator table in Logs. Let’s take a closer look at the functionality of each Playbook.

Playbook 1 (C19IndicatorProcessor)

C19IndicatorProcessor Playbook performs the following steps:

  • Triggered on a defined schedule
  • Reads the indicators from GitHub
  • Transforms the indicators from the text-based source to the appropriate tiIndicator JSON format
  • Uses the Batch action to send the indicators to the second Playbook (C19ImportToSentinel)
Figure1.jpg

Playbook 2 (C19ImportToSentinel)

C19ImportToSentinel Playbook performs the following steps:

  • Begins with a Batch Messages trigger to receive indicators sent by the first Playbook (C19IndiatorProcessor) and groups the indicators into batches of 10
  • Submits each batch of indicators to Azure Sentinel using the Microsoft Graph Security Logic App connector
Figure2.jpg

Deploy the Playbooks to Azure Sentinel

The Playbook templates can be downloaded from GitHub at this location. It is important to deploy the C19ImportToSentinel Playbook before deploying the C19IndicatorProcessor playbook. Since these Playbooks rely on the Batch action, there is a natural dependency created between the two Playbooks. The C19IndicatorProcessor Playbook has a reference to the Batch endpoint published by the C19ImportToSentinel Playbook.

Follow these steps to deploy the two Playbooks to your Azure Sentinel instance.

1.  Open the Azure portal and search for and select, Deploy a custom template.

Figure3.jpg

2.  Select, Build your own template in the editor from the list of options.

3.  In the Edit template window, replace the default JSON with the contents of the C19ImportToSentinel.json template file and select Save.

4.  In the Custom deployment window, select the Resource Group where you have your Azure Sentinel instance, and under Settings, input your user name which will be used to deploy the Playbook, and select Purchase.

Note: It is highly recommended to leave the Playbook Name to the default setting. However, if you rename the Playbook you will need to reference this new name when deploying the second Playbook.

Note: While the confirmation button is labeled Purchase, there is no charges associated with obtaining these Playbooks.

5.  After a minute or two the Playbook will be visible under Azure Sentinel Playbooks.

6.  Repeat these same steps (1-5) for the C19IndicatorProcessor Playbook with the only difference being on step (4) there is an additional option under Settings where you will input the name you used for the first Playbook you deployed.

Figure4.jpg

Once deployed there is a final configuration step to import the threat indicators. The C19ImportToSentinel includes an action to submit the indicators to Azure Sentinel using the Microsoft Graph Security API. In order to receive the indicators in your Azure Sentinel instance, you will need to enable the Threat Intelligence – Platforms data connector.

Figure5.jpg

Also, you will need to open the C19ImportToSentinel Playbook and configure the connection for the Submit multiple tiIndicators action as shown below.

Figure6.jpg

Reference:https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-playbooks-to-import-text-based-threat-indicators-to/ba-p/1383980

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

With new release, CrowdStrike targets Google Cloud, Azure and container adopters
Threat Intelligence

Tips for Parsing Syslog to Azure Sentinel

December 31, 2020
CRITICALSTART Adds Support for Microsoft Azure Sentinel to MDR Services
Threat Intelligence

Locate all the Preview Goodies in Your Azure Sentinel Console

December 30, 2020
Microsoft is quietly becoming a cybersecurity powerhouse
Threat Intelligence

How to Prohibit an Azure Sentinel Analyst from Editing a Playbook

December 29, 2020
Next Post
New analytics to help Azure-based Sentinel identify threats

Microsoft Fixed an Azure Security Vulnerability before Researchers Could Report It

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Microsoft Tunnel Makes Connecting to Corporate Apps Easier from Android and iOS

What’s new: Microsoft Teams connector in Public Preview

The Best Online Microsoft Azure Courses and Training

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Introducing the Microsoft Azure Modular Datacenter

Introducing the Microsoft Azure Modular Datacenter

3 months ago
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

2 months ago
A Deep Dive Into How to Use Azure Sentinel

A Deep Dive Into How to Use Azure Sentinel

4 months ago
KPMG Announces New Security Offering For Microsoft Azure Sentinel

KPMG Announces New Security Offering For Microsoft Azure Sentinel

4 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News