
Cyware Threat Intelligence eXchange

Microsoft Azure Sentinel

Connector Category: Security Information and Event Management (SIEM) Tool

About Integration

Microsoft Azure Sentinel is a SIEM tool that helps security teams collect and analyze large amounts of data to identify emerging network threats. The Azure Sentinel integration with CTIX helps security analysts collect, analyze, and store security incidents and events. The incidents triggered by Azure Sentinel are further enriched using CTIX. CTIX sends information such as tags, threat types, descriptions, confidence scores, created and modified dates, valid-from and valid-until dates, and more to the Azure Sentinel platform.

Use Cases

  • Collect high-confidence real-time threat indicators or Indicators of Compromise (IoCs) to detect potential threats to your organization.

  • Send threat data to Azure Sentinel to validate alerts and receive the necessary context to take appropriate actions on the malicious indicators.

Benefits

  • Provide visibility into the entire IT environment to better aggregate and normalize the data for efficient comparison and detection of security breaches.

  • Automate the threat response task to ensure a high-fidelity exchange of data between the applications and have all the information needed to make informed decisions.

The Microsoft Azure Sentinel internal application in Intel Exchange supports the following actions:

Action Name       Description
Update Indicator  This action updates indicators on the Microsoft Azure Sentinel platform with the data retrieved from Intel Exchange.

Configure Azure Sentinel App in CTIX

Configure Azure Sentinel as an internal application in CTIX to update threat indicators on Azure Sentinel's platform.

Before you Start

  • You must have the view and update tool integration permissions.

  • You must have the necessary authentication resources to configure Azure Sentinel.

Steps

  1. Sign in to CTIX.

  2. Navigate to Administration, select Integration Management, and select Internal Applications under Tool Integrations.

  3. Select Security Information and Event Management System and select Microsoft Sentinel.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance, such as Prod-Azure.

  6. Enter the base URL used to connect directly to the application's server. A base URL is the consistent part of the website address, such as https://learn.microsoft.com/.

  7. Enter the client ID used to authenticate the client or server to the APIs.

  8. Enter the secret key to encrypt the communication between the servers.

  9. Enter the tenant ID assigned to your Sentinel account. A tenant ID is a unique identifier for your tenant.

  10. Enter the subscription ID that identifies your Azure subscription. A subscription ID is a unique alphanumeric string.

  11. Enter the name of the Azure resource group. An Azure resource group is a logical container that groups multiple resources so that you can manage them as a single entity.

  12. Enter the name of the Azure workspace. An Azure workspace is a centralized place to work with all artifacts you create while using Azure Machine Learning.

  13. Select Verify SSL to verify and secure the connection between the CTIX and Azure Sentinel servers.

    If you disable this option, CTIX may configure an instance even when the server presents an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.

  14. Click Save.
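As an added example (not Cyware's or Microsoft's code), the following Python check models the fields entered in steps 5 to 13 and flags values that would produce a broken or weakly secured instance before it is saved, including the Verify SSL caveat above. The instance names, URLs, secret and GUIDs are constructed sample values; the GUID check relies on Azure tenant, subscription and client IDs being GUIDs.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Azure tenant, subscription and client IDs are GUIDs (hyphenated 8-4-4-4-12 hex).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

@dataclass
class SentinelInstance:
    """The fields entered in steps 5 to 13 of the configuration procedure."""
    name: str
    base_url: str
    client_id: str
    secret_key: str
    tenant_id: str
    subscription_id: str
    resource_group: str
    workspace: str
    verify_ssl: bool = True

def validate_instance(cfg: SentinelInstance) -> list:
    """Return findings for an instance config; an empty list means it is safe to save."""
    findings = []
    parsed = urlparse(cfg.base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append("base_url must be an https:// URL with a host")
    for field in ("client_id", "tenant_id", "subscription_id"):
        if not GUID_RE.match(getattr(cfg, field)):
            findings.append(f"{field} is not a GUID")
    if not cfg.secret_key:
        findings.append("secret_key is empty")
    for field in ("name", "resource_group", "workspace"):
        if not getattr(cfg, field).strip():
            findings.append(f"{field} is empty")
    if not cfg.verify_ssl:
        # Disabling Verify SSL lets the instance be saved against an expired or
        # invalid certificate, and CTIX then cannot flag the broken connection.
        findings.append("verify_ssl is disabled; expired or invalid certificates are accepted")
    return findings

# Constructed sample values (not real identifiers): a weak config and its corrected form.
TENANT, SUB, CLIENT = ("00000000-0000-0000-0000-000000000001",
                       "00000000-0000-0000-0000-000000000002",
                       "00000000-0000-0000-0000-000000000003")
WEAK = SentinelInstance("Prod-Azure", "http://sentinel.example/", "not-a-guid", "",
                        TENANT, SUB, "rg-security", "la-security", verify_ssl=False)
FIXED = SentinelInstance("Prod-Azure", "https://sentinel.example/", CLIENT, "placeholder-secret",
                         TENANT, SUB, "rg-security", "la-security", verify_ssl=True)
```

Running validate_instance on WEAK reports the plain-http base URL, the malformed client ID, the empty secret and the disabled Verify SSL option, while FIXED returns no findings.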

Enable the Update Indicator Action

After configuring the application, enable the action to update indicators on the Azure Sentinel platform.

Steps

  1. Navigate to Administration, select Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Information and Event Management System and select Microsoft Sentinel.

  3. Click the ellipsis in the top right corner and select Manage.

  4. Click Manage Actions and select the Update Indicator action.

  5. Enable the instance toggle switch and click Save.

Create a Rule to Update Indicators

Create a rule in CTIX to automatically update the threat indicators on the Azure Sentinel platform. You can create, update, and delete indicators on the Azure Sentinel platform using CTIX rules.

Before you Start

  • You must have the create, view, and update rules permissions.

Steps

  1. Navigate to Main Menu and select Rules under Actions.

  2. Click New Rule and enter a unique name to identify the rule.

  3. Select the sources and collections to poll data for the rule. You can select multiple sources and collections.

  4. Define a condition to filter the data to which the rule applies.

  5. Define the action as follows:

    1. Select Update Indicator as the action.

    2. Select Microsoft Sentinel as the application to implement the rule.

    3. Select an account to identify the instance on which to run the rule.

    4. Select an operation to perform on the indicators in the Azure Sentinel platform. You can create, update, and delete indicators.

  6. Click Save.