Cyware Threat Intelligence eXchange

Microsoft Sentinel

Connector Category: Security Information and Event Management (SIEM) Tool

About Integration

Microsoft Sentinel is an SIEM tool that helps security teams collect and analyze a large amount of data to identify emerging network threats. Microsoft Sentinel integration with CTIX helps security analysts collect, analyze, and store security incidents and events. The incidents triggered by Microsoft Sentinel are further enriched using CTIX. CTIX sends information, such as tags, threat types, descriptions, confidence scores, created and modified dates, valid from and valid until dates, and more to the Microsoft Sentinel platform.

Use Cases 

  • Collect high-confidence real-time threat indicators or Indicators of Compromise (IoCs) to detect potential threats to your organization.

  • Send threat data to Microsoft Sentinel to validate alerts and receive the necessary context to take appropriate actions on the malicious indicators.

Benefits 

  • Provide visibility into the entire IT environment to better aggregate and normalize the data for efficient comparison and detection of security breaches.

  • Automate the threat response task to ensure a high-fidelity exchange of data between the applications and have all the information to make any informed decisions.

The Microsoft Sentinel internal application in Intel Exchange supports the following actions:

| Action Name | Description |
| --- | --- |
| Update Indicator | This action updates indicators of the Microsoft Sentinel platform with the data retrieved from Intel Exchange. |

Configure Microsoft Sentinel in CTIX

Configure Microsoft Sentinel as an internal application in CTIX to update threat indicators on Microsoft Sentinel's platform.

Before you Start 

  • You must have the view and update tool integration permissions.

  • You must have the necessary authentication resources to configure Microsoft Sentinel.

Steps 

  1. Sign in to Intel Exchange.

  2. Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.

  3. In Security Information and Event Management System, select Microsoft Sentinel.

  4. Click Add Instance.

    • Enter a unique name to identify the instance, such as Prod-Azure.

    • Enter the base URL to directly connect to the application's server. A base URL is the consistent part of the website address, such as https://learn.microsoft.com/.

    • Enter the client ID to authenticate the client or server for APIs.

    • Enter the secret key to encrypt the communication between the servers.

    • Enter the tenant ID assigned to your Sentinel account. A tenant ID is a unique identifier that identifies your tenant.

    • Enter the subscription ID to identify your Azure subscription. Subscription ID is a unique alphanumeric string.

    • Enter the name of the Azure resource group. An Azure resource group is a logical container that can associate multiple resources that you can manage as a single entity.

    • Enter the name of the Azure workspace. An Azure workspace is a centralized place to work with all artifacts you create while using Azure Machine Learning.

    • Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Microsoft Sentinel servers. If you disable this option, CTIX may configure an instance even when the SSL certificate has expired. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.

  5. Click Save.

Enable the Update Indicator Action

After configuring the application, enable the action to update indicators on the Microsoft Sentinel platform.

Steps 

  1. Go to Administration, select Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Information and Event Management System and select Microsoft Sentinel.

  3. Click the vertical ellipsis and select Manage.

  4. Click Manage Actions and select the Update Indicators action.

  5. Turn on the toggle and click Save.

Create Rule to Manage Indicators

Create a rule in CTIX to automatically update the threat indicators on the Microsoft Sentinel platform. You can create, update, and delete indicators on the Microsoft Sentinel platform using CTIX rules.

Note

This action updates only indicators in Microsoft Sentinel. If you run a rule on a report that includes indicators and other object types, the action will be performed only on the indicators.

Before you Start 

  • You must have the create, view, and update rules permissions.

Steps 

  1. Go to Main Menu and select Rules under Actions.

  2. Click New Rule and enter a unique name to identify the rule.

  3. Select the sources and collections to poll data for the rule. You can select multiple sources and collections.

  4. Define a condition to filter the data to apply the rule.

  5. Choose the following to define an action:

    1. Action: Select Update Indicator as the action.

    2. Application: Select Microsoft Sentinel as the application to implement the rule.

    3. Account: Select an account to identify the instance to run the rule.

    4. TLP Version: Select the TLP version associated with the rule. If you choose TLP version 2.0, it may not be displayed correctly in Microsoft Sentinel.

    5. Indicator Operation: Select an operation to perform on the indicators in the Microsoft Sentinel platform. You can create, update, and delete indicators.

      • Create: Sends the following fields to Microsoft Sentinel when creating indicators: TLP, Description, Revoked, STIX ID, Valid Until, Tags, Threat Types, Confidence, Kill Chain Phases, Valid From, Created, Value, Name, Source, and Created By Refs.

        Note

        The description is only sent during the initial creation and is not updated later.

        The source always remains as CTIX.

      • Update: The following fields are updated: Valid Until, Confidence Score, Threat Types (indicator_type), Tags, and Revoked. You can specify whether to replace or append tags in the Value field.

        • Selecting Replace Tags will overwrite all existing tags in Microsoft Sentinel with the tags associated with the indicator.

        • Selecting Append Tags will add the tags associated with the indicator to the existing tags in Microsoft Sentinel without replacing them.

      • Delete: Removes the specified indicator from Microsoft Sentinel.

  6. Click Save.
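
The following Python model is an added example, not part of the CTIX product or its API. It reproduces the Create, Update, and Delete behavior documented above so you can predict what a rule does to an indicator already in Microsoft Sentinel, including the effect of Replace Tags on tags added on the Sentinel side. All dictionary keys, function names, and sample values are hypothetical, and raising an error when updating an unknown indicator is an assumption.

```python
from copy import deepcopy

# Field lists follow the Create and Update bullets above; the key names are hypothetical.
CREATE_FIELDS = ("tlp", "description", "revoked", "stix_id", "valid_until", "tags",
                 "threat_types", "confidence", "kill_chain_phases", "valid_from",
                 "created", "value", "name", "source", "created_by_refs")
UPDATE_FIELDS = ("valid_until", "confidence", "threat_types", "revoked")  # tags merged separately


def merge_tags(existing, incoming, mode):
    """Replace overwrites the Sentinel-side tags; Append keeps them and adds new ones."""
    if mode not in ("replace", "append"):
        raise ValueError(f"unknown tag mode: {mode}")
    base = [] if mode == "replace" else existing
    return list(dict.fromkeys([*base, *incoming]))  # de-duplicate, keep order


def apply_operation(store, indicator, operation, tag_mode="append"):
    """Return a copy of store (STIX ID -> record) after one Indicator Operation."""
    store, sid = deepcopy(store), indicator["stix_id"]
    if operation == "create":
        store[sid] = {f: deepcopy(indicator.get(f)) for f in CREATE_FIELDS}
        store[sid]["source"] = "CTIX"  # the source always remains CTIX
    elif operation == "update":
        record = store[sid]  # assumption: updating an unknown indicator raises KeyError
        for field in UPDATE_FIELDS:  # description is not in this list, so it never changes
            if field in indicator:
                record[field] = indicator[field]
        record["tags"] = merge_tags(record.get("tags") or [], indicator.get("tags", []), tag_mode)
    elif operation == "delete":
        store.pop(sid, None)
    else:
        raise ValueError(f"unknown operation: {operation}")
    return store


# Constructed sample data, not taken from any real feed.
SID = "indicator--00000000-0000-4000-8000-000000000001"
created = apply_operation({}, {"stix_id": SID, "value": "198.51.100.7", "confidence": 60,
                               "description": "initial", "tags": ["phishing"]}, "create")
created[SID]["tags"].append("soc-reviewed")  # tag added on the Sentinel side
change = {"stix_id": SID, "confidence": 90, "description": "edited", "revoked": True,
          "tags": ["phishing", "c2"]}
appended = apply_operation(created, change, "update", "append")
replaced = apply_operation(created, change, "update", "replace")

if __name__ == "__main__":
    print("append :", appended[SID]["tags"], appended[SID]["description"])
    print("replace:", replaced[SID]["tags"], replaced[SID]["description"])
```

In this model, Replace Tags drops the Sentinel-side `soc-reviewed` tag while Append Tags keeps it, and the edited description is ignored on update in both modes.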