One Article Review

Source: Anomali
ID: 5564426
Publication date: 2022-07-05 15:38:00 (seen: 2022-07-05 16:06:15)
Title: Increased Microsoft Sentinel benefits Using Anomali ThreatStream
Text
This blog was co-written by Richard Phillips, Product Manager at Anomali, and Rijuta Kapoor, Microsoft.

Microsoft Sentinel is a cloud-native SIEM that offers several ways to import threat intelligence data and use it for hunting, investigation, analytics and more. Some of the ways to import rich threat intelligence data into Microsoft Sentinel include the Threat Intelligence - TAXII data connector and the Threat Intelligence Platforms (TIP) connector. Microsoft Sentinel was one of the early adopters of STIX/TAXII as the preferred way to import threat intelligence data. The Microsoft Sentinel "Threat Intelligence - TAXII" connector uses the TAXII protocol to share data in STIX format and supports pulling data from TAXII 2.0 and 2.1 servers; it is essentially a built-in TAXII client in Microsoft Sentinel for importing threat intelligence from TAXII 2.x servers.

Anomali ThreatStream previously integrated with Microsoft Sentinel through the ThreatStream integrator, leveraging the Graph Security API and the TIP data connector of Microsoft Sentinel. Today we are announcing our integration with Anomali ThreatStream, which lets you bring threat intelligence data from Anomali ThreatStream into Microsoft Sentinel using the Threat Intelligence - TAXII Data Connector.

Microsoft Sentinel benefits with Anomali ThreatStream

Anomali ThreatStream is a threat intelligence management solution that lets you automate data collection from hundreds of threat sources, including commercial vendors, OSINT, ISACs and more, to operationalize threat intelligence at scale. Using Anomali Macula, our built-in proprietary machine learning engine, intelligence is aggregated, scored and categorized for real-time distribution to security controls across your entire security ecosystem.

Users can choose between configuring integrations to send only high-confidence, high-severity observables, observables associated with known threat actors or active malware campaigns, or observables matching a number of other Threat Models. Pushing these filtered, prioritized observables to Sentinel via TAXII lets you proactively correlate events within your network against high-fidelity intelligence to identify threats against your organization.

Connecting Microsoft Sentinel to the Anomali ThreatStream TAXII Server

To connect Microsoft Sentinel to Anomali ThreatStream's TAXII server, obtain the API Root, Collection ID, Username and Password from Anomali. ThreatStream lets you configure Saved Searches against your observable set, and these are automatically exposed as TAXII collections for consumption by TAXII clients. Once you have configured a saved search, navigate to the Manage Observable Searches page and note the ID of the desired search. You can then use the following details to configure the TAXII data connector:

API Root: https://api.threatstream.com/api/v1/taxii21/search_filters/
Collection ID:
Username & Password: the ThreatStream username and password of the user who configured the saved search.

For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation.

Put Anomali ThreatStream to use with Microsoft Sentinel

Once the threat intelligence from Anomali ThreatStream is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytic rules in Microsoft Sentinel. These c
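The connector described above is a TAXII 2.1 client with Basic auth that reads STIX objects from one collection. The following added example (written for this review, not Anomali or Microsoft code) builds that request and flattens a TAXII envelope of STIX indicators into rows with a confidence threshold, mirroring the "only high-confidence observables" filtering the post mentions; the collection URL layout under the API root and the sample envelope are assumptions, and nothing is sent over the network.

```python
import base64
import re
import urllib.request

# Assumed layout (an assumption, not taken from the Anomali or Microsoft docs):
# a collection's objects live at <api_root>collections/<collection_id>/objects/.
TAXII_ACCEPT = "application/taxii+json;version=2.1"


def objects_url(api_root, collection_id, added_after=None):
    """Build the TAXII 2.1 'get objects' URL for one collection."""
    url = api_root.rstrip("/") + "/collections/%s/objects/" % collection_id
    return url + ("?added_after=" + added_after if added_after else "")


def build_request(url, username, password):
    """HTTP Basic auth plus the TAXII 2.1 media type (request is built, not sent)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return urllib.request.Request(
        url, headers={"Accept": TAXII_ACCEPT, "Authorization": "Basic " + token})


# Matches simple single-comparison STIX patterns such as [ipv4-addr:value = '...'].
_PATTERN_RE = re.compile(r"\[([a-z0-9-]+:[a-z0-9_.]+)\s*=\s*'([^']*)'\]")


def indicators_from_envelope(envelope, min_confidence=0):
    """Flatten STIX indicators in a TAXII envelope into (type, value) rows,
    dropping anything below min_confidence; complex patterns are skipped."""
    rows = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("confidence", 0) < min_confidence:
            continue
        match = _PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if match:  # anything more complex needs a real STIX pattern parser
            rows.append({"id": obj["id"], "observable_type": match.group(1),
                         "value": match.group(2), "confidence": obj.get("confidence", 0),
                         "valid_from": obj.get("valid_from")})
    return rows


# Constructed sample envelope (not real Anomali output) so the code runs offline.
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "confidence": 90, "valid_from": "2022-07-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'bad.example']", "pattern_type": "stix",
     "confidence": 40, "valid_from": "2022-07-01T00:00:00Z"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003"}]}
```

Feeding the `added_after` parameter from the last successful poll is what keeps repeated pulls incremental instead of re-importing the whole collection.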
Tags: Malware, Threat


The article does not appear to have been republished after its publication.

The article does not appear to be a repost of an earlier one.