Adding TAXII Threat Intel

To further enrich data in the Azure Sentinel workspace, we can ingest threat intel.

What is TAXII?

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS.

More information about TAXII is available here:
https://oasis-open.github.io/cti-documentation/taxii/intro

Enabling TAXII Connector in Azure Sentinel

Go to the Data connectors view and search for “TAXII”

Open the connector settings page to add TAXII servers (you can add multiple servers)

In this demo we are using free TAXII feeds from Anomali (https://www.anomali.com/resources/limo)

When the TAXII server is configured, click “Next steps”

In this step we will get recommended workbooks, sample queries and analytic rules we can use to monitor and alert on the data we ingest from the TAXII server.

The provided sample queries give us access to the ingested data. This one lists only the indicators that came from the TAXII feeds, excluding those delivered by the Security Graph and Sentinel’s own sources:

ThreatIntelligenceIndicator | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel"

From the connector configuration, we can also see the related analytics rule templates
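The analytics rule templates work by matching the indicators against log data. The following KQL is an added example of that pattern, not a query from this post or from Microsoft’s templates; it assumes firewall or proxy logs are also being ingested into the CommonSecurityLog table.

```kql
// Added example: match TAXII-sourced IP indicators against CommonSecurityLog.
// Assumption: a CEF/Syslog source is ingested so CommonSecurityLog is populated.
let lookback = 1d;        // how far back to search the log table
let ioc_lookback = 14d;   // how far back to load indicators
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    // Same filter as the connector's sample query: TAXII-fed indicators only
    | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel"
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    // Indicators are re-ingested on each sync; keep only the latest record per IndicatorId
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // Drop indicators that the feed has revoked or that have expired
    | where Active == true and ExpirationDateTime > now()
    | extend TI_ip = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | project TimeGenerated, IndicatorId, TI_ip, SourceSystem, Description, ThreatType, ConfidenceScore;
ti_ips
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(DestinationIP)
    | project CSL_TimeGenerated = TimeGenerated, DeviceVendor, DeviceProduct, Activity, SourceIP, DestinationIP
) on $left.TI_ip == $right.DestinationIP
| project CSL_TimeGenerated, SourceIP, DestinationIP, DeviceVendor, DeviceProduct, Activity,
          IndicatorId, SourceSystem, ThreatType, ConfidenceScore, Description
| order by CSL_TimeGenerated desc
```

Saving a query like this as a scheduled analytics rule turns the TAXII feed into alerts; tuning ConfidenceScore and the lookback windows controls the noise level.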

For further information, please visit:
https://docs.microsoft.com/en-us/azure/sentinel/import-threat-intelligence

Happy Hunting!
