Azure Sentinel — MineMeld. Bring Your Own Threat Intelligence feeds

Antonio Formato

May 13, 2019·7 min read

How to correlate Threat Intelligence provided by external parties with internal information collected by a SIEM — Azure Sentinel

This article is the 3rd in my Microsoft security integrations serie. It started with a post about Microsoft Intelligence Security Graph and Security API, then I posted an article about Microsoft Defender ATP and MineMeld integration.

Now I’d like to share how to bring your threat intelligence feeds into Azure Sentinel.

The most important use case is about enriching your streamed data into Azure Sentinel with the threat intelligence feeds that you use across your organization. This lets you check and prioritize your alerts, correlating them with threat intelligence information that you own, manage and trust.

For example, if you get an alert from a specific IP address, domain, url or file, your threat intelligence provider will be able to let you know if that IP address, domain or url was found to be malicious and/or linked to a known threat campain.

Azure Sentinel is Microsoft’s cloud-native SIEM — Security Information Event Management — and SOAR — Security Orchestration Automated Response — that provides intelligent security analytics. It can easily collects data from all cloud and/or on-premises assets: Office 365, Azure resources, and other clouds. The core capabilities are:

1. Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
2. Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and threat intelligence.
3. Investigate threats with artificial intelligence, and hunt for suspicious activities at scale.
4. Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Azure Sentinel comes with a number of connectors for Microsoft solutions. In addition, there are built-in connectors to the broader security ecosystem for not-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel as well.

If you are interested in understanding built-in connector availability and configuration, the updated list and documentation is here.

I’d like to focus on Threat Intelligence data connector, with particular reference to Palo Alto Networks MineMeld integration.

MineMeld, by Palo Alto Networks, is an open source Threat Intelligence processing framework. MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.

MineMeld can be used to aggregate multiple threat intelligence feeds and push them to Microsoft Intelligence Security Graph. I will focus on leveraging TI integration, with particular reference to Azure Sentinel. Injecting TI information into a SIEM is particularry useful as it opens up several possibilities in terms of new use cases implementation. By using Threat Intelligence integrated into SIEM tool, organizations can gain better visibility into their threat landscape, providing the needed context for monitoring and determining the actions of bad actors.

In order to connect MineMeld to Azure Sentinel, the main steps are:

1. Create custom Azure Active Directory application
2. Install MineMeld — ISG (Intelligence Security Graph)extension
3. Configure Miners to aggregate Threat Indicators (optional)
4. Configure Azure Sentinel extension

The main configuration tasks are:

1. Create custom Azure Active Directory application:

• On portal.azure.com → Azure AD → AppRegistration, click on “New registration” and fill all fieds (notice redirect url is required to proceed with registration, but it is not used in this scenario)

• Once Azure AD “Azure Sentinel — MineMeld” app has been created, take note of Application ID and Tenant ID.

• Inside Azure AD app just created → API Permission → Select “Microsoft Graph” and in Application Permission and select “ThreatIndicators.ReadWrite.OwnedBy”

• Click on “Grant Consent”. It’s required to grant consent for the requested permissions

• Create a new client secret in “Certificate” & Secrets”

2. Install MineMeld — ISG (Intelligence Security Graph)extension

• On MineMeld, “System” → “Extensions” enter GitHub repository (https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git), click “Retrieve”, select “Master” and click “Install”.

• Enable the extention and restart MineMeld services

3. Configure Miners to aggregate Threat Indicators (Italian CertPA in my example)

• In MineMeld “Config” → Add a node and search “itcert”

• Notice CERT_PA miner nodes

4. Configure Azure Sentinel extension

• In MineMeld “Config” → “Prototypes” → “Browse prototypes” and search “Microsoft_isg.Output”, click “Clone”

• Define node’s name.

• On Minemeld → CONFIG → select Azure Sentinel output node, click on “Input” and select your aggregator nodes

• Click “Commit” and wait for services restart
• Edit Azure Sentinel node properties in “Nodes” → “Settings” providing: CLIENT ID (Azure AD Application ID), CLIENT SECRET: (Client Secret), TENANT ID (Azure AD Identifier). Select Azure Sentinel in Target Product.

Now it’s time to enable Threat Intelligence connector in Azure Sentinel. The prerequisite is using Global administrator or Security Administrator Azure AD Role User.

• In Azure Sentinel → Data Connector click on “Threat Intelligence”

• Click on “Connect” to grant permission to your Threat Intelligence Provider. This connection enables you to incorporate indicators containing various types of observables such as IP address, domain, URL and file hash to search and create custom alerts rules in Azure Sentinel.

Now MineMeld will start to stream Indicators to Azure Sentinel. You can inputi TI indicators for use in Dashboards, hunting and alert rules

Using Kusto query language you can now run some queries to verify everything is working as expected. Indicators can be found on “ThreatIntelligenceIndicator” table under “SecurityInsight”.

Run simple queries to get latest pushed indicators:

Get latest 50 IoCs

ThreatIntelligenceIndicator

| limit 50

IoCs types distibution

ThreatIntelligenceIndicator

| summarize count() by Description

| sort by Description asc | render piechart

IoCs types over time

ThreatIntelligenceIndicator

| summarize count() by TimeGenerated, Description

| sort by Description asc | render timechart

Now you will be able to correlate TI provided by external parties with internal information collected by Azure Sentinel. From a defender point of view, you will have a better vision of attacks in their context and you can proactively defend your organization against emerging threats.

In next articles I’ll write something about Threat Intelligence use cases in Azure Sentinel and security automation processes. Stay tuned :)

References:

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer.