Azure Sentinel — MineMeld. Bring Your Own Threat Intelligence feeds

How to correlate Threat Intelligence provided by external parties with internal information collected by a SIEM — Azure Sentinel

This article is the 3rd in my Microsoft security integrations series. It started with a post about Microsoft Intelligence Security Graph and the Security API, then I posted an article about Microsoft Defender ATP and MineMeld integration.

Now I’d like to share how to bring your threat intelligence feeds into Azure Sentinel.

The most important use case is enriching the data streamed into Azure Sentinel with the threat intelligence feeds you use across your organization. This lets you check and prioritize your alerts by correlating them with threat intelligence information that you own, manage and trust.

For example, if you get an alert involving a specific IP address, domain, URL or file, your threat intelligence provider will be able to tell you whether that IP address, domain or URL was found to be malicious and/or linked to a known threat campaign.

Azure Sentinel is Microsoft’s cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) that provides intelligent security analytics. It can easily collect data from all cloud and/or on-premises assets: Office 365, Azure resources, and other clouds. The core capabilities are:

Azure Sentinel comes with a number of connectors for Microsoft solutions. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or a REST API to connect your data sources to Azure Sentinel.

If you are interested in understanding built-in connector availability and configuration, the updated list and documentation is here.

I’d like to focus on the Threat Intelligence data connector, with particular reference to the Palo Alto Networks MineMeld integration.

Azure Sentinel main dashboard

MineMeld, by Palo Alto Networks, is an open source Threat Intelligence processing framework. MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.

MineMeld can be used to aggregate multiple threat intelligence feeds and push them to Microsoft Intelligence Security Graph. I will focus on leveraging the TI integration, with particular reference to Azure Sentinel. Injecting TI information into a SIEM is particularly useful as it opens up several possibilities for implementing new use cases. With threat intelligence integrated into the SIEM, organizations can gain better visibility into their threat landscape, providing the context needed for monitoring and determining the actions of bad actors.

In order to connect MineMeld to Azure Sentinel, the main steps are: register an Azure AD application, install the MineMeld ISG extension, configure the miners, configure the Azure Sentinel output node and, finally, enable the Threat Intelligence connector in Azure Sentinel.

1. Register an Azure AD application. The main configuration tasks are:

  • On portal.azure.com → Azure AD → App registrations, click on “New registration” and fill in all fields (notice that a redirect URL is required to proceed with the registration, but it is not used in this scenario)
Azure AD — register a new app
  • Once the Azure AD app “Azure Sentinel — MineMeld” has been created, take note of the Application ID and Tenant ID.
App Details
  • Inside the Azure AD app just created → API permissions → select “Microsoft Graph”, then “Application permissions”, and select “ThreatIndicators.ReadWrite.OwnedBy”
API Permission
Microsoft Graph API — Threat Indicators permissions
  • Click on “Grant Consent”. It is required to grant consent for the requested permissions.
Grant consent on behalf of app user
  • Create a new client secret in “Certificates & secrets”
Secret generation

2. Install the MineMeld ISG (Intelligence Security Graph) extension

Install extension from GIT
  • Enable the extension and restart MineMeld services

3. Configure Miners to aggregate Threat Indicators (Italian CertPA in my example)

  • In MineMeld “Config” → Add a node and search “itcert”
  • Notice the CERT_PA miner nodes
MineMeld nodes

4. Configure the Azure Sentinel extension

  • In MineMeld “Config” → “Prototypes” → “Browse prototypes”, search “Microsoft_isg.Output” and click “Clone”
Node for Microsoft ASG API
  • Define the node’s name.
Add Azure Sentinel output node
  • On MineMeld → CONFIG → select the Azure Sentinel output node, click on “Input” and select your aggregator nodes
Configuring Azure Sentinel input nodes
  • Click “Commit” and wait for the services to restart
  • Edit the Azure Sentinel node properties in “Nodes” → “Settings”, providing: CLIENT ID (Azure AD Application ID), CLIENT SECRET (the client secret created above), TENANT ID (Azure AD tenant identifier). Select Azure Sentinel as Target Product.
Node configuration

Now it’s time to enable the Threat Intelligence connector in Azure Sentinel. The prerequisite is a user holding the Global Administrator or Security Administrator Azure AD role.

  • In Azure Sentinel → Data Connectors click on “Threat Intelligence”
Data Connector — Threat Intelligence
  • Click on “Connect” to grant permission to your Threat Intelligence Provider. This connection enables you to incorporate indicators containing various types of observables, such as IP address, domain, URL and file hash, to search and create custom alert rules in Azure Sentinel.
Grant Permission to your threat intelligence provider

Now MineMeld will start to stream indicators to Azure Sentinel. You can use the TI indicators in dashboards, hunting queries and alert rules.

Using the Kusto query language you can now run some queries to verify that everything is working as expected. Indicators can be found in the “ThreatIntelligenceIndicator” table under “SecurityInsights”.

Run simple queries to get the latest pushed indicators:

Get latest 50 IoCs

ThreatIntelligenceIndicator
| limit 50

Simple Query #1
Simple query #1 — indicator detail

IoCs types distribution

ThreatIntelligenceIndicator
| summarize count() by Description
| sort by Description asc | render piechart

Indicators by Description — pie chart

IoCs types over time

ThreatIntelligenceIndicator
| summarize count() by TimeGenerated, Description
| sort by Description asc | render timechart

Indicators by Description over time
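The three queries above show that indicators are arriving, but they do not tell you whether they are still valid or what kind of observable each one carries. The following query is an added example, not one from the original post: it groups the indicators of the last seven days by the MineMeld source and by observable type, counts how many are still active versus already expired, and reports how long ago the last indicator was received. The `IndicatorType` label and the 7-day window are this example's own choices; the column names are those of the ThreatIntelligenceIndicator table.

```kql
// Added example: ingestion health check for TI indicators (not the author's query).
// Works on the standard ThreatIntelligenceIndicator schema; "IndicatorType" is a
// label derived here, not a column of the table.
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(7d)                    // constructed look-back window
| extend IndicatorType = case(
    isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), "filehash",
    isnotempty(EmailSourceIpAddress) or isnotempty(EmailSenderAddress), "email",
    "other")
| summarize
    Indicators    = count(),
    ActiveValid   = countif(Active == true and ExpirationDateTime > now()),
    Expired       = countif(ExpirationDateTime <= now()),
    LastReceived  = max(TimeGenerated),
    AvgConfidence = avg(ConfidenceScore)
    by SourceSystem, IndicatorType
// Minutes since the last indicator from this source/type; a growing value
// means the MineMeld output node has stopped pushing.
| extend MinutesSinceLast = datetime_diff('minute', now(), LastReceived)
| sort by SourceSystem asc, IndicatorType asc
```

A row whose Expired count keeps rising while ActiveValid stays flat usually means the MineMeld node is no longer refreshing its indicators; a high MinutesSinceLast on every row points at the output node or the connector rather than at a single feed.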

Now you will be able to correlate TI provided by external parties with internal information collected by Azure Sentinel. From a defender’s point of view, you will see attacks in their context and you can proactively defend your organization against emerging threats.
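The correlation itself is the part the post leaves to the reader, so here is an added example of it (not a query from the original post or from MineMeld). It takes the active, unexpired IP indicators streamed by MineMeld and joins them with two internal sources: firewall and proxy events in CommonSecurityLog and Azure AD sign-ins in SigninLogs. It assumes those two tables are connected in your workspace; the look-back windows and the output columns are this example's own choices.

```kql
// Added example: match active IP indicators against internal events (not the author's query).
let ioc_lookBack = 14d;   // constructed: how far back to take indicators
let dt_lookBack  = 1h;    // constructed: how far back to take internal events
// Keep only indicators that are still valid, one row per IP (latest wins).
let ipIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(IndicatorIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorIP;
// Normalise both internal sources to one schema before joining.
// isfuzzy=true lets the query run even if one of the tables is absent.
let internalEvents = union isfuzzy=true
    (CommonSecurityLog
        | where TimeGenerated >= ago(dt_lookBack)
        | where isnotempty(SourceIP) or isnotempty(DestinationIP)
        | extend EventIP = iff(isnotempty(DestinationIP), DestinationIP, SourceIP)
        | project EventTime = TimeGenerated, EventIP, EventSource = "CommonSecurityLog",
                  EventDetail = strcat(DeviceVendor, " ", DeviceProduct, ": ", Activity)),
    (SigninLogs
        | where TimeGenerated >= ago(dt_lookBack)
        | where isnotempty(IPAddress)
        | project EventTime = TimeGenerated, EventIP = IPAddress, EventSource = "SigninLogs",
                  EventDetail = strcat(UserPrincipalName, " -> ", AppDisplayName)));
// innerunique: one indicator row per IP is enough to flag every matching event.
ipIndicators
| join kind=innerunique internalEvents on $left.IndicatorIP == $right.EventIP
| project EventTime, EventSource, EventIP, EventDetail,
          Description, ThreatType, ConfidenceScore, SourceSystem, IndicatorId, ExpirationDateTime
| sort by ConfidenceScore desc, EventTime desc
```

Run it first as a hunting query to check the match volume; once the noise level is acceptable, the same query can be saved as a scheduled analytics rule with a one-hour window so that each new event hitting a trusted indicator raises an incident that already carries the feed's Description, ThreatType and ConfidenceScore.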
