Adding TAXII Threat Intel

To further enrich data in the Azure Sentinel workspace, we can ingest threat intel.

What is TAXII?

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging cyber threat intelligence (CTI) over HTTPS.

More information about TAXII is available here:
https://oasis-open.github.io/cti-documentation/taxii/intro
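
To show what a TAXII server hands over, here is an added example (not from the original post, and not the Sentinel connector's own logic) that parses a constructed TAXII 2.x response body of STIX objects and separates indicators that are still live from revoked, expired or compound-pattern ones. The sample data, the function names and the choice to skip compound patterns are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of a TAXII 2.x response body carrying STIX objects.
# Every id and value is invented (ids shortened); addresses use documentation ranges.
SAMPLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--0001", "valid_from": "2021-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--0002", "valid_from": "2021-01-01T00:00:00Z",
     "valid_until": "2021-02-01T00:00:00Z", "pattern": "[domain-name:value = 'old.example']"},
    {"type": "indicator", "id": "indicator--0003", "valid_from": "2021-01-01T00:00:00Z",
     "revoked": True, "pattern": "[url:value = 'http://revoked.example/a']"},
    {"type": "indicator", "id": "indicator--0004", "valid_from": "2021-01-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "id": "indicator--0005", "valid_from": "2021-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.1' AND domain-name:value = 'x.example']"},
    {"type": "identity", "id": "identity--0001", "name": "Constructed feed"},
]})

# Matches only a single-comparison STIX pattern: [type:path = 'value']
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):(\S+?)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")

def parse_ts(value):
    """Parse a STIX timestamp (UTC, trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def usable_indicators(body, now):
    """Return (kept, skipped): kept holds (id, object type, value) for indicators
    live at `now`; skipped holds (id, reason) for the other indicators."""
    kept, skipped = [], []
    for obj in json.loads(body).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, reports etc. are not indicators
        if obj.get("revoked"):
            skipped.append((obj["id"], "revoked"))
        elif "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            skipped.append((obj["id"], "expired"))
        elif not (m := SIMPLE.match(obj.get("pattern", ""))):
            skipped.append((obj["id"], "compound-or-unparsed pattern"))
        else:
            kept.append((obj["id"], m.group(1), m.group(3)))
    return kept, skipped

if __name__ == "__main__":
    kept, skipped = usable_indicators(SAMPLE, datetime.now(timezone.utc))
    print("kept:", kept)
    print("skipped:", skipped)
```

Running a check like this against a feed before adding it to the workspace shows how much of it is stale or in a form simple matching rules will not use.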

Enabling TAXII Connector in Azure Sentinel

Go to the connectors view and search for “TAXII”.

Open the connector settings page to add TAXII servers (you can add multiple servers).

In this demo we are using free TAXII feeds from Anomali (https://www.anomali.com/resources/limo)

When the TAXII server is configured, click “Next steps”.

In this step we get recommended workbooks, sample queries and analytics rules that we can use to monitor and alert on the data we ingest from the TAXII server.

The provided sample queries give us access to the data:

ThreatIntelligenceIndicator | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel" 

From the connector configuration, we can also see the related analytics rule templates.

For further information, please visit:
https://docs.microsoft.com/en-us/azure/sentinel/import-threat-intelligence

Happy Hunting!