Outgoing feed - Microsoft Azure Sentinel Outgoing Feed#
Note
This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.
Specifications

| | |
|---|---|
| Transport type | Microsoft Azure Sentinel Outgoing Feed |
| Content type | Microsoft Azure Sentinel JSON model |
| Published data | See Map EclecticIQ Platform entities to Microsoft Azure Sentinel Indicators. |
Requirements#
- Your Microsoft Azure tenant ID.
- A Microsoft Azure user to set up the service application. Required to Grant admin consent for your tenant. This user should have one of these roles:
  - Global Administrator
  - Application Administrator
- A service application. This provides you with a client_id and client_secret for setting up the outgoing feed. See Set up service application on Azure.
- The Threat Intelligence Platform data connector enabled in Microsoft Sentinel. For more information, see the Microsoft documentation: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#enable-the-threat-intelligence-platforms-data-connector-in-microsoft-sentinel
Set up service application on Azure#
Before setting up an outgoing feed with the Microsoft Azure Sentinel Outgoing Feed transport type, you must:
1. Register a service application in Azure. The outgoing feed connects to your Azure Sentinel workspace using this service application.
2. Obtain the client_id and client_secret from your new service application. You need both to Configure the outgoing feed. Azure displays the secret value only once, when it is created, so record it at that point.
3. Assign the ThreatIndicators.ReadWrite.OwnedBy permission to your service application and grant admin consent for it. This is why the Azure user performing the setup needs one of the roles listed under Requirements.
4. (Optional) Assign a user or group to the service application.
These steps are documented in the official Microsoft Azure Sentinel documentation.
Once done, Configure the outgoing feed.
Configure the outgoing feed#
Create or edit an outgoing feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Microsoft Azure Sentinel Outgoing Feed from the drop-down menu.
Content type*
Select Microsoft Azure Sentinel JSON model from the drop-down menu.
Datasets*
Select one or more existing datasets from the drop-down menu. The menu only displays datasets that contain observables supported by the Transport type you’ve selected.
See Supported observable types for more information.
Update strategy*
Select an update strategy.
See Update strategies for Microsoft Azure Sentinel for more information.
Supported update strategies:
DIFF
APPEND
REPLACE
API URL*
https://graph.microsoft.com/beta/
Client ID*
Enter the
client_id
for your service application.See Set up service application on Azure for more information.
Client Secret*
Enter the
client_secret
for your service application.See Set up service application on Azure for more information.
Tenant ID*
Enter the ID of the Azure tenant that hosts your Azure Sentinel workspace.
Store your changes by selecting Save.
Map EclecticIQ Platform entities to Microsoft Azure Sentinel Indicators#
When the outgoing feed runs, it looks through the selected dataset(s) and collects entities that have one or more of the selected observable types attached to them. These entities are translated into tiIndicator objects that are sent to the target Azure Sentinel instance.
A tiIndicator object can represent only one observable, so an entity with more than one attached observable produces one indicator per observable found in the dataset(s).
The following table describes how data from EclecticIQ Platform is translated into a format that the Azure Sentinel instance can ingest:
| Field name | JSON field | From EclecticIQ JSON | Description | Example |
|---|---|---|---|---|
| Action | action | N/A | Default for tiIndicator object. | |
| Target Product | targetProduct | N/A | Default for tiIndicator object. | |
| External ID | externalId | | ID of EclecticIQ entity. | |
| Description | description | | Indicator description containing title of packaged EclecticIQ entity. | |
| TLP Level | tlpLevel | See TLP mapping table. | – | |
| Confidence | confidence | See confidence mapping table. | – | |
| Severity | severity | See maliciousness mapping table. | – | |
| Threat Type | threatType | See indicator type mapping table. | – | |
| Expiration | expirationDateTime | | Date and time when entity or observable half-life expires. | |
| Last Reported | lastReportedDateTime | | Date and time indicator was observed. | |
| Tags | tags | | See Tag mapping table. | |
| Kill Chain | killChain | | Derive kill chain phase name from tags; see also Tag mapping table. | Reconnaissance |
| File Hash Type | fileHashType | See File hash type table. | If indicator has a file hash, get type of file hash here. | |
| Network Source ASN | networkSourceAsn | | If indicator has an ASN, set ASN value here. | |
| Domain Name | domainName | | If indicator has a domain, set domain name here. | |
| Email Sender Address | emailSenderAddress | | If indicator has an email address, set email address here. | |
| Email Source Domain | emailSourceDomain | Extract domain from the email address. | If indicator has an email address, derive domain from email address. | |
| Email Subject | emailSubject | | If indicator has an email subject, set email subject. | |
| File Name | fileName | | If indicator has a file, set file name here. | |
| File Hash Value | fileHashValue | | If indicator has a file hash type, set value of file hash here. | |
| Network IPv4 | networkIPv4 | | If indicator has an IPv4 address, set value of IPv4 address here. | |
| Network IPv6 | networkIPv6 | | If indicator has an IPv6 address, set value of IPv6 address here. | |
| File Mutex Name | fileMutexName | | If indicator has a named mutex, set name of mutex here. | |
| Network Port | networkPort | | If indicator has a port, set value of port here. | |
| URL | url | | If indicator has a URL or URI, set value of URL/URI here. | |
| Is Active | isActive | N/A | Default for tiIndicator object. | |
Example outgoing feed JSON submission#
Where:
- EIQ_ENTITY_ID is an EclecticIQ Platform entity identifier in the format {<EclecticIQ_Platform_URL>}<entity_type>-<uuid>. For example: {https://tip.example.com}indicator-14975dea-86cd-4211-a5f8-9c2e4daab69a
- EIQ_OBSERVABLE_ID is an EclecticIQ Platform observable identifier in the format <observable_type>:<observable_value>. For example: email:user@example.com

```json
{
  "$EIQ_ENTITY_ID": {
    "$EIQ_OBSERVABLE_ID": {
      "action": "value",
      "targetProduct": "value",
      "externalId": "value",
      "description": "value",
      "tlpLevel": "value",
      "confidence": 0,
      "severity": 0,
      "threatType": "value",
      "expirationDateTime": "value",
      "lastReportedDateTime": "value",
      "tags": ["tag name", "tag name 2"],
      "killChain": ["tag name", "tag name 2"],
      "fileHashType": "value",
      "networkSourceAsn": "value",
      "domainName": "value",
      "emailSenderAddress": "value",
      "emailSourceDomain": "value",
      "emailSubject": "value",
      "fileName": "value",
      "fileHashValue": "value",
      "networkIPv4": "value",
      "networkIPv6": "value",
      "fileMutexName": "value",
      "networkPort": "value",
      "url": "value",
      "isActive": true
    }
  }
}
```
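The translation described above, as an added runnable example (illustrative code, not EclecticIQ's implementation): it builds one tiIndicator per observable attached to a constructed entity and keys the result by EIQ_ENTITY_ID and EIQ_OBSERVABLE_ID exactly as in the submission format. The platform URL, the shape of the entity and observable input, the default action and targetProduct values, and the tag-to-kill-chain mapping beyond the Reconnaissance example are assumptions.

```python
"""Added example, not EclecticIQ's code: build Microsoft Sentinel tiIndicator
objects from an EclecticIQ entity and its observables, one indicator per
observable, following the field mapping on this page. The input shape, the
platform URL and the default action/targetProduct values are assumptions."""

PLATFORM_URL = "https://tip.example.com"  # assumed; taken from the page's example ID

# Observable types whose value lands in exactly one tiIndicator field.
SIMPLE_FIELDS = {
    "domain": "domainName",
    "ipv4": "networkIPv4",
    "ipv6": "networkIPv6",
    "uri": "url",
    "port": "networkPort",
    "asn": "networkSourceAsn",
    "mutex": "fileMutexName",
    "file": "fileName",
    "email-subject": "emailSubject",
}
HASH_TYPES = ("md5", "sha1", "sha256")
# Kill-chain phase derived from tags. Only this pair is shown on the page;
# any other tag names would need entries here (assumption).
KILL_CHAIN_FROM_TAG = {"Reconnaissance Artifacts": "Reconnaissance"}
CONFIDENCE = {"High": 100}  # only the High -> 100 translation is documented here


def eiq_entity_id(entity):
    """EIQ_ENTITY_ID: {<EclecticIQ_Platform_URL>}<entity_type>-<uuid>."""
    return f"{{{PLATFORM_URL}}}{entity['type']}-{entity['uuid']}"


def eiq_observable_id(obs):
    """EIQ_OBSERVABLE_ID: <observable_type>:<observable_value>."""
    return f"{obs['type']}:{obs['value']}"


def observable_fields(obs):
    """Return the tiIndicator field(s) that carry this observable's value."""
    kind, value = obs["type"], obs["value"]
    if kind in HASH_TYPES:
        return {"fileHashType": kind, "fileHashValue": value}
    if kind == "email":
        # emailSourceDomain is not a separate observable; derive it from the address.
        return {"emailSenderAddress": value, "emailSourceDomain": value.rpartition("@")[2]}
    if kind in SIMPLE_FIELDS:
        return {SIMPLE_FIELDS[kind]: value}
    raise ValueError(f"observable type not supported by this feed: {kind}")


def build_submission(entity, observables):
    """Return {EIQ_ENTITY_ID: {EIQ_OBSERVABLE_ID: tiIndicator, ...}}.

    A tiIndicator represents a single observable, so an entity with N
    supported observables yields N indicators sharing the entity-level fields.
    tlpLevel, severity and threatType are left out: their Sentinel values come
    from the mapping tables and are not needed to show the structure."""
    tags = list(entity.get("tags", []))
    shared = {
        "action": "alert",                  # assumed default
        "targetProduct": "Azure Sentinel",  # assumed default
        "externalId": eiq_entity_id(entity),
        "description": f"EclecticIQ entity: {entity['title']}",
        "confidence": CONFIDENCE.get(entity.get("confidence"), 0),
        "expirationDateTime": entity["expires_at"],
        "lastReportedDateTime": entity["last_seen"],
        "tags": tags,
        "killChain": [KILL_CHAIN_FROM_TAG[t] for t in tags if t in KILL_CHAIN_FROM_TAG],
        "isActive": True,
    }
    return {
        eiq_entity_id(entity): {
            eiq_observable_id(obs): {**shared, **observable_fields(obs)}
            for obs in observables
        }
    }


# Constructed sample input (not real intelligence).
SAMPLE_ENTITY = {
    "type": "indicator",
    "uuid": "14975dea-86cd-4211-a5f8-9c2e4daab69a",
    "title": "Phishing infrastructure",
    "confidence": "High",
    "expires_at": "2025-01-31T00:00:00Z",
    "last_seen": "2025-01-01T12:00:00Z",
    "tags": ["Reconnaissance Artifacts", "phishing"],
}
SAMPLE_OBSERVABLES = [
    {"type": "email", "value": "user@example.com"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "domain", "value": "example.com"},
    {"type": "ipv4", "value": "198.51.100.7"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_submission(SAMPLE_ENTITY, SAMPLE_OBSERVABLES), indent=2))
```

Running the block prints four indicators under one entity key; every indicator carries the same externalId, description, tags and killChain, and differs only in the observable-specific field(s). An observable type that the feed does not support raises rather than being silently dropped, which is the behaviour you want when validating a dataset before pointing a feed at it.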
Mapping tables#
Some field values in EclecticIQ Platform must be translated to match the values that Azure Sentinel expects when we submit an indicator using the outgoing feed.
For example, a confidence value of High in an EclecticIQ Platform entity is translated to 100 when the entity is submitted as a Microsoft Azure Sentinel indicator.
Map EclecticIQ entity TLP values to Azure Sentinel indicator TLP values#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “TLP Color” | “TLP Level” |
| JSON field | | tlpLevel |

| EclecticIQ TLP | Azure Sentinel indicator TLP |
|---|---|
| TLP White | |
| TLP Green | |
| TLP Amber | |
| TLP Red | |
Map EclecticIQ entity confidence values to Azure Sentinel indicator confidence values#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “Confidence” | “Confidence” |
| JSON field | | confidence |

| EclecticIQ confidence | Azure Sentinel indicator confidence |
|---|---|
| No set confidence level (default) | |
| Low confidence | |
| Medium confidence | |
| High confidence | 100 |
Map EclecticIQ observable maliciousness values to Azure Sentinel indicator maliciousness values#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “Maliciousness” | “Severity” |
| JSON field | | severity |

| Description | EclecticIQ maliciousness | Azure Sentinel indicator severity |
|---|---|---|
| Safe (default) | Safe | |
| Low maliciousness | Low | |
| Medium maliciousness | Medium | |
| High maliciousness | High | |
Map EclecticIQ indicator type values to Azure Sentinel indicator type values#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “Types” | “Threat Type” |
| JSON field | | threatType |

| EclecticIQ indicator types | Azure Sentinel indicator types |
|---|---|
| Malicious E-mail | |
| IP Watchlist | |
| File Hash Watchlist | |
| Domain Watchlist | |
| URL Watchlist | |
| Malware Artifacts | |
| C2 | |
| Anonymization | |
| Exfiltration | |
| Host Characteristics | |
| Compromised PKI Certificate | |
| Login Name | |
| IMEI Watchlist | |
| IMSI Watchlist | |
Map EclecticIQ observable type (hash) to Azure Sentinel indicator hash type#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “Type” | “File Hash Type” |
| JSON field | | fileHashType |

| EclecticIQ hash type | Azure Sentinel indicator hash type |
|---|---|
| MD5 hash | |
| SHA1 hash | |
| SHA256 hash | |
Map EclecticIQ tag name to Azure Sentinel indicator tag name#
| | EclecticIQ Platform field | Azure Sentinel field |
|---|---|---|
| Field name | “Tags” | “Tags” |
| JSON field | | tags |

| EclecticIQ indicator tag name | Azure Sentinel indicator tag name |
|---|---|
| Actions on Objectives | |
| Command and Control | |
| Delivery | |
| Exploitation | |
| Installation | |
| Reconnaissance Artifacts | |
| Weaponization | |
Supported observable types#
This outgoing feed supports the following observable types:
email
email-subject
sha1
sha256
md5
mutex
file
domain
ipv4
ipv6
uri
port
asn
Update strategies for Microsoft Azure Sentinel#
The update strategy you set for the outgoing feed determines how the extension updates indicators that originate from that outgoing feed on your Azure Sentinel instance.
Note
Each observable type in the dataset creates one indicator for Azure Sentinel.
If an observable is updated on EclecticIQ Platform, it is treated as a new indicator.
- REPLACE:
The REPLACE update strategy removes all indicators that have been previously sent by the outgoing feed. Then, it uploads all indicators, old and new, to the Azure Sentinel instance.
The feed does the following:
Gets all indicator IDs of entities with supported observables in the selected dataset(s).
Determines the indicator IDs that have been previously sent to the Azure Sentinel instance up to the last time the feed was run.
Deletes those indicators on the Azure Sentinel instance.
Updates the Azure Sentinel instance with all indicators from the dataset(s).
- APPEND:
The APPEND update strategy only updates the Azure Sentinel instance with indicators that have been added to the dataset(s) since the last time the feed was run.
It does not remove indicators from Azure Sentinel when entities or observables are removed from the selected dataset(s).
The feed does the following:
Determines the indicator IDs for entities and observables that have been added to the dataset(s) since the last time the feed was run.
Updates the Azure Sentinel instance with the new indicators.
- DIFF:
The DIFF update strategy determines the indicators that have been added to or removed from the dataset(s) since the last time the feed was run. Then, on the Azure Sentinel instance, the feed adds the new indicators and deletes the indicators that have been removed from the dataset(s).
The feed does the following:
Determines the indicator IDs for entities and observables that have been removed from the dataset(s) or have expired since the last time the feed was run.
Determines the indicator IDs of entities and observables that have been added to the dataset(s) since the last run.
Updates the Azure Sentinel instance with the new indicators.
Deletes indicators that have been removed from the dataset(s), or have expired.
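The three strategies above, as an added worked example (illustrative code, not EclecticIQ's implementation): given the indicator IDs sent on the previous run, the IDs now in the selected dataset(s) and the IDs that have expired, it returns what one run submits and deletes under REPLACE, APPEND and DIFF. The constructed IDs follow the EIQ_OBSERVABLE_ID format; how the real feed records its run history, and that only DIFF acts on expiry, are assumptions drawn from the descriptions above.

```python
"""Added example, not EclecticIQ's code: which indicator IDs each update
strategy submits to and deletes from Sentinel on one feed run. Inputs are
constructed sets of EIQ_OBSERVABLE_ID-style IDs; how the real feed stores its
run history is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    submit: frozenset  # indicator IDs to upload to Sentinel this run
    delete: frozenset  # indicator IDs to remove from Sentinel this run


def plan_update(strategy, previously_sent, current, expired=()):
    """Compute the Sentinel changes for one run.

    previously_sent: IDs the feed sent on earlier runs.
    current:         IDs of entities/observables now in the selected dataset(s).
    expired:         IDs whose entity or observable half-life has passed;
                     only DIFF acts on these, as the page describes (assumption).
    """
    previously_sent, current, expired = map(frozenset, (previously_sent, current, expired))
    if strategy == "REPLACE":
        # Delete everything sent before, then upload the whole dataset again.
        return Plan(submit=current, delete=previously_sent)
    if strategy == "APPEND":
        # Additions only; removals from the dataset are never propagated.
        return Plan(submit=current - previously_sent, delete=frozenset())
    if strategy == "DIFF":
        added = current - previously_sent - expired
        removed = (previously_sent - current) | (previously_sent & expired)
        return Plan(submit=added, delete=removed)
    raise ValueError(f"unknown update strategy: {strategy}")


# Constructed run history. One observable changed value (old ID gone, new ID
# present, which the feed treats as a new indicator), one expired, one added.
PREVIOUS_RUN = {"domain:old.example", "ipv4:198.51.100.7", "sha256:deadbeef"}
CURRENT_DATASET = {
    "domain:new.example",
    "ipv4:198.51.100.7",
    "sha256:deadbeef",
    "uri:http://evil.example/x",
}
EXPIRED = {"sha256:deadbeef"}

if __name__ == "__main__":
    for strategy in ("REPLACE", "APPEND", "DIFF"):
        plan = plan_update(strategy, PREVIOUS_RUN, CURRENT_DATASET, EXPIRED)
        print(strategy, "submit:", sorted(plan.submit), "delete:", sorted(plan.delete))
```

Two points the sample makes visible: under APPEND the stale domain:old.example indicator stays in Sentinel indefinitely, because APPEND never deletes, so datasets whose contents churn should use DIFF or REPLACE; and because an indicator ID is <observable_type>:<observable_value>, an edited observable shows up under DIFF as one deletion plus one submission rather than an in-place update, exactly as the note above says.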