Microsoft Sentinel Series : Connect Your Free TAXII Pulsedive and Microsoft TI

Jeffry Gunawan
3 min read · Mar 3, 2024


Back to my blog! This time I will share easy step-by-step instructions for connecting the free Microsoft Defender Threat Intelligence (MDTI) feed and the Pulsedive TAXII 2.1 feed to Microsoft Sentinel SIEM.

Microsoft Defender Threat Intelligence (MDTI) provides a set of indicators from the https://ti.defender.microsoft.com portal at no additional cost. A TAXII feed is a stream of cyber threat intelligence shared through the TAXII protocol; the feed uses the STIX format to encapsulate detailed indicators of compromise (IoCs) such as malicious IP addresses, URLs, file hashes, and malware signatures.

By importing these IoCs into their security systems, organizations can match them against their own logs, detect and mitigate attacks more effectively, and reduce the risk of damage caused by these malicious entities.

Requirements:

  • A Pulsedive account
  • An Azure subscription with Microsoft Sentinel enabled

Step by step:

  1. In Microsoft Sentinel, go to Content Hub.
  2. Install the "Microsoft Defender Threat Intelligence" connector.
  3. Go to Microsoft Sentinel > Data connectors > "Microsoft Defender Threat Intelligence".
  4. Click Connect and wait a few minutes; a successful connection is indicated in green.
Connected MDTI

5. The imported indicators show up in the ThreatIntelligenceIndicator table.

6. Register at https://pulsedive.com/register

7. Fill out the registration form and check your confirmation email.

Confirmation Email

8. Log in and go to the API tab > STIX/TAXII 2.1.

TAXII Tab

9. Search for or scroll to the Pulsedive test data collection. Save the Collection ID and the key.

10. Back in Microsoft Sentinel, install the TAXII connector from Content Hub.

11. On the right side, click Open connector page.

12. Fill in the form as in the example below:

  • Friendly name (for server): Pulsedive
  • API root URL: https://pulsedive.com/taxii2/api/
  • Collection ID: [PASTE THE COLLECTION ID]
  • Username: taxii2
  • Password: [PASTE THE KEY saved in step 9]
  • Import indicators: All available (review all available options)
  • Polling frequency: Once a day
Fill in the configuration

13. The TAXII feed is connected successfully. Indicators start appearing after a few hours, or up to a day.

Successfully connected

14. Results:

PulseDive TI TAXII Feed
Microsoft TI Feed

Query to filter indicators by source:

ThreatIntelligenceIndicator
| where SourceSystem has "Pulsedive"
// or change the term to "Microsoft Defender Threat Intelligence" to see the MDTI feed
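To make concrete what the TAXII connector is doing between the STIX objects mentioned above and the ThreatIntelligenceIndicator rows queried here, the following is an added example (not code from the post, from Pulsedive, or from Microsoft). It parses a constructed TAXII 2.1 objects envelope, flattens each STIX indicator pattern into the column names the Sentinel table exposes (NetworkIP, DomainName, Url, FileHashType/FileHashValue, SourceSystem, ExpirationDateTime, ConfidenceScore), tags every row with the connector's friendly name so the `SourceSystem has "Pulsedive"` filter works the same way, and drops indicators whose `valid_until` has passed. The envelope content, indicator IDs, and the exact column mapping are assumptions for illustration; only the column names come from the table the post queries.

```python
"""Flatten STIX 2.1 indicators from a TAXII 2.1 envelope into Sentinel-style rows.

Added example: the envelope below is constructed sample data, not a real
Pulsedive or MDTI response, and the column mapping is an assumption that
mirrors the ThreatIntelligenceIndicator table columns used in the post.
"""
import json
import re
from datetime import datetime, timezone

# One STIX comparison: <object-type>:<object-path> = '<value>'.
# Negated (!=), MATCHES and LIKE comparisons are deliberately not matched,
# because they do not name a single observable value to block on.
_COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'\-]+)\s*=\s*'([^']*)'")

# STIX observable type -> ThreatIntelligenceIndicator column (assumed mapping).
_TYPE_TO_COLUMN = {
    "ipv4-addr": "NetworkIP",
    "ipv6-addr": "NetworkIP",
    "domain-name": "DomainName",
    "url": "Url",
    "email-addr": "EmailSourceAddress",
}

# Constructed sample: the shape of a TAXII 2.1 GET .../objects/ response.
SAMPLE_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--sample-1",
         "name": "constructed: two scanning hosts", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '203.0.113.11']",
         "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2024-04-01T00:00:00Z",
         "confidence": 80},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--sample-2",
         "name": "constructed: phishing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login.example.invalid']",
         "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--sample-3",
         "name": "constructed: dropped file", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
         "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2025-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--sample-4",
         "name": "constructed: credential harvesting URL", "pattern_type": "stix",
         "pattern": "[url:value = 'http://login.example.invalid/verify']",
         "valid_from": "2024-03-01T00:00:00Z", "confidence": 50},
        # A non-indicator SDO and a non-STIX pattern, both skipped.
        {"type": "malware", "spec_version": "2.1", "id": "malware--sample-1",
         "name": "constructed malware family", "is_family": True},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--sample-5",
         "pattern_type": "snort", "pattern": "alert tcp any any -> any 80",
         "valid_from": "2024-03-01T00:00:00Z"},
    ]
})


def _parse_ts(value):
    """Parse an RFC 3339 timestamp as STIX writes it (trailing 'Z')."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stix_indicator_to_rows(obj, source_system):
    """Flatten one STIX indicator into zero or more rows, one per comparison
    in its pattern (a compound OR pattern therefore yields several rows)."""
    if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
        return []
    base = {
        "IndicatorId": obj["id"],
        "SourceSystem": source_system,          # connector friendly name
        "Description": obj.get("name", ""),
        "ConfidenceScore": obj.get("confidence"),  # STIX and Sentinel both use 0-100
        "ExpirationDateTime": _parse_ts(obj.get("valid_until")),
    }
    rows = []
    for obj_type, path, value in _COMPARISON.findall(obj.get("pattern", "")):
        row = dict(base)
        if obj_type == "file" and path.startswith("hashes."):
            row["FileHashType"] = path[len("hashes."):].strip("'")
            row["FileHashValue"] = value
        elif obj_type in _TYPE_TO_COLUMN:
            row[_TYPE_TO_COLUMN[obj_type]] = value
        else:
            continue  # observable type this example does not map
        rows.append(row)
    return rows


def parse_envelope(envelope_json, source_system):
    """Parse a TAXII 2.1 objects envelope ({"more": ..., "objects": [...]})."""
    envelope = json.loads(envelope_json)
    rows = []
    for obj in envelope.get("objects", []):
        rows.extend(stix_indicator_to_rows(obj, source_system))
    return rows


def filter_by_source(rows, term):
    """Rough equivalent of the KQL `SourceSystem has "<term>"` filter (case-insensitive)."""
    return [r for r in rows if term.lower() in r["SourceSystem"].lower()]


def active_rows(rows, now=None):
    """Keep only indicators that have not passed their valid_until."""
    now = now or datetime.now(timezone.utc)
    return [r for r in rows
            if r["ExpirationDateTime"] is None or r["ExpirationDateTime"] > now]


if __name__ == "__main__":
    rows = parse_envelope(SAMPLE_ENVELOPE, "Pulsedive")
    for r in filter_by_source(rows, "Pulsedive"):
        print(r)
```

The same flattening is why one TAXII indicator can become several rows in the table, and why expired entries still show up in a plain query: filter on ExpirationDateTime (or the Active column) in KQL the same way `active_rows` does here before using the feed for matching against your logs.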


Jeffry Gunawan

Cyber Security Consultant | CEH(P), CHFI, ECIH, CSA, CSCU, SC200,400,300,900