Microsoft Sentinel Series : Connect Your Free TAXII Pulsedive and Microsoft TI
Back to my blog! In this post I will share an easy, step-by-step, free setup of the Microsoft Defender Threat Intelligence (MDTI) connector and the TAXII 2.1 connector for Pulsedive in Microsoft Sentinel SIEM.
Microsoft Defender Threat Intelligence (MDTI) provides a set of indicators from the https://ti.defender.microsoft.com portal at no additional cost. A TAXII feed is a stream of cyber threat intelligence data shared through the TAXII protocol, using the STIX format to encapsulate detailed indicators of compromise (IoCs) such as malicious IP addresses, URLs, file hashes, and malware signatures.
By integrating these IoCs into their security systems, organizations can detect and mitigate attacks more effectively, reducing the risk of damage caused by these malicious entities.
Requirements:
- Have a Pulsedive account
- Have Microsoft Sentinel enabled on your subscription
Step by step:
1. From Microsoft Sentinel, go to Content Hub.
2. Install the connector “Microsoft Defender Threat Intelligence”.
3. Then go to Microsoft Sentinel > Connectors > “Microsoft Defender Threat Intelligence”.
4. Click Connect and wait a few minutes; a successful connection is indicated in green.
5. Indicators then appear in the ThreatIntelligenceIndicator table.
6. Register at https://pulsedive.com/register
7. Fill out the registration form and check your confirmation email.
8. Log in and go to the API tab > STIX/TAXII 2.1.
9. Search for or scroll to “Pulsedive test data”. Save the Collection ID and the key.
10. Go back to Microsoft Sentinel and install the TAXII connector from Content Hub.
11. Then, on the right side, click Open connector page.
12. Fill in the form like the example below:
- Friendly name (for server): Pulsedive
- API root URL: https://pulsedive.com/taxii2/api/
- Collection ID: [PASTE THE COLLECTION ID]
- Username: taxii2
- Password: [PASTE THE KEY]
- Import indicators: All available (review all available options)
- Polling frequency: Once a day
13. The TAXII connector is now connected; wait a few hours or a day for indicators to arrive.
14. Results:
Query, filtered by source:
ThreatIntelligenceIndicator
| where SourceSystem has "Pulsedive"
//or you can change to "Microsoft Defender Threat Intelligence"
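Before pasting the Collection ID and key into the connector form, it is worth confirming that the pair actually works against the TAXII 2.1 endpoint, since the Sentinel connector gives little feedback when authentication or the collection is wrong. The Python script below is an added example, not code from the original post or from Pulsedive; it uses the API root and the fixed username from the form above, takes the Collection ID and key as command-line arguments, and parses a constructed sample envelope so the parsing logic can be checked offline.

```python
import base64
import json
import sys
import urllib.request

# Values from the walkthrough above; the Collection ID and key are supplied on the command line.
API_ROOT = "https://pulsedive.com/taxii2/api/"
USERNAME = "taxii2"  # fixed TAXII username from the connector form; the key is the password
TAXII_MEDIA = "application/taxii+json;version=2.1"


def fetch_json(url, api_key):
    """GET a TAXII 2.1 resource with HTTP Basic auth and the TAXII media type."""
    token = base64.b64encode(f"{USERNAME}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": TAXII_MEDIA, "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_collection(collections_doc, collection_id):
    """Confirm the collection is visible and readable with this key. Returns (ok, reason)."""
    for col in collections_doc.get("collections", []):
        if col.get("id") == collection_id:
            return (True, "readable") if col.get("can_read") else (False, "collection not readable with this key")
    return (False, "collection ID not visible to this key")


def extract_indicators(envelope):
    """Return (pattern, valid_from) for each STIX indicator in a TAXII envelope; other object types are skipped."""
    return [(o["pattern"], o.get("valid_from")) for o in envelope.get("objects", [])
            if o.get("type") == "indicator" and "pattern" in o]


# Constructed sample documents in TAXII 2.1 / STIX 2.1 shape, not live Pulsedive data.
SAMPLE_COLLECTIONS = {"collections": [
    {"id": "example-collection-id", "title": "Pulsedive test data", "can_read": True, "can_write": False}]}
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "id": "indicator--1d2d3a4b-0000-4000-8000-000000000001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "identity", "id": "identity--1d2d3a4b-0000-4000-8000-000000000002", "name": "Pulsedive"},
]}

if __name__ == "__main__":
    collection_id, api_key = sys.argv[1], sys.argv[2]
    ok, reason = check_collection(fetch_json(API_ROOT + "collections/", api_key), collection_id)
    print("collection check:", reason)
    if ok:  # pull a small page of objects to confirm indicators are actually being served
        env = fetch_json(f"{API_ROOT}collections/{collection_id}/objects/?limit=5", api_key)
        for pattern, valid_from in extract_indicators(env):
            print(valid_from, pattern)
```

Run it as `python taxii_check.py <collection-id> <key>`; if the check reports the collection as not visible, the key or ID is wrong and the Sentinel connector will never populate ThreatIntelligenceIndicator.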
References :