
MS Sentinel - TAXII Connector?

Open BillClarksonAntill opened this issue 3 years ago • 11 comments

Hi All

Just wondering if you have any documentation around a TAXII connector for OpenCTI and integration against MS Sentinel.

For the life of me I can't find any documentation in the documentation portal.

Regards Bill

BillClarksonAntill avatar May 24 '22 04:05 BillClarksonAntill

As far as I know OpenCTI TAXII uses JWT tokens for authentication, whereas Sentinel requires username/password or no credentials, so it won't work, but I'd like to be wrong on this :)

000242xyz avatar May 27 '22 07:05 000242xyz

Would be nice, I don't want to build a MISP server just to use OpenCTI.

BillClarksonAntill avatar May 27 '22 07:05 BillClarksonAntill

Could use the CSV feeds in OpenCTI and the `externaldata` operator in your analytics rules, a bit messy though.

000242xyz avatar May 27 '22 08:05 000242xyz

Yea that would be a little bit ugh...

There are 2 ways to integrate into Sentinel:

TAXII connector from the platform to Sentinel with URL, username and password.

The other way is using either a script or a direct integration that authenticates with an app registration with Security Graph API permissions.

I'm surprised a script or platform integration hasn't been written for the community for this, especially for Azure and Sentinel.

One other thing I was going to ask: I know OpenCTI and MISP have a connector.

Does OpenCTI have the ability to handle multiple MISP connectors if I had more than one MISP server?

BillClarksonAntill avatar May 27 '22 08:05 BillClarksonAntill

Hello @Xebus-Systems,

We are working on a Sentinel connector now. And to answer your question, yes you can spawn as many MISP connectors as needed if you have multiple MISP instances to consume.

Kind regards, Sam

SamuelHassine avatar May 27 '22 16:05 SamuelHassine

Hi @Xebus-Systems @SamuelHassine,

I got this working over Sentinel > Data connectors > Threat intelligence - TAXII.

It's not perfect, I still can't see IoCs in the Threat Intelligence blade in Sentinel, but at least the data can be queried in the Log Analytics table. The requirement here is, when creating the TAXII collection in OCTI, to use the filter "Indicator type: STIX", as I got a note from MS developers that currently they support only this: "Sentinel only supports the 'indicator' type SDO (STIX Domain Object)."

@SamuelHassine Also I would like to know, what kind of work are you doing now for the Sentinel connector? Maybe I can help in this matter? In terms of integration over TAXII, I got an additional response from MS developers: "An unrelated note, there is a warning in our logs that the server is violating the spec by not providing the X-TAXII-Date-Added-First/X-TAXII-Date-Added-Last response headers which are required." Do you think it would make sense to create a feature request on your side to fix this?

githubroom avatar Jun 03 '22 10:06 githubroom

@SamuelHassine how far away is the sentinel connector from a ready state?

BillClarksonAntill avatar Jun 07 '22 03:06 BillClarksonAntill

> Hi @Xebus-Systems @SamuelHassine,
>
> I got this working over Sentinel > Data connectors > Threat intelligence - TAXII.
>
> It's not perfect, I still can't see IoCs in the Threat Intelligence blade in Sentinel, but at least the data can be queried in the Log Analytics table. The requirement here is, when creating the TAXII collection in OCTI, to use the filter "Indicator type: STIX", as I got a note from MS developers that currently they support only this: "Sentinel only supports the 'indicator' type SDO (STIX Domain Object)."
>
> @SamuelHassine Also I would like to know, what kind of work are you doing now for the Sentinel connector? Maybe I can help in this matter? In terms of integration over TAXII, I got an additional response from MS developers: "An unrelated note, there is a warning in our logs that the server is violating the spec by not providing the X-TAXII-Date-Added-First/X-TAXII-Date-Added-Last response headers which are required." Do you think it would make sense to create a feature request on your side to fix this?

Can you share an example? API root URL, Collection ID, Username, Password.

gyaansastra avatar Aug 08 '22 13:08 gyaansastra

Hi @gyaansastra, unfortunately that system has already been decommissioned (we ran through the PoC and saw it working somehow). If you have your system I can provide a small guide here for the configuration of both OCTI and Sentinel if you wish.

githubroom avatar Aug 12 '22 06:08 githubroom

> Hi @gyaansastra, unfortunately that system has already been decommissioned (we ran through the PoC and saw it working somehow). If you have your system I can provide a small guide here for the configuration of both OCTI and Sentinel if you wish.

Hi @githubroom, thank you for your reply. I have configured an OpenCTI POC, but I'm struggling to connect the default TAXII connector in Sentinel with the POC environment. Appreciate your help.

gyaansastra avatar Aug 12 '22 16:08 gyaansastra

Hi @gyaansastra, sorry for the late response. Here are my recommendations:

  • you must use HTTPS (by default OpenCTI installs without TLS support, so you have to enable it somehow or use some kind of gateway in front that provides that)
  • for authentication you must create a user in OpenCTI, and use the full username including domain and email ([email protected]); a password must be set for the user as well (I can see in my notes I had a role of TAXIIAccess set for this user, but can't remember if that was something built in, or if I created that)
  • the API root URL is https://ipaddress/taxii2/root
  • when you create the collection in OpenCTI, you must remember that Sentinel supports only 'indicator' as the type of STIX Domain Objects (so don't use something like 'ipv4-addr').

Hope this helps, if not try to reach out to me again. (I remember there was one bug on the MS side, that in the UI these indicators were not visible; you had to query them in LA directly with something like this: `ThreatIntelligenceIndicator | where SourceSystem == "name of your taxii connector" | order by TimeGenerated`)

githubroom avatar Sep 01 '22 17:09 githubroom
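The three points githubroom raises above (HTTPS-only API root, indicator-only collection contents, and the X-TAXII-Date-Added-First/Last headers the MS developers flagged as missing) can be checked before pointing Sentinel's TAXII connector at a collection. The script below is an added example, not OpenCTI or Microsoft code; the sample headers, objects and hostname are constructed.

```python
"""Pre-flight checks for a TAXII 2.1 collection that Sentinel's built-in
TAXII data connector will consume. Added example; all sample data below
is constructed, not captured from a real OpenCTI instance."""
from urllib.parse import urlparse

# Headers the TAXII 2.1 spec requires on an objects response; Sentinel
# logs a spec-violation warning when the server omits them.
REQUIRED_HEADERS = ("X-TAXII-Date-Added-First", "X-TAXII-Date-Added-Last")

def check_root_url(url):
    """Sentinel needs TLS; OpenCTI ships without TLS unless fronted by a proxy."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("API root URL must use https://")
    if not parsed.path.rstrip("/").endswith("/taxii2/root"):
        problems.append("API root URL should end in /taxii2/root")
    return problems

def check_objects_response(headers, body):
    """headers: dict of HTTP response headers; body: parsed TAXII envelope."""
    problems = []
    present = {name.lower() for name in headers}
    for header in REQUIRED_HEADERS:
        if header.lower() not in present:
            problems.append(f"missing required response header {header}")
    # Sentinel only ingests the 'indicator' SDO; anything else is dropped,
    # so an unfiltered collection silently loses data.
    for obj in body.get("objects", []):
        if obj.get("type") != "indicator":
            problems.append(f"non-indicator object {obj.get('id')} "
                            f"(type {obj.get('type')}) will be ignored by Sentinel")
    return problems

# Constructed sample: headers lack the required pair, and the collection
# mixes an indicator with a raw ipv4-addr observable.
SAMPLE_HEADERS = {"Content-Type": "application/taxii+json;version=2.1"}
SAMPLE_BODY = {
    "more": False,
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix"},
        {"type": "ipv4-addr", "id": "ipv4-addr--00000000-0000-4000-8000-000000000002",
         "value": "203.0.113.7"},
    ],
}

if __name__ == "__main__":
    for problem in (check_root_url("http://opencti.example.internal/taxii2/root")
                    + check_objects_response(SAMPLE_HEADERS, SAMPLE_BODY)):
        print("WARN:", problem)
```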

> Hello @Xebus-Systems,
>
> We are working on a Sentinel connector now. And to answer your question, yes you can spawn as many MISP connectors as needed if you have multiple MISP instances to consume.
>
> Kind regards, Sam

@SamuelHassine, when will the connector with Sentinel be available?

aquiros17 avatar Nov 04 '22 08:11 aquiros17

Also very interested in this

cybgit avatar Dec 29 '22 16:12 cybgit