I have a soft spot for STIX and TAXII.

So much so, I curated an entire GitHub repo dedicated to great TAXII servers and clients our community uses.

Needless to say all of our products support data exchange via STIX 2.1 over TAXII 2.1.

I was, unsurprisingly, therefore stoked to hear Microsoft announce a STIX/TAXII 2.x data Connector for Azure Sentinel in August of this year (2021).

I’ll use Obstracts for this example, but this setup will work with Vulmatch and Stixify too (with links to the documentation):

  • Obstracts: Turn any blog into structured threat intelligence.
  • Stixify: Extract machine readable intelligence from unstructured data.
  • Vulmatch: Know when software you use is vulnerable, how it is being exploited, and how to detect an attack.

It’s not quite perfect yet. Unfortunately the Connector does not support Indicator objects with Sigma rule patterns, so it won’t work with SIEM Rules yet. At present, you can use the SIEM Rules API to translate your Sigma Rules into Sentinel queries and import them directly to Sentinel.

This tutorial assumes you are on one of our product plans that includes the TAXII API.

OK, enough talking. Let’s get started.

Here are the official Microsoft Azure Sentinel docs.

API Root URL

As documented, the API Root URL is needed first to set up the Connector.

Azure Sentinel TAXII Connector setup

It’s easy to construct the Root URL. You just need your Obstracts Group UUID, obtained on the Group Management page.

Obstract Group Management UUID

The Root URL = base endpoint + group uuid

An example Root URL = https://app.obstracts.com/taxii/taxii2/c2cf3bf2-6cf2-4f62-8647-dad3afd8ca69/

You can also query the base TAXII endpoint to grab the Root URL:

curl --location --request GET 'https://app.obstracts.com/taxii/taxii2/' \
--header 'Accept: application/taxii+json;version=2.1'

You’ll get a response that looks something like this:

{
    "title": "Obstracts TAXII 2.1 Server",
    "description": "For more information please see the documentation here https://docs.obstracts.com/",
    "contact": "https://www.obstracts.com/contact/",
    "default": "https://app.obstracts.com/taxii/taxii2/",
    "api_roots": [
        "https://app.obstracts.com/taxii/taxii2/c2cf3bf2-6cf2-4f62-8647-dad3afd8ca69/"
    ]
}

Collection ID

Now we need to choose the Collection ID.

In the case of Obstracts, a Collection ID is identical to the Feed UUID.

You can grab the Feed UUID / Collection ID from the Feed List page.

Obstract feed list page

Alternatively, you can query all available Collection IDs using the Get Collections endpoint:

curl --location --request GET 'https://app.obstracts.com/taxii/taxii2/c2cf3bf2-6cf2-4f62-8647-dad3afd8ca69/collections' \
--header 'Accept: application/taxii+json;version=2.1'

Which will give a response containing the Collection IDs needed:

{
  "collections": [
    {
      "id": "8cdeab9d-188e-42b8-a896-3836d50e4ee5",
      "title": "Checkpoint Research Blog",
      "description": "https://research.checkpoint.com",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    },
    {
      "id": "203c46bf-79e3-4449-b9c4-6a409f3451e6",
      "title": "FireEye Threat Research Blog",
      "description": "https://www.fireeye.com/blog/threat-research",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    }
  ]
}

Other settings

Now all you need to do is enter:

  • Friendly name (for server): shown against the intelligence ingested, but can be anything you like.
  • API root URL: the Root URL constructed above (base endpoint + Group UUID). You just need your Obstracts Group UUID, obtained on the Group Management page in the Obstracts web app.
  • Collection UUID: the Collection UUID is a Feed UUID in Obstracts and can be obtained from the Feed List page in the Obstracts web app.
  • Username: your Obstracts username
  • Password: your Obstracts API key
  • Import indicators: select “At most one month old” (or sooner). Important: we do not allow download of indicators older than one month.
  • Polling frequency: select “1 hour”.
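The three steps above (build the Root URL from the group UUID, pick a readable Collection ID, and only pull indicators from the last month) can be checked before you save the connector. The script below is an added example and is not Obstracts' or Microsoft's code. It embeds the discovery and collections responses shown earlier in this post as offline sample data; the function names (build_api_root, readable_collection_ids, validate_connector_settings, objects_url, taxii_get) are my own, HTTP Basic authentication with username and API key is an assumption (TAXII 2.1 requires servers to support Basic auth, but the post does not say which scheme Obstracts uses), and the added_after filter is the standard TAXII 2.1 query parameter for "objects added after this time"; whether the Sentinel connector implements "At most one month old" with exactly that parameter is not stated in the post.

```python
"""Added example: validate Azure Sentinel TAXII connector inputs against an
Obstracts-style TAXII 2.1 server. Not the project's own code."""
import base64
import json
import uuid
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
BASE_ENDPOINT = "https://app.obstracts.com/taxii/taxii2/"
GROUP_UUID = "c2cf3bf2-6cf2-4f62-8647-dad3afd8ca69"  # group UUID used in the post

# Sample responses copied from the post so the checks run offline (constructed input).
DISCOVERY_RESPONSE = json.loads("""{
  "title": "Obstracts TAXII 2.1 Server",
  "default": "https://app.obstracts.com/taxii/taxii2/",
  "api_roots": ["https://app.obstracts.com/taxii/taxii2/c2cf3bf2-6cf2-4f62-8647-dad3afd8ca69/"]
}""")
COLLECTIONS_RESPONSE = json.loads("""{
  "collections": [
    {"id": "8cdeab9d-188e-42b8-a896-3836d50e4ee5", "title": "Checkpoint Research Blog",
     "can_read": true, "can_write": false, "media_types": ["application/taxii+json;version=2.1"]},
    {"id": "203c46bf-79e3-4449-b9c4-6a409f3451e6", "title": "FireEye Threat Research Blog",
     "can_read": true, "can_write": false, "media_types": ["application/taxii+json;version=2.1"]}
  ]
}""")


def build_api_root(base_endpoint: str, group_uuid: str) -> str:
    """Root URL = base endpoint + group UUID, with the trailing slash TAXII URLs carry."""
    uuid.UUID(group_uuid)  # raises ValueError on a mistyped UUID before it reaches Sentinel
    return base_endpoint.rstrip("/") + "/" + group_uuid + "/"


def api_roots_from_discovery(discovery: dict) -> list:
    """API roots advertised by the server's discovery endpoint (GET on the base endpoint)."""
    return list(discovery.get("api_roots", []))


def readable_collection_ids(collections_doc: dict) -> dict:
    """Map collection id -> title, keeping only collections the account can read as TAXII 2.1 JSON."""
    out = {}
    for coll in collections_doc.get("collections", []):
        if coll.get("can_read") and TAXII_MEDIA_TYPE in coll.get("media_types", []):
            out[coll["id"]] = coll["title"]
    return out


def validate_connector_settings(api_root: str, collection_id: str,
                                discovery: dict, collections_doc: dict) -> list:
    """Return a list of problems; an empty list means the values match what the server advertises."""
    problems = []
    if api_root not in api_roots_from_discovery(discovery):
        problems.append("API root %s is not advertised by the discovery endpoint" % api_root)
    if collection_id not in readable_collection_ids(collections_doc):
        problems.append("collection %s is not a readable TAXII 2.1 collection" % collection_id)
    return problems


def added_after_timestamp(now: datetime, max_age_days: int = 30) -> str:
    """RFC 3339 UTC timestamp for the oldest object a client should ask for (one month back by default)."""
    return (now - timedelta(days=max_age_days)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def objects_url(api_root: str, collection_id: str, added_after: str) -> str:
    """Objects endpoint of a collection, filtered with the TAXII 2.1 added_after parameter."""
    return "%scollections/%s/objects/?added_after=%s" % (api_root, collection_id, added_after)


def taxii_get(url: str, username: str, api_key: str, timeout: int = 30) -> dict:
    """Perform a live TAXII 2.1 GET. Assumes HTTP Basic auth with the Obstracts username and API key."""
    token = base64.b64encode(("%s:%s" % (username, api_key)).encode()).decode()
    req = Request(url, headers={"Accept": TAXII_MEDIA_TYPE, "Authorization": "Basic " + token})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    root = build_api_root(BASE_ENDPOINT, GROUP_UUID)
    checkpoint = "8cdeab9d-188e-42b8-a896-3836d50e4ee5"
    print("API root:", root)
    print("readable collections:", readable_collection_ids(COLLECTIONS_RESPONSE))
    print("problems:", validate_connector_settings(root, checkpoint, DISCOVERY_RESPONSE, COLLECTIONS_RESPONSE))
    since = added_after_timestamp(datetime.now(timezone.utc))
    print("poll URL:", objects_url(root, checkpoint, since))
```

Run it offline as shown and it reports the Root URL, the readable collections and an empty problem list for the Checkpoint feed; swap in your own group UUID and a live call to taxii_get(BASE_ENDPOINT, username, api_key) in place of DISCOVERY_RESPONSE to check a real account. Because Sentinel needs one configuration per feed, the collection map is also a convenient checklist of how many connector entries you will be creating.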

Usage

And if everything has gone to plan…

Obstract Azure Sentinel TAXII threat intelligence Connector

Why is this neat? Using existing Azure Sentinel rule templates (or your own custom rules), alerts and incidents will automatically be created based on matches of log events to your ingested threat indicators.

The only downside? In the case of Obstracts, you’ll need to add a new configuration to Sentinel for each of the Feeds you want to pull data from.

Warning: this post might be out of date

Please ensure you check the product documentation for the latest setup information for the Microsoft Azure Sentinel TAXII integration.
