Intel 471 Malware Intelligence to Sentinel




This playbook ingests malware indicators from Intel 471's Titan or Verity API into Microsoft Sentinel as tiIndicator resources.

| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Intel471 |
| Source | View on GitHub |

Additional Documentation

📄 Source: Intel471-ImportMalwareIntelligenceToSentinel/readme.md

Intel 471 Malware Intelligence import to Sentinel

Table of contents

  1. Overview
  2. Prerequisites
  3. Deployment instructions
  4. Post-deployment instructions
  5. Querying Intel 471 Malware Intelligence data in Sentinel
  6. Data mapping
  7. Script for granting ThreatIndicators.ReadWrite.OwnedBy role

Overview

This playbook fetches malware intelligence indicators from Intel 471's Titan or Verity API and ingests them into Microsoft Sentinel through the Threat Intelligence Upload (UploadStixObjects) API.

The azuredeploy.json Azure Resource Manager (ARM) template builds the Logic App together with the connections it needs. The template creates the following components:

Prerequisites

  1. An active account on the Titan or Verity platform, which is available as part of an Intel 471 subscription. For more information, contact sales@intel471.com.
  2. Titan or Verity API credentials.
  3. A pre-existing Key Vault for storing the Titan or Verity API credentials. Store the Titan credentials as secrets named TitanUserNameSentinel and TitanAPIKeySentinel, or the Verity credentials as VerityUserNameSentinel and VerityAPIKeySentinel. The Logic App reads them from the vault at run time, so the credentials never have to be placed in the ARM parameters or the Logic App definition.
  4. A pre-existing Storage account with a blob container for persisting state, such as the API cursor, between runs.
  5. The Threat Intelligence solution installed in Sentinel. Go to the Sentinel instance → Content hub and install the Threat Intelligence solution.

Deployment instructions

  1. To deploy the playbook, click the Deploy to Azure button (or Deploy to Azure Gov for an Azure Government tenant). It launches the ARM template deployment wizard.
  2. Provide the following parameters:

    • Playbook Name: either keep the default or change it as needed
    • StorageAccountName: name of the Storage account (see prerequisites)
    • StorageAccountContainerName: name of the blob container in the Storage account
    • KeyVaultName: name of the Key Vault (see prerequisites)
    • Workspace ID: ID of the Log Analytics workspace to which the indicators will be written
    • Look Back Days: how many days of history to pull on the first run; leave 0 to start from the current time
    • Backend: which backend to pull data from, either Titan or Verity


Post-deployment instructions

  1. Go to the Key Vault. Select Access control (IAM) → + Add → Add role assignment. Choose the Key Vault Secrets User role (it grants read access to secret contents only, which is all the playbook needs). On the next screen click + Select members, search for Intel 471 and select the newly created logic app, then complete the role assignment.
  2. Go to the selected Log Analytics workspace and repeat step 1, this time granting the Microsoft Sentinel Contributor role, which the Threat Intelligence Upload API requires. Scope both assignments to the individual vault and workspace rather than the resource group or subscription.
  3. Optionally change the schedule frequency in the logic app's Recurrence block (the first block in the workflow).

Querying Intel 471 Malware Intelligence data in Sentinel

Get first 10 ingested indicators

```kql
ThreatIntelIndicators | where SourceSystem startswith "Intel 471" | limit 10
```

Look for a specific indicator

```kql
ThreatIntelIndicators | where SourceSystem startswith "Intel 471" | where ObservableValue == "227.151.66.29"
ThreatIntelIndicators | where SourceSystem startswith "Intel 471" | where ObservableValue == "tcp://58.68.162.115:16"
ThreatIntelIndicators | where SourceSystem startswith "Intel 471" | where ObservableValue == "58acf725b72ecfdbdacd532feff1c89359021e6502664147456c5b2db2a05544"
```
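The lookups above return one row per indicator version, including versions that have since been revoked or expired. The following query is an added example, not part of the readme or the Intel 471 playbook, showing how to reduce the feed to the indicators that are valid right now and match them against firewall egress in CommonSecurityLog. It assumes the ThreatIntelIndicators columns Id, ObservableKey, IsActive, ValidFrom, ValidUntil and Confidence as exposed by the Sentinel Threat Intelligence solution, and that firewall traffic lands in CommonSecurityLog with DestinationIP populated; substitute your own network table and column if they differ.

```kql
// Added example: match currently valid Intel 471 IPv4 indicators against firewall egress.
// Assumed columns: Id, ObservableKey, IsActive, ValidFrom, ValidUntil, Confidence
// on ThreatIntelIndicators; DestinationIP on CommonSecurityLog.
let lookback = 1d;
let Intel471Ips =
    ThreatIntelIndicators
    | where SourceSystem startswith "Intel 471"
    // Plain IPv4 observables carry the STIX key ipv4-addr:value; the tcp://host:port
    // values shown in the lookups above are stored under a different key and are
    // deliberately not matched here.
    | where ObservableKey == "ipv4-addr:value"
    // Every update to an indicator writes a new row: keep only the latest version of each Id.
    | summarize arg_max(TimeGenerated, *) by Id
    // Drop indicators that were revoked by the source or whose validity window has closed.
    | where IsActive == true and ValidUntil > now()
    | project IndicatorIp = ObservableValue, Confidence, ValidFrom, ValidUntil, IndicatorId = Id;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(DestinationIP)
| join kind=inner Intel471Ips on $left.DestinationIP == $right.IndicatorIp
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort,
          Confidence, IndicatorId, ValidFrom, ValidUntil
| order by TimeGenerated desc
```

The arg_max over Id is the important step: without it a revoked indicator's earlier, still-active row would keep producing matches after the source has withdrawn it. The same skeleton works for file hashes by switching the ObservableKey filter and joining on the hash column of the endpoint table in use.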

Get indicators of a specific type

[Content truncated...]

