Custom threat intelligence allows you to bring your own threat indicators and enrich alerts from Microsoft 365 Defender and Microsoft Defender for Endpoint. The usual way to do this is to configure a custom threat intelligence connector in Microsoft Defender.
The aim of this post is to provide a concise guide on how to set up these connectors effectively.
What is Custom Threat Intelligence?
Custom threat intelligence refers to integrating your own intelligence feeds into the Microsoft security suite. These feeds can be derived from other tools or services within your security ecosystem. By integrating these feeds, you can enrich the indicators within Microsoft 365 Defender and Microsoft Defender for Endpoint with valuable context.
Setting Up Custom Threat Intelligence Connectors
To set up a custom threat intelligence connector using Microsoft Defender for Endpoint, you will need to follow these steps:
- Step 1: Go to the Microsoft 365 security portal and navigate to ‘Settings > Advanced features’.
- Step 2: Enable ‘Custom threat intelligence’.
- Step 3: Proceed to the ‘Threat & Vulnerability Management settings page’ and locate ‘Threat intelligence connectors’. Select to ‘Add new connector’.
- Step 4: You will be asked to provide details about the platform and feed you wish to integrate. Fill in the necessary information. For example, if the feed comes from Palo Alto’s MineMeld, you’ll fill in the feed URL and a token to authorise the feed.
- Step 5: After filling in the requested information, click ‘Next’ to validate your input.
- Step 6: Lastly, save the new connector.
Once your custom threat intelligence connector is saved, Microsoft Defender for Endpoint will poll for new indicators every hour, ensuring your data remains consistently updated.
An important point to note is that when using STIX/TAXII connectors, the Microsoft security suite can only ingest STIX XML formatted data and not STIX JSON.
Applying Custom Threat Intelligence
Once the custom threat intelligence connector is set up, you can apply it to new or existing alerts. When viewing an alert, the details page includes a ‘Related threat intelligence’ section that lists the matched items, such as STIX Patterns or Objects.
It must be noted here that the ingestion of custom threat intelligence is not immediate – it follows a flow that includes verification and matching, which can take up to 24 hours.
Remember, using the correct technology and having a strong understanding of your organization’s threat landscape is key to effective threat intelligence. As an SC-200 Microsoft Security Operations Analyst, you’ll be equipping your organization with valuable threat context by leveraging custom threat intelligence.
Therefore, configuring custom threat intelligence connectors thoroughly and reviewing them regularly can markedly enhance your organization’s security measures and give you an edge over potential cyber threats.
Following these guidelines will help aspiring and professional security analysts keep their platforms secure and resilient against the rapidly evolving landscape of cyber threats.
Practice Test
True or False: Custom threat intelligence connectors can be configured in Microsoft 365 Defender.
- True
- False
Answer: True
Explanation: Custom threat intelligence connectors are a feature of Microsoft 365 Defender. They can be used to integrate external threat intelligence feeds into your Defender environment.
Which of the following can be used to configure custom threat intelligence connectors?
- A. CSV files
- B. STIX files
- C. TXT files
Answer: B. STIX files
Explanation: STIX (Structured Threat Information eXpression) files are commonly used to input and exchange threat intelligence data, which can then be configured into custom threat intelligence connectors.
True or False: TCP is the protocol used by custom threat intelligence connectors to transfer data.
- True
- False
Answer: False
Explanation: HTTP or HTTPS is commonly used for data transfer in threat intelligence connectors, not TCP.
Which Microsoft service allows the creation and configuration of custom threat intelligence connectors?
- A. Azure Sentinel
- B. Microsoft Defender
- C. Microsoft Teams
Answer: A. Azure Sentinel
Explanation: Azure Sentinel offers an option to create and configure custom threat intelligence connectors, allowing for increased customization for threat intelligence.
True or False: Custom threat intelligence connectors support real-time data feeds.
- True
- False
Answer: True
Explanation: Custom threat intelligence connectors support real-time threat information feeds, which is beneficial for instant detection and response.
Which of the following options allow for the input of data to custom threat intelligence connectors?
- A. TAXII
- B. STIX
- C. Both A and B
Answer: C. Both A and B
Explanation: TAXII (Trusted Automated eXchange of Indicator Information) and STIX (Structured Threat Information eXpression) are both used for threat intelligence data input.
True or False: All custom threat intelligence connectors must be coded by the user.
- True
- False
Answer: False
Explanation: Users have the option to code their own custom threat intelligence connectors, but Microsoft also offers pre-built connectors.
Custom threat intelligence connectors can process data from…
- A. Third-party threat intelligence feeds
- B. Internal security systems
- C. Both A and B
Answer: C. Both A and B
Explanation: Custom threat intelligence connectors are able to utilize data from both third-party threat intelligence feeds and internal security systems.
True or False: Custom threat intelligence connectors allow for the customization of threat intelligence updates.
- True
- False
Answer: True
Explanation: The frequency and time of updates to threat intelligence feeds can be customized when using custom threat intelligence connectors.
Which data format is not typically used with custom threat intelligence connectors?
- A. JSON
- B. STIX
- C. XML
Answer: C. XML
Explanation: STIX and JSON are standard formats used for threat intelligence data. XML is not typically used with Azure Sentinel or Microsoft 365 Defender.
Interview Questions
What is the role of threat intelligence connectors in Microsoft’s security operations?
Threat intelligence connectors enable Microsoft security solutions to connect with external threat intelligence and import that intelligence for threat detection purposes.
How can you view the list of custom threat intelligence connectors?
You can view the list of custom threat intelligence connectors in your Microsoft 365 Security Center by navigating to Settings > Threat Intelligence > Connectors.
In which format do threat intelligence connectors generally accept threat indicators?
Threat intelligence connectors generally accept threat indicators in STIX (Structured Threat Information eXpression) format.
What are the requirements for configuring a custom threat intelligence connector in Microsoft Defender for Endpoint?
You need global administrator or security administrator permissions to configure a custom threat intelligence connector in Microsoft Defender for Endpoint.
How many custom threat intelligence connectors can you create in Microsoft 365 Defender?
You can create up to 50 custom threat intelligence connectors in Microsoft 365 Defender.
How does Microsoft 365 Defender manage duplicate threat indicators?
Microsoft 365 Defender merges duplicate threat indicators based on the value of the indicator text and indicator type. The most severe threat level and the latest expiration time will be maintained.
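The merge rule described above, as an added example that is not Microsoft's code: duplicates are keyed on indicator type plus indicator text, and the most severe level and latest expiration survive. The severity names, the case-folding of domains and hashes, and the sample feeds are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed severity order: the page only says the most severe level wins,
# it does not name the levels, so this ranking is an assumption.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Indicator:
    ind_type: str        # "ip", "url", "domain" or a hash type, as named on the page
    value: str
    severity: str
    expires: datetime    # timezone-aware expiration time
    sources: tuple = ()  # feeds that supplied this indicator

def dedup_key(ind: Indicator) -> tuple:
    """Merge key is indicator type plus indicator text. Domains and hashes are
    case-insensitive, so they are lowercased; URLs keep their case (assumption)."""
    t = ind.ind_type.lower()
    v = ind.value.strip()
    if t in ("domain", "md5", "sha1", "sha256"):
        v = v.lower()
    return t, v

def merge_indicators(indicators) -> list:
    """Collapse duplicates, keeping the most severe level and the latest expiry."""
    merged = {}
    for ind in indicators:
        key = dedup_key(ind)
        cur = merged.get(key)
        if cur is None:
            merged[key] = ind
            continue
        worst = max(cur, ind, key=lambda i: SEVERITY_RANK[i.severity.lower()])
        merged[key] = replace(
            cur,
            severity=worst.severity,
            expires=max(cur.expires, ind.expires),
            sources=cur.sources + ind.sources,
        )
    return list(merged.values())

# Constructed sample: two feeds report the same hash with different case and severity.
T1 = datetime(2024, 1, 10, tzinfo=timezone.utc)
T2 = datetime(2024, 2, 10, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("sha256", "AB" * 32, "low", T1, ("feedA",)),
    Indicator("sha256", "ab" * 32, "high", T2, ("feedB",)),
    Indicator("ip", "203.0.113.5", "medium", T1, ("feedA",)),
]
```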
What happens if you disable a custom threat intelligence connector in Microsoft 365 Defender?
If you disable a custom threat intelligence connector, Microsoft 365 Defender will stop fetching new indicators from that source, but existing indicators will remain in the system until they expire.
Can you update a custom threat intelligence connector after it has been created?
Yes, you can update most properties of a custom threat intelligence connector after it has been created, except for the connector type.
How do you manage the threat indicator expiration time?
The threat indicator expiration time can be updated manually within Microsoft Defender for Endpoint or can be set to automatically expire within a certain timeframe.
What type of network connections can be made using threat intelligence connectors?
Threat intelligence connectors can make HTTP/HTTPS connections to external threat intelligence sources.
What happens when the threat intelligence connector encounters an error during import?
If an error occurs during the import, the connector will record the error message along with the HTTP status code and body, and attempt to re-import the data at the next scheduled time.
What types of threat intelligence can be imported using the custom threat connectors?
There are several types of threat intelligence that can be imported using the custom threat connectors, such as IP addresses, URLs, domains, and file hashes.
How do you set the severity level for custom threat intelligence?
The severity of a custom threat indicator can be manually set when importing the threat intel. However, this data will be overridden if the severity is provided in the STIX data.
Can a custom threat connector be deleted once it is created?
Yes, you can delete a custom threat connector that is no longer needed by selecting the connector and then choosing “Delete” from the options.
What happens when you reach the maximum limit of 50 custom connectors?
Once you reach the maximum limit of 50 custom connectors, you will need to delete existing connectors before you can create new ones.