Increased Microsoft Sentinel Benefits Using Anomali ThreatStream

This blog was co-written by Richard Phillips, Product Manager at Anomali, and Rijuta Kapoor, Microsoft.


Microsoft Sentinel is a cloud-native SIEM that offers several options for importing threat intelligence data and using it for hunting, investigation, and analytics. Two of the ways to import rich threat intelligence data into Microsoft Sentinel are the Threat Intelligence - TAXII data connector and the Threat Intelligence Platforms (TIP) data connector.

Microsoft Sentinel was an early adopter of STIX/TAXII as the preferred way to import threat intelligence data. The Microsoft Sentinel “Threat Intelligence - TAXII” connector uses the TAXII protocol to transport data in STIX format. It supports pulling data from TAXII 2.0 and 2.1 servers; in effect, it is a built-in TAXII client in Microsoft Sentinel for importing threat intelligence from TAXII 2.x servers.

In the past, Anomali ThreatStream integrated with Microsoft Sentinel through the ThreatStream Integrator, leveraging the Graph Security API and the TIP data connector of Microsoft Sentinel.

Today we are announcing our integration with Anomali ThreatStream, which allows you to get threat intelligence data from Anomali ThreatStream into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector.

Microsoft Sentinel benefits with Anomali ThreatStream

Anomali ThreatStream is a threat intelligence management solution that allows you to automate data collection from hundreds of threat sources, including commercial vendors, OSINT, ISACs, and more, to operationalize threat intelligence at scale.

Anomali Macula, our built-in proprietary machine learning engine, aggregates, scores, and categorizes intelligence for real-time distribution to security controls across your entire security ecosystem. Users can configure integrations to send only high-confidence, high-severity observables, or only observables associated with known threat actors, active malware campaigns, or a number of other Threat Models.

Pushing these filtered, prioritized observables to Sentinel via TAXII enables you to proactively correlate events within your network against high-fidelity intelligence and identify threats against your organization.

Connecting Microsoft Sentinel to Anomali ThreatStream TAXII Server

To connect Microsoft Sentinel to Anomali ThreatStream’s TAXII Server, obtain the API Root, Collection ID, Username and Password from Anomali.

ThreatStream allows you to configure Saved Searches against your observable set, and these are automatically exposed as TAXII collections for consumption by TAXII clients.

Once you’ve configured a saved search, navigate to the Manage Observable Searches page, and identify the ID of the desired search.

You can then use the following details to configure the TAXII data connector:

  • API Root:
  • Collection ID:
  • Username & Password: The ThreatStream Username & Password of the user who configured the saved search.

For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation.

Put Anomali ThreatStream to use with Microsoft Sentinel

Once the threat intelligence from Anomali ThreatStream is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytics rules in Microsoft Sentinel. These fully customizable analytics rules, which match threat indicators against your event data, all have names beginning with ‘TI map’.
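As an added illustration of what a TI map rule does with the imported feed (this is not code from the post, from Anomali, or from Microsoft), the Python below reads STIX 2.1 indicators from a constructed TAXII envelope, drops revoked or expired ones, and joins the rest against constructed log events; the log-field mapping and indicator ids are hypothetical.

```python
import re
from datetime import datetime
# Parses only simple single-comparison STIX patterns, e.g. "[ipv4-addr:value = '203.0.113.7']"
# or "[file:hashes.'SHA-256' = '...']"; compound (AND/OR/FOLLOWEDBY) patterns are skipped.
PATTERN_RE = re.compile(r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")
# Hypothetical log-field -> STIX observable mapping (real TI map rules use Sentinel columns).
FIELD_TO_STIX = {"src_ip": "ipv4-addr:value", "dst_ip": "ipv4-addr:value", "url": "url:value",
                 "domain": "domain-name:value", "sha256": "file:hashes.'SHA-256'"}
def _ts(iso):  # STIX timestamps carry a 'Z' suffix; fromisoformat needs '+00:00' on older Pythons
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_indicator(obj, now):
    """Return (stix_key, value) for an indicator that is unrevoked and not expired at `now`."""
    if obj.get("type") != "indicator" or obj.get("revoked"):
        return None
    if obj.get("valid_until") and _ts(obj["valid_until"]) <= now:
        return None  # expired indicators must not produce matches
    m = PATTERN_RE.match(obj.get("pattern", ""))
    return (f"{m['type']}:{m['prop']}", m["value"].lower()) if m else None

def load_indicators(envelope, now_iso):
    """Index a TAXII 2.1 envelope's active indicators as {(stix_key, value): indicator id}."""
    now, index = _ts(now_iso), {}
    for obj in envelope.get("objects", []):
        parsed = parse_indicator(obj, now)
        if parsed:
            index[parsed] = obj["id"]
    return index

def match_events(events, index):
    """The join a 'TI map' rule performs: one (event id, field, indicator id) per hit."""
    hits = []
    for ev in events:
        for field, stix_key in FIELD_TO_STIX.items():
            value = ev.get(field)
            if value and (stix_key, value.lower()) in index:
                hits.append((ev["id"], field, index[(stix_key, value.lower())]))
    return hits

# Constructed sample envelope and events (not real ThreatStream data or TAXII output).
SAMPLE_ENVELOPE = {"objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example']", "valid_from": "2024-01-01T00:00:00Z",
     "valid_until": "2024-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--0003", "pattern_type": "stix", "revoked": True,
     "pattern": "[url:value = 'http://evil.example/x']", "valid_from": "2024-01-01T00:00:00Z"}]}
SAMPLE_EVENTS = [{"id": "ev1", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
                 {"id": "ev2", "domain": "BAD.example"}, {"id": "ev3", "url": "http://evil.example/x"}]
```

Evaluated on 2024-03-01 only the IP indicator is still active, so the domain hit disappears after its `valid_until`, which is the same reason Sentinel's rules filter on indicator expiration.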

To learn how to enable and create analytic rules, follow the steps mentioned in this documentation.

You can also create customized dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the Anomali ThreatStream feed.

We hope this article has helped you understand the advantages of importing the Anomali ThreatStream feed into Microsoft Sentinel and using it to protect your organization.


This blog originally appeared on Microsoft's Tech Forum.

Learn more about STIX/TAXII.

Learn more about threat intelligence platforms.
