Microsoft Sentinel & Cyberint Threat Intel Integration Guide
Microsoft Sentinel & Cyberint IOC Module Integration Guide
In today’s cybersecurity landscape, threat intelligence plays a critical role in identifying and mitigating potential threats. Microsoft Sentinel, a powerful cloud-native SIEM (Security Information and Event Management) solution, provides robust capabilities for security monitoring and incident response.
Integrating Microsoft Sentinel with the Cyberint IOC module (Cyberint – Threat Intelligence & Digital Risk Protection) extends Sentinel's ability to detect and respond to emerging threats by feeding it Cyberint's threat intelligence indicators.
This guide outlines the steps to integrate Cyberint’s module with Microsoft Sentinel, enabling you to leverage enriched threat intelligence data for more effective security operations.
PREREQUISITES
1. Ensure you have an active Azure account with sufficient permissions to create resources
2. Active Cyberint account. (To get the API Token & URL)
This blog walks through the steps for integrating with Cyberint TI feeds and how to troubleshoot the issues that may arise during integration. Here is a brief summary of the steps needed:
1. Log in to your Azure account.
2. Create a new Logic App.
3. Ensure that Managed Identity for the Logic App is enabled.
4. Switch to Code view and paste in the JSON code.
5. Use JSON Lint to verify and validate the JSON format.
6. Save the Logic App code.
7. Add a Switch-Case to handle the HTTP action redirect status code 307.
8. Add a Delay action to handle status code 429.
9. Configure the Logic App to execute daily.
10. Add a Retry Policy if status code 429 persists.
11. Grant the Microsoft Sentinel Contributor role to the Logic App at the Resource Group level.
Create a Blank logic app
1. Sign In to Azure Portal
Go to: Azure Portal
Log in with your Azure credentials.
2. Create a new Logic App
Navigate to: All services > Logic Apps
Click: + Add or + Create
Configure Basics:
Subscription: Select your Azure subscription.
Resource Group: Choose or create a new one.
Logic App Name: Enter a unique name.
Region: Choose your preferred region.
Select Type: Choose Logic App (Consumption) for pay-as-you-go pricing.
Click: Review + Create, then Create.
3. Ensure that the Logic App's Managed Identity is enabled
Under the “Settings” section in the navigation bar, select “Identity”
Switch the “Status” slider to “On” and verify that you wish to perform this action.
Role assignments for this identity are added later in this post (step 11).
4. Switch to Code View to paste in JSON code
After activating the managed Identity, proceed to the Code view within Logic app.
Under the “Development Tools” section in the navigation bar, select “Logic app code view”
Insert the following code, substituting every placeholder in angle brackets (<...>) with the values specific to your environment.
The information you will need to gather is:
Microsoft Sentinel Subscription ID
Microsoft Sentinel Resource Group Name
Microsoft Sentinel Deployment Region
Microsoft Sentinel Workspace ID
Cyberint API Token
Cyberint Environment URL
Use the following code provided by CYBERINT to implement the foundational logic structure. Substitute the placeholder sections with the appropriate values.
```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "Compose": {
        "inputs": "@split(variables('input'), '\n')",
        "runAfter": {
          "Initialize_variable": [
            "Succeeded"
          ]
        },
        "type": "Compose"
      },
      "Filter_array": {
        "inputs": {
          "from": "@outputs('Compose')",
          "where": "@not(equals(item(), ''))"
        },
        "runAfter": {
          "Compose": [
            "Succeeded"
          ]
        },
        "type": "Query"
      },
      "Follow_redirect_http": {
        "inputs": {
          "method": "GET",
          "uri": "@{outputs('HTTP')['headers']['location']}"
        },
        "runAfter": {
          "HTTP": [
            "Failed"
          ]
        },
        "type": "Http"
      },
      "For_each": {
        "actions": {
          "Parse_JSON_2": {
            "inputs": {
              "content": "@items('For_each')",
              "schema": {
                "properties": {
                  "confidence": {
                    "type": "integer"
                  },
                  "description": {
                    "type": "string"
                  },
                  "detected_activity": {
                    "type": "string"
                  },
                  "ioc_type": {
                    "type": "string"
                  },
                  "ioc_value": {
                    "type": "string"
                  },
                  "observation_date": {
                    "type": "string"
                  },
                  "severity_score": {
                    "type": "integer"
                  }
                },
                "type": "object"
              }
            },
            "runAfter": {},
            "type": "ParseJson"
          },
          "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
            "inputs": {
              "body": {
                "indicators": [
                  {
                    "confidence": "@{body('Parse_JSON_2')?['confidence']}",
                    "created": "@{utcNow()}",
                    "description": "@{body('Parse_JSON_2')?['description']}",
                    "external_references": [],
                    "granular_markings": [],
                    "id": "indicator--@{guid()}",
                    "indicator_types": [
                      "@{body('Parse_JSON_2')?['detected_activity']}"
                    ],
                    "kill_chain_phases": [
                      {
                        "kill_chain_name": "mandiant-attack-lifecycle-model",
                        "phase_name": "establish-foothold"
                      }
                    ],
                    "labels": [
                      "cyberint"
                    ],
                    "lang": "",
                    "modified": "@{utcNow()}",
                    "name": "@{body('Parse_JSON_2')?['ioc_value']}",
                    "object_marking_refs": [],
                    "pattern": "[ipv4-addr:value = '@{body('Parse_JSON_2')?['ioc_value']}']",
                    "pattern_type": "ipv4-addr",
                    "spec_version": "2.1",
                    "type": "indicator",
                    "valid_from": "@{body('Parse_JSON_2')?['observation_date']}"
                  }
                ],
                "sourcesystem": "Cyberint"
              },
              "host": {
                "connection": {
                  "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                }
              },
              "method": "post",
              "path": "/V2/ThreatIntelligence/@{encodeURIComponent('<Microsoft Sentinel workspaceid>')}/UploadIndicators/"
            },
            "runAfter": {
              "Parse_JSON_2": [
                "Succeeded"
              ]
            },
            "type": "ApiConnection"
          }
        },
        "foreach": "@body('Filter_array')",
        "runAfter": {
          "Filter_array": [
            "Succeeded"
          ]
        },
        "type": "Foreach"
      },
      "HTTP": {
        "inputs": {
          "cookie": "access_token=<cyberint api token>",
          "method": "GET",
          "queries": {
            "date": "@{formatDateTime(utcNow(), 'yyyy-MM-dd')}",
            "detected_activity": "cnc_server",
            "ioc_type": "ipv4"
          },
          "uri": "https://<cyberint environment url>/ioc/api/v1/feed/daily"
        },
        "runAfter": {},
        "type": "Http"
      },
      "Initialize_variable": {
        "inputs": {
          "variables": [
            {
              "name": "input",
              "type": "string",
              "value": "@{body('Follow_redirect_http')}"
            }
          ]
        },
        "runAfter": {
          "Follow_redirect_http": [
            "Succeeded"
          ]
        },
        "type": "InitializeVariable"
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
      "$connections": {
        "defaultValue": {},
        "type": "Object"
      }
    },
    "triggers": {
      "Recurrence": {
        "evaluatedRecurrence": {
          "frequency": "Week",
          "interval": 1
        },
        "recurrence": {
          "frequency": "Week",
          "interval": 1
        },
        "type": "Recurrence"
      }
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "azuresentinel": {
          "connectionId": "/subscriptions/<azure subscriptionid>/resourceGroups/<Sentinel Resource Group Name>/providers/Microsoft.Web/connections/azuresentinel",
          "connectionName": "azuresentinel",
          "id": "/subscriptions/<azure subscriptionid>/providers/Microsoft.Web/locations/<deployment Region>/managedApis/azuresentinel"
        }
      }
    }
  }
}
```
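The workflow above does three things with the daily feed: it splits the response body on newlines and drops empty lines (Compose and Filter_array), parses each remaining line as one JSON record (Parse_JSON_2), and wraps each record in a STIX 2.1 indicator for the Upload Indicators call. The Python below is an added example that replays that transformation offline; it is not Cyberint's or Microsoft's code. It goes beyond the Logic App in two ways: it maps several ioc_type values to STIX patterns (only "ipv4" appears on this page; the "domain", "url" and "sha256" names and the sample feed records are constructed assumptions), and it batches indicators into request bodies (batch size 100 is a chosen default) instead of sending one indicator per call. It sets pattern_type to "stix", the STIX 2.1 name for this pattern language. Values containing a single quote are escaped before being placed in the pattern, which the Logic App's string interpolation does not do.

```python
import itertools
import json
import uuid
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed sample of the daily feed body (made-up values, not real Cyberint
# data): one JSON object per line, with a blank line and an unsupported
# ioc_type thrown in so the edge cases are exercised.
SAMPLE_FEED = (
    '{"ioc_type": "ipv4", "ioc_value": "203.0.113.10", "detected_activity": "cnc_server", '
    '"description": "Sample C2 server", "confidence": 80, "severity_score": 70, '
    '"observation_date": "2024-05-01T00:00:00Z"}\n'
    '\n'
    '{"ioc_type": "domain", "ioc_value": "c2.example.com", "detected_activity": "cnc_server", '
    '"description": "It\'s a sample domain", "confidence": 60, "severity_score": 50, '
    '"observation_date": "2024-05-01T00:00:00Z"}\n'
    '{"ioc_type": "ipv6", "ioc_value": "2001:db8::1", "detected_activity": "cnc_server", '
    '"description": "Type not handled by this example", "confidence": 10, "severity_score": 10, '
    '"observation_date": "2024-05-01T00:00:00Z"}\n'
)

# STIX 2.1 pattern templates keyed by feed ioc_type. Only "ipv4" is used by the
# Logic App on this page; the other keys are assumed names for this example.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def stix_literal(value: str) -> str:
    """Escape backslashes and single quotes for a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def feed_line_to_indicator(record: dict, now: str, new_id: Callable[[], str]) -> Optional[dict]:
    """Build one STIX 2.1 indicator the way the For_each action does; None if the type is unsupported."""
    template = PATTERNS.get(record.get("ioc_type", ""))
    if template is None:
        return None
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{new_id()}",
        "created": now,
        "modified": now,
        "name": record["ioc_value"],
        "description": record.get("description", ""),
        "confidence": record["confidence"],
        "indicator_types": [record["detected_activity"]],
        "labels": ["cyberint"],
        "pattern": template.format(v=stix_literal(record["ioc_value"])),
        "pattern_type": "stix",
        "valid_from": record["observation_date"],
        "kill_chain_phases": [
            {"kill_chain_name": "mandiant-attack-lifecycle-model", "phase_name": "establish-foothold"}
        ],
    }


def feed_to_upload_bodies(body: str, batch_size: int = 100, now: Optional[str] = None,
                          new_id: Callable[[], str] = lambda: str(uuid.uuid4())) -> list:
    """Split the feed body, convert each line, and group the results into Upload Indicators request bodies."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    indicators = []
    for line in body.split("\n"):      # Compose: split on newline
        if not line:                   # Filter_array: drop empty items
            continue
        indicator = feed_line_to_indicator(json.loads(line), now, new_id)   # Parse_JSON_2 + mapping
        if indicator is not None:
            indicators.append(indicator)
    return [
        {"sourcesystem": "Cyberint", "indicators": indicators[i:i + batch_size]}
        for i in range(0, len(indicators), batch_size)
    ]


if __name__ == "__main__":
    for request_body in feed_to_upload_bodies(SAMPLE_FEED):
        print(json.dumps(request_body, indent=2))
```

Each element of the returned list is one JSON body for the Upload Indicators API; sending them is left to whatever HTTP client you use, with the same managed identity and connection the Logic App relies on.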
5. Utilize Json Lint Validator
Since you have modified the JSON code, it makes sense to double check it. In a new tab or window in your browser, go to JSON Online Validator and Formatter – JSON Lint, paste in your modified code, and then click on the green “Validate JSON” button.
Fix any errors that may show up and repeat the process until the JSON passes. Copy the modified code if you made any changes back into the Logic App.
6. Save the Logic App code
In the Logic App code view page, click on the “Save” button. The Azure portal notifications bell will show that this activity is running. You can click on that to see if any errors have occurred.
7. Implement the Switch Case Action
An additional Switch-Case action is required to handle the HTTP action's redirect. Add it once the code above is deployed, following the instructions below to update the Logic App.
In the "Development Tools" section of the navigation menu, select "Logic App designer" to switch back to the graphical view. Note: You can also get to this view by clicking on the "Edit" button on the "Overview" page.
The Switch action is added directly after the HTTP action. Use the following steps to add the needed actions:
1. Click "Add an action".
2. Search for the "Switch" action and select it.
3. Set the value the Switch evaluates to the Status Code output of the previous HTTP step.
4. Under the Switch action's "Settings" tab, make sure the "Run After" options "Has failed" and "Is successful" are both checked.
5. Click the "Add Case" button.
6. Set the case value to the exact status code 307.
7. Inside the case, add a new HTTP action: click "Add an action", search for "HTTP" and select it.
8. Open this new action (HTTP 2), set its method to GET, and set its URI to the new location returned by the previous step using the string '@{outputs('HTTP')['headers']['location']}'.
8. Add Additional Delay action
The upload step may receive status code 429 (too many requests). To absorb this, add a Delay action inside the For each loop, directly after the "Parse JSON 2" action:
Click the "Add an action" button that is directly under the "Parse JSON 2" action.
Search for "Delay" and select it.
Set its "Count" to 5 and change the "Unit" to "Second".
More information on status code 429 can be found at the official Microsoft reference links:
1. Microsoft Sentinel – Connectors | Microsoft Learn
2. https://learn.microsoft.com/en-us/azure/logic-apps/handle-throttling-problems-429-errors?tabs=consumption
9. Adjust the recurrence of the Logic App
This Logic App should run daily because Cyberint produces threat intelligence feeds every day; this is recommended over the default weekly schedule. Optionally, a specific time of day can be selected for the Logic App to execute.
Select the "Recurrence" trigger at the beginning of the Logic App.
Change the "Interval" to "1" and the "Frequency" to "Day".
If you wish to have this Logic App run at a specific time, use the "At These Hours" and "At These Minutes" fields to specify when you want the Logic App to run, as shown in the image below.
10. Adding a Retry Policy if status code 429 persists
If the Logic App still fails with status code 429 as depicted below, add a retry policy to the upload step.
Follow these steps to add a retry policy:
1. Navigate to the Logic App Designer.
2. Open the "Threat Intelligence - Upload Indicators of Compromise" step in the Logic App.
3. Open its "Settings" tab as depicted.
4. Under Networking, select "Retry Policy" and choose "Fixed Interval".
5. Provide the count and interval as required (the Logic App is currently configured with a count of 4 and an interval of 20 seconds).
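Steps 7, 8 and 10 together describe how the workflow copes with two non-200 responses: a 307 is followed by issuing a GET to the Location header, and a 429 is retried after a fixed wait (4 retries, 20 seconds apart, in the current configuration). The Python below is an added example, not part of the original post, that replays exactly that control flow against a scripted offline transport so the behaviour can be checked without network access; the FeedResponse shape, the scripted_transport helper, the feed.example.invalid hostname and the response sequence are all constructed for the example. The sleep callable is injected so the scenario runs instantly while still recording how long a real run would wait.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class FeedResponse:
    """Minimal view of an HTTP response: status code, headers and body text."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _header(resp: FeedResponse, name: str) -> Optional[str]:
    """Case-insensitive header lookup (servers may send 'Location' or 'location')."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def fetch_daily_feed(send: Callable[[str, Optional[dict]], FeedResponse], uri: str, queries: dict,
                     retry_count: int = 4, retry_interval_s: int = 20, max_redirects: int = 5,
                     sleep: Callable[[float], None] = time.sleep) -> str:
    """Replay the Logic App's handling of the feed request.

    307 -> GET the Location header (the Switch case / Follow_redirect_http step)
    429 -> wait a fixed interval and retry (the Delay action / fixed-interval retry policy)
    200 -> return the body; any other status is treated as a failure.
    """
    target, params = uri, queries
    retries = redirects = 0
    while True:
        resp = send(target, params)
        if resp.status == 307:
            location = _header(resp, "location")
            if location is None or redirects >= max_redirects:
                raise RuntimeError(f"unusable redirect from {target}")
            redirects += 1
            target, params = location, None   # the redirect target already carries its own query string
            continue
        if resp.status == 429:
            if retries >= retry_count:
                raise RuntimeError(f"still throttled after {retry_count} retries")
            retries += 1
            sleep(retry_interval_s)
            continue
        if resp.status == 200:
            return resp.body
        raise RuntimeError(f"unexpected status {resp.status} from {target}")


def scripted_transport(responses):
    """Offline stand-in for the HTTP action: returns the constructed responses in order and records every request."""
    queue = list(responses)
    calls = []

    def send(url: str, params: Optional[dict]) -> FeedResponse:
        calls.append((url, params))
        if not queue:
            raise RuntimeError("transport script exhausted")
        return queue.pop(0)

    return send, calls


# Constructed scenario: the endpoint redirects, throttles twice, then serves the feed.
SCENARIO = [
    FeedResponse(307, {"Location": "https://feed.example.invalid/ioc/api/v1/feed/daily?date=2024-05-01"}),
    FeedResponse(429, {"Retry-After": "20"}),
    FeedResponse(429),
    FeedResponse(200, body='{"ioc_type": "ipv4", "ioc_value": "203.0.113.10"}\n'),
]


def run_scenario():
    """Run SCENARIO with a recording sleep; returns (body, recorded requests, recorded waits)."""
    send, calls = scripted_transport(SCENARIO)
    waits = []
    body = fetch_daily_feed(
        send,
        "https://<cyberint environment url>/ioc/api/v1/feed/daily",
        {"date": "2024-05-01", "detected_activity": "cnc_server", "ioc_type": "ipv4"},
        sleep=waits.append,
    )
    return body, calls, waits


if __name__ == "__main__":
    body, calls, waits = run_scenario()
    print(f"{len(calls)} requests sent, would have waited {waits} seconds, received {len(body)} bytes")
```

In production the send callable would wrap a real HTTP client that attaches the access_token cookie; keeping the transport injectable is what makes the redirect and throttling paths testable without the live endpoint.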
11. Grant Microsoft Sentinel Contributor Role to Logic App at the Resource Group Level
To resolve the Unauthorized error at the last step of the Logic App, the Logic App's managed identity needs Microsoft Sentinel Contributor rights. Use the following steps to grant this right:
1. Log in to the Azure portal (portal.azure.com).
2. Go to the Microsoft Sentinel resource group.
3. Navigate to "Access Control (IAM)".
4. Click on the "Add" button and select "Add role assignment".
5. Select the "Microsoft Sentinel Contributor" role and then click the "Next" button at the bottom of the screen.
6. Select the "Managed Identity" radio button.
7. Click "Select members".
8. Select the correct Subscription.
9. In the "Managed Identity" drop-down, select "Logic app".
10. Find the name of the Logic App and select it.
11. Click the "Select" button at the bottom of the page.
12. Click the "Review and assign" button at the bottom of the page to assign the permission.
The Logic App is now ready to run daily and ingest the Cyberint Threat Intelligence data.
To verify that the data is being ingested, run the KQL query below in the Sentinel workspace:
```kql
ThreatIntelligenceIndicator
| where SourceSystem contains "Cyberint"
```