Unit 42 Palo Alto integration with SIEM particularly ?

Shashanksinha — Tue, 23 Apr 2024 20:41:21 GMT

How can we integrate Unit 42 Palo Alto with SIEM particularly Microsoft Sentinel?

Regards,

Shashank

Re: Unit 42 Palo Alto integration with SIEM particularly ?

nsinghvirk — Fri, 26 Apr 2024 15:04:34 GMT

Thanks for reaching out on LiveCommunity!

Can you please confirm what is your requirement? Because unit 42 is a threat research and incident response team. To know about the unit 42 services please reach out to your sales/account representative.

Re: Unit 42 Palo Alto integration with SIEM particularly ?

ShemSargent — Thu, 13 Feb 2025 15:22:46 GMT

Navigate to https://stix2.unit42.org. Create an account with email address (username) and password. (I created an API key, but I'm not sure that's necessary. It doesn't get used to authenticate from Sentinel.) Note the following details:

Description	TAXII Discovery Service URL	TAXII API root	TAXII Collection ID
Unit 42 Adversary Playbooks	https://stix2.unit42.org/taxii/	playbooks	[playbooks GUID]
Unit 42 Reports	https://stix2.unit42.org/taxii/	reports	[reports GUID]

Navigate to https://stix2.unit42.org/taxii/ and authenticate with the same username and password. Observe the api_roots in the JSON response:

{ "api_roots": [ "https://stix2.unit42.org/playbooks/", "https://stix2.unit42.org/reports/" ], "contact": "https://unit42.paloaltonetworks.com/", "default": "https://stix2.unit42.org/playbooks/", "description": "Indicators from Palo Alto Networks Unit 42", "host": "https://stix2.unit42.org/", "title": "Unit 42 TAXII 2.0 Server" }

In Microsoft Sentinel, ensure the Threat Intelligence solution is enabled. Ensure the Threat intelligence - TAXII connector is installed and open its connector page. Configure two TAXII servers with the following information:

Friendly name (for server): Unit42Reports
API root URL: https://stix2.unit42.org/reports/
Collection ID: [reports GUID]
Username: [Unit 42 account username]
Password: [Unit 42 account password]
Import indicators: [choose best option for your context]
Polling frequency: [choose best option for your context]

Friendly name (for server): Unit42AdversaryPlaybooks
API root URL: https://stix2.unit42.org/playbooks/
Collection ID: [playbooks GUID]
Username: [Unit 42 account username]
Password: [Unit 42 account password]
Import indicators: [choose best option for your context]
Polling frequency: [choose best option for your context]

topic Re: Unit 42 Palo Alto integration with SIEM particularly ? in Cortex XDR Discussions

Unit 42 Palo Alto integration with SIEM particularly ?

Re: Unit 42 Palo Alto integration with SIEM particularly ?

Re: Unit 42 Palo Alto integration with SIEM particularly ?