Sending IOCs to the Microsoft Graph Security API using MineMeld


MineMeld can aggregate multiple threat intelligence feeds and push the resulting indicators to your Microsoft security products through the Microsoft Graph Security API. Azure Sentinel is one of the first Microsoft security products to ingest IOCs from the Graph Security API for use in alerting and hunting.

The Microsoft Graph Security API supports the following types of Indicators of Compromise (IOCs):

  • Email
  • File
  • IP address
  • URL
  • Domain

There are three steps to connecting MineMeld to the Microsoft Graph Security API:

  1. Create an application in Azure Active Directory and grant it permission to call the Microsoft Graph Security API. The MineMeld output node will use the credentials tied to this application to authenticate to Microsoft Graph.
  2. Install the Microsoft Graph Security API extension in MineMeld.
  3. Configure the extension to connect to Microsoft Graph via the Security API.

 

Azure Active Directory Configuration

  1. Log in to the Azure Portal – portal.azure.com
  2. Go to Azure Active Directory
  3. Navigate to App registrations and click New application registration
     1. The application name is not used or surfaced as part of this integration, but we recommend naming it Palo Alto Networks MineMeld or something similar so you can pick the correct credentials when you set up your MineMeld output node.
     2. Set the Application type to “Web app / API”
     3. The Sign-on URL is not used, but the field is required, so enter any valid URL.

    Please note the Application ID and Object ID shown on the new registration: the Application ID will be used to configure both the threat feed in your Microsoft Graph Security API tenant and the MineMeld extension.

  4. Under Settings, go to “Required permissions” and click “Add”
     1. Select Microsoft Graph as the API. You can find it by typing “graph” in the search box.
     2. Under “Application permissions”, select “Manage threat indicators this app creates or owns” (ThreatIndicators.ReadWrite.OwnedBy)
     3. Click “Select” and then click “Done”
     4. Click “Grant permissions” and confirm with “Yes”. This is the admin-consent step: without it the token issued to the application will not carry the permission and Graph will reject the indicators.
  5. Still under “Settings” for the app, go to “Keys” and create a new key with an expiration date. Click “Save” and copy the key value immediately; it is displayed only once. Store it in a secrets manager or password vault rather than in plain-text notes: it is a credential that can write threat indicators into your tenant.
  6. Copy the “Application ID”; you will need it later
  7. Copy the Tenant ID (Directory ID) from Azure Active Directory – Properties
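Before moving on to MineMeld it is worth confirming that the registration actually works. The script below is an added example (my own, not code from the original page or from the MineMeld extension) that exercises the application you just created: it obtains a token with the OAuth2 client-credentials grant, checks that the token carries the ThreatIndicators.ReadWrite.OwnedBy role that “Grant permissions” should have produced, and writes one indicator to the tiIndicators endpoint using the same fields the MineMeld output node has to supply (targetProduct, action, expiration, TLP level, and the observable itself). The environment variable names, the use of the v2.0 token endpoint and the beta tiIndicators URL are this example's own assumptions; the IP address it sends is a constructed value from the documentation range.

```python
"""Smoke-test the Azure AD app registration against the Graph Security API.

Added example, not part of the original page or the MineMeld extension.
Assumes credentials in MSGRAPH_TENANT_ID, MSGRAPH_CLIENT_ID and
MSGRAPH_CLIENT_SECRET (variable names chosen here), the Azure AD v2.0 token
endpoint, and the beta tiIndicators endpoint of Microsoft Graph.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"
REQUIRED_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"

# tiIndicator field that carries the observable, per indicator type
# (the types listed on the page plus IPv6). Hashes also need fileHashType.
_FIELD_FOR_TYPE = {
    "IPv4": "networkDestinationIPv4",
    "IPv6": "networkDestinationIPv6",
    "URL": "url",
    "domain": "domainName",
    "email": "emailSenderAddress",
    "md5": "fileHashValue",
    "sha1": "fileHashValue",
    "sha256": "fileHashValue",
}
_HASH_TYPES = {"md5", "sha1", "sha256"}


def build_indicator(ioc_type, value, description, days_valid=30,
                    target_product="Azure Sentinel", action="alert",
                    tlp_level="amber", threat_type="WatchList", now=None):
    """Build the JSON body for POST /security/tiIndicators.

    action, description, expirationDateTime, targetProduct, threatType and
    tlpLevel are required by Graph on every indicator; the observable field
    depends on the type. Unknown types raise instead of producing a body
    with no observable, which Graph would reject anyway.
    """
    if ioc_type not in _FIELD_FOR_TYPE:
        raise ValueError("unsupported indicator type: %r" % ioc_type)
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(days=days_valid)
    body = {
        "action": action,
        "description": description,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "targetProduct": target_product,
        "threatType": threat_type,
        "tlpLevel": tlp_level,
        _FIELD_FOR_TYPE[ioc_type]: value,
    }
    if ioc_type in _HASH_TYPES:
        body["fileHashType"] = ioc_type
    return body


def token_roles(token):
    """Return the app roles (application permissions) in a token's claims.

    Decodes the payload segment only, with no signature check: the token was
    just received from Azure AD over TLS and is being inspected, not used to
    authorize anything, so that is acceptable here.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def get_token(tenant, client_id, client_secret):
    """OAuth2 client-credentials grant against Azure AD (v2.0 endpoint)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), form,
                                timeout=30) as resp:
        return json.load(resp)["access_token"]


def post_indicator(token, body):
    """POST one tiIndicator; returns the created resource, including its id."""
    req = urllib.request.Request(
        TI_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = {k: os.environ.get("MSGRAPH_" + k)
           for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if not all(env.values()):
        sys.exit("set MSGRAPH_TENANT_ID, MSGRAPH_CLIENT_ID, MSGRAPH_CLIENT_SECRET")
    tok = get_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    roles = token_roles(tok)
    if REQUIRED_ROLE not in roles:
        # Usual cause: the "Grant permissions" (admin consent) step was skipped.
        sys.exit("token lacks %s (roles: %s)" % (REQUIRED_ROLE, sorted(roles)))
    # Constructed test observable: 203.0.113.0/24 is reserved for documentation.
    ioc = build_indicator("IPv4", "203.0.113.10",
                          "MineMeld connectivity test (constructed)", days_valid=1)
    print(json.dumps(post_indicator(tok, ioc), indent=2))
```

Running this before the MineMeld steps separates Azure AD problems (wrong tenant, expired key, missing consent) from extension problems: a token that arrives without the role points at the “Grant permissions” step, a 401 on the token request at the key or Application ID, and a 403 on the POST at the permission. The one-day expiration on the test indicator keeps the constructed entry from lingering in Sentinel.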

 

MineMeld Configuration

  1. In MineMeld, go to “System” – “Extensions” and click the Git icon
  2. Enter the URL of the GitHub repo: https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git
  3. Select the version (master) and click “Install”
     The installation should complete shortly afterwards.
  4. Click the enable button and confirm.
     The extension activates shortly afterwards; the API gateway restarts as part of this activation, so the MineMeld web UI may briefly disconnect.

 

Integration Configuration

  1. In MineMeld, go to Config – Prototypes
  2. In the search box type “Microsoft”. Find “Microsoft_graph_secapi.output” and click on it.
  3. Click on “Clone”
  4. Give the node a name and connect it to the input nodes you want it to use (your threat intel feeds).
     NOTE: to understand the concept of input nodes and what to connect here, refer to the MineMeld documentation.
  5. Click OK
  6. Click on Commit
  7. Under Nodes, select the node you created (MicrosoftGraphSecAPI in this example) and open the SETTINGS page. Set Client_ID (the Azure Application ID), client_secret (the key value you saved) and Tenant_ID (the Azure Active Directory Tenant ID).
  8. Select the Microsoft services to share this threat intelligence with by clicking on “Target Product”. NOTE: As of April 2019, Azure Sentinel is the only service capable of consuming third-party threat intelligence.

Testing

Azure Sentinel can be used to validate that the setup is correct. Review the instructions for turning on Threat Intelligence in Azure Sentinel. NOTE: The MineMeld extension currently targets the Azure Sentinel service, so that part is already done for you.

Once this is set up, you can review the indicators in the Logs section of Azure Sentinel (the ThreatIntelligenceIndicator table); an indicator that is present in MineMeld but never appears there usually means the node's credentials or the “Grant permissions” step is wrong.

Version history: revision 5 of 5
Last update: 04-30-2019 07:52 PM