MineMeld can be used to aggregate multiple threat intelligence feeds and extend to your Microsoft Security products via the Microsoft Graph Security API. Azure Sentinel is one of the first Microsoft Security products to ingest IOCs from the Graph Security API for use in alerting and hunting.
There are three steps to connecting MineMeld to the Microsoft Graph Security API:
First, you will need to create an Application in Azure Active Directory. You will assign permissions to this application to access Microsoft Graph APIs. The MineMeld Output Node will use the credentials tied to the application you created to connect to Microsoft Graph.
You will then install the Microsoft Graph Security API extension in MineMeld
Finally, you will configure the extension to connect to the Microsoft Graph via the Security API.
Azure Active Directory Configuration
Log in to the Azure Portal – portal.azure.com
Go to Azure Active Directory
Navigate to Enterprise Applications – App Registrations and click on New Application Registration
The Application name will not be used or surfaced as part of this integration, but we recommend you name this to Palo Alto Networks MineMeld or something similar so you can use the correct credentials when you setup your MineMeld output node.
Set the Application type to “Web App / API”
The Sign-on URL is not used, but you still need to put something into this field.
Please note, the Application ID and Object ID will be used to configure both the threat feed in your Microsoft Graph Security API tenant and the MineMeld extension.
Under Settings go to “Required Permissions” and click on “Add”
Select Microsoft Graph as an API. You can find this by typing “graph” in the search box.
Under “Application Permissions” select “Manage threat indicators this app creates or owns”
Click “Select” and then click “Done”
Click “Grant permissions” and click “Yes”
Under “App Registrations”, open the app, go to “Settings” and then “Keys”, and create a new key with an expiration date. Click on “Save”, then copy the value of the key and store it securely; the portal will not show it again.
Copy the “Application ID” that you will need later
Copy the Tenant ID from Azure Active Directory Properties (Directory ID)
MineMeld Extension Installation
On MineMeld, go under “System” and “Extensions”. Click on the Git icon.
Select the version (Master) and click “Install”. The installation should complete shortly afterwards:
Click on the enable button and confirm. The extension will activate shortly, and the API gateway will restart as part of this activation.
Extension Configuration
In MineMeld, go to Config - Prototypes.
In the search box type “Microsoft”. Find “Microsoft_graph_secapi.output” and click on it.
Click on “Clone”
Name the node and connect it to the input nodes you want it to use (your threat intel feeds). NOTE: to understand the concept of input nodes and what to connect here, refer to the MineMeld documentation.
Click on Commit
Under Nodes, select the node you created (MicrosoftGraphSecAPI in this example) and open the SETTINGS page. Edit Client_ID (the Azure Application ID), client_secret (the Azure Application key you saved) and Tenant_ID (the Azure Active Directory ID).
Select the Microsoft services you want to share this Threat Intelligence with by clicking on “Target Product”. NOTE: As of April 2019, Azure Sentinel is the only service capable of consuming third-party threat intelligence.
Azure Sentinel can be used to validate this is setup correctly. Please review these instructions for turning on Threat Intelligence in Azure Sentinel. NOTE: The MineMeld extension currently specifies the Azure Sentinel service, so that is already done for you.
Once you have this setup, you can review the indicators in the logs section:
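To check the two things this setup depends on without going through the MineMeld UI, here is an added example (not code from the MineMeld extension or from this article): it performs the OAuth2 client-credentials exchange with the Tenant ID, Application ID and key you collected above, builds a tiIndicator body with targetProduct set to "Azure Sentinel", and lists the indicators the app owns so you can confirm what MineMeld has pushed. The token endpoint, the `/beta/security/tiIndicators` resource and the field names are the public Graph Security API schema as I know it and are assumptions, not taken from the page; the exact request format the MineMeld node sends is not documented here. The environment variable names are my own choice.

```python
"""Independent check of a MineMeld -> Microsoft Graph Security API setup.

Assumptions (not from the article): Graph Security API beta schema for
tiIndicators, v2.0 token endpoint, and the AZURE_* environment variable names.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
TI_INDICATORS_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant the output
    node performs with the app registration's credentials."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" asks for the application permissions granted in the
        # portal, i.e. "Manage threat indicators this app creates or owns".
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def classify_observable(value):
    """Map a raw indicator string onto the tiIndicator observable field(s)."""
    v = value.strip()
    if _IPV4.match(v) and all(int(o) < 256 for o in v.split(".")):
        return {"networkDestinationIPv4": v}
    if v.lower().startswith(("http://", "https://")):
        return {"url": v}
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_LENGTHS:
        return {"fileHashType": _HASH_LENGTHS[len(v)], "fileHashValue": v.lower()}
    if _DOMAIN.match(v):
        return {"domainName": v.lower()}
    raise ValueError("unsupported observable: %r" % value)


def build_ti_indicator(value, description, ttl_days=30, action="alert",
                       threat_type="WatchList", tlp_level="amber",
                       target_product="Azure Sentinel"):
    """Build one tiIndicator body: the fixed keys are the ones the API
    requires, plus at least one observable field from classify_observable."""
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    body = {
        "action": action,
        "description": description,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "targetProduct": target_product,
        "threatType": threat_type,
        "tlpLevel": tlp_level,
    }
    body.update(classify_observable(value))
    return body


def get_token(tenant_id, client_id, client_secret):
    """Live call: exchange the app credentials for a bearer token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_indicators(token, target_product="Azure Sentinel"):
    """Live call: list the indicators this app owns, filtered client-side
    on targetProduct so no server-side query support is assumed."""
    req = urllib.request.Request(TI_INDICATORS_URL,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        items = json.load(resp).get("value", [])
    return [i for i in items if i.get("targetProduct") == target_product]


if __name__ == "__main__":
    # Offline: the body a constructed sample IP (documentation range) maps to.
    print(json.dumps(build_ti_indicator("198.51.100.7", "constructed sample"), indent=2))
    # Online only when the three portal values are present in the environment.
    env = {k: os.environ.get(k) for k in
           ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")}
    if all(env.values()):
        tok = get_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
        for ind in list_indicators(tok):
            observable = (ind.get("domainName") or ind.get("networkDestinationIPv4")
                          or ind.get("url") or ind.get("fileHashValue"))
            print(ind.get("id"), ind.get("threatType"), observable)
```

Run it with no environment variables to see the indicator body offline; set the three variables to the Tenant ID, Application ID and key from the portal to have it fetch the live list. A 401 or 403 on the token or list call points at the app registration (wrong key, tenant, or the "Manage threat indicators this app creates or owns" permission not granted), which is the same failure the MineMeld node would hit silently; an empty list with a valid token means the node has not yet committed any indicators for Azure Sentinel.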