# Bi-directional sharing of threat indicators with Microsoft Sentinel and the ACSC Cyber Threat Intelligence Sharing platform

# Introduction

The purpose of this document is to define detailed procedures for the configuration of
Microsoft Sentinel to onboard to the Australian Cyber Security Centre (ACSC) Cyber Threat Intelligence Sharing (CTIS) platform.

# Background

The CTIS service is only available to organisations that have signed up as a deeded ACSC Network Partner. To initiate onboarding to the CTIS service, please register your interest via the ACSC Partner Portal on the CTIS page. Once the initial onboarding process is completed, the CTIS Service Desk will be in contact to arrange a technical onboarding session in which the following steps will be completed. Optionally, ACSC Partners can choose to contribute indicators from Sentinel to the CTIS Community. A separate set of credentials will be provisioned for contribution, upon confirmation of readiness to contribute to the service.

>**Note:**
>
>The following general rules apply to content being submitted to CTIS:
>1. All contributions must meet the minimum requirements of the CTIS data model, sent to Partners during onboarding. At minimum CTIS requires the following attributes:
>    a. Traffic Light Protocol (TLP) marking indicating the shareability of the indicators. Note that the playbook sets a default TLP tag as a STIX marking definition, which can be fine-tuned per indicator using Labels.
>    b. Confidence level indicating the confidence in the accuracy of the intelligence; this can be selected during submission by the end user.
>2. Please only share validated indicators that appear to be associated with malicious activity; an investigation can produce many types of indicators that are not relevant to CTIS.
>3. Context is key: please use the description and label fields to provide additional information about the incident.
>4. All content submitted to CTIS is validated by a CTIS Threat Intelligence team analyst for accuracy and correlation. Please consider whether indicators may be relevant to the wider CTIS community before submission.

# Steps to complete on Microsoft Azure to Consume from CTIS

1. From the Azure portal, navigate to the Microsoft Sentinel service.

![](media/image1.png)

2. Choose the workspace into which you want to import threat indicators from the TAXII server.

![](media/image2.png)

3. Select **Content Hub** from the left toolbar, select **Threat Intelligence** from the connectors gallery, and click **Install**.

![](media/image3.png)

Once installed, select **Data Connectors** from the left toolbar, select **Threat Intelligence – TAXII**, then click **Open connector page**.

![](media/image4.png)

4. Enter a friendly name for this TAXII server Collection, the API Root URL, the Collection ID, a Username and a Password, then choose the group of indicators to import and the polling frequency you want. Select the **Add** button.

![](media/image5.png)

| Parameter | Value |
| :--- | :--- |
| **Friendly Name** | Feed Name |
| **API root URL** | Feed URL |
| **Collection ID** | Feed UUID |
| **Username** | Partner Username |
| **Password** | Partner Password |
| **Import Indicators** | At most one month old |
| **Polling Frequency** | Once an hour |

5. You should receive confirmation that a connection to the TAXII server was established successfully. You may repeat the previous step as many times as needed to connect to multiple Collections from one or more TAXII servers.

![](media/image6.png)

![](media/image7.png)

# Configuring Sentinel Playbook to Contribute to CTIS

This playbook configures Sentinel with the functionality to send created indicators back to CTIS. It is a Logic App that bundles indicators from Sentinel into a STIX package for submission to CTIS.

*Note: you will need to ensure you are logged in with an account that has full access to the Azure subscription before attempting these steps.*

1. From the Azure portal, navigate to the Microsoft Sentinel service.

![](media/image1.png)

2. Choose the workspace.

![](media/image2.png)

3. Select **Content Hub**, search for **Australian Cyber Security Centre**, and click **Install**. The current version is **3.0.2**.

![](media/image8.png)

4. After installation is complete, click **Manage**, and on the following page select the Logic App called _AusCtisExportTaggedIndicators_ and click **Configuration**.

![](media/image9.png)

![](media/image10.png)

5. Select the Logic App called _AusCtisExportTaggedIndicators_ and click **Create Playbook**.

![](media/image11.png)

6. Leave all the displayed fields at their defaults and click **Next: Parameters \>**.

![](media/image12.png)

7. Enter the required parameters, then click **Next: Review and create \>**.

| Parameter | Value |
| :--- | :--- |
| **TAXIIServerRootURL** | TAXII Server URL provided by CTIS |
| **TAXIIServerUsername** | Partner Username provided by CTIS |
| **TAXIIServerPassword** | Partner Password provided by CTIS |
| **CollectionID** | Partner collection UUID created and provided by CTIS |
| **OrganizationUUID** | Organization identifier; use the CollectionID value provided by CTIS |
| **SentinelWorkspace** | Name of your Sentinel instance |
| **Default TLP Label** | Default TLP Label applied to all future submissions. You can still define a TLP per indicator through tags |

![](media/image13.png)

8. Confirm the parameters and press **Create and continue to designer**.

![](media/image14.png)

9.
   Navigate to the Log Analytics Workspace that Sentinel is deployed to, and open **Access Control (IAM)**. Select **Add role assignment**.

![](media/image15.png)

![](media/image16.png)

10. Search for Contributor and select **Contributor**. Click **Next**.

![](media/image17.png)

11. Select **Managed Identity**, then click **Select members**. In the right-hand menu under Managed Identity, select **Logic App**, then select **AusCtisExportTaggedIndicators**. Click **Select**, then on the main page click **Review + assign**.

![](media/image18.png)

12. In Sentinel, to create a test event, go to **Threat Intelligence**, then click **Add new**.

![](media/image19.png)

13. Add the required fields and click **Apply**. Please include a Traffic Light Protocol (TLP) colour rating for the intelligence, adhering to the TLP definitions for sharing:
[**https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage**](https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage)
    - Specify the TLP as a Tag, in the format `TLP:<colour>`, for instance:
        - TLP:Green
        - TLP:Amber
        - TLP:Clear

>**Note – CTIS will not process TLP:Red indicators**

![](media/image20.png)

14. Go to the created Logic App and click **Run Trigger**. This will push the event to CTIS.

![](media/image21.png)

The Logic App runs once per day by default.

**Recommendation:** CTIS packages contributions by Partners into a single STIX package. It is recommended that the playbook only be run once all Indicators have been tagged for Export by adding the AusCtisExport tag. This ensures CTIS threat analysts have the contextual information needed to link indicators into a single campaign.
If there is uncertainty, a CTIS Threat Intel Analyst will contact the submitting organisation for clarity.

# Guidance for creating a new indicator to share with CTIS

Indicators can be created manually in Microsoft Sentinel under **Threat management \> Threat intelligence**, or you can select the **Add to TI** option for an entity from the incident investigation pages.

![](media/image22.png)

![](media/image23.png)

![](media/image26.png)

![](media/indicator.png)

# Microsoft Sentinel Threat Intelligence Indicators for use with CTIS

Supported types for creation through the UI: **file**, **domain-name**, **url**, **ipv4-addr**, **ipv6-addr**. Indicators of type **Multiple** or **email-addr** can be viewed but not created.

Common elements: **Description**, **Name**, **Tags**, **Threat types**, **Revoked**, **Confidence**, **Kill chains** (Lockheed Martin), **Valid from**, **Valid until**. All are optional except **Valid from**.

Current use of tags (free text entry):

- **TLP:** _**[value]**_, checked by the playbook for specific values; otherwise the default is used.
- **Incident ID:** _**[id]**_, added by Sentinel when creating an indicator from an incident; the playbook currently adds this to the description.
- **ACSC Export/ACSC Export Complete**, identifies indicators to be processed by the playbook, and marks them once submission is complete.

>**NOTE: All indicators that are related to the same Incident in Sentinel should be submitted in a single run of the playbook.
>If multiple incidents are being submitted, please run the playbook once after tagging the indicators, separately mapping each to its Incident ID.**

![](media/image27.png) ![](media/image28.png) ![](media/image29.png) ![](media/image30.png) ![](media/image31.png)
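The tag rules above (a `TLP:<colour>` tag with a configured default, TLP:Red not accepted, the Incident ID tag carried into the description, and ACSC Export / ACSC Export Complete deciding what is bundled) can be checked against a batch of indicators before the playbook is run. The Python below is an added example written for this page, not the AusCtisExportTaggedIndicators Logic App's own code; the record shape, field names, sample indicators and marking-definition identifiers are constructed for illustration, and the CTIS data model sent at onboarding governs the real submission format.

```python
# Added example (not the AusCtisExportTaggedIndicators Logic App's code): CTIS tag rules over Sentinel-style records.
import re
import uuid
from datetime import datetime, timezone

EXPORT_TAG, DONE_TAG = "ACSC Export", "ACSC Export Complete"
ACCEPTED_TLP = ("clear", "green", "amber")   # TLP:Red is not processed by CTIS
TLP_RE = re.compile(r"^TLP:\s*([A-Za-z]+)$", re.IGNORECASE)
INCIDENT_RE = re.compile(r"^Incident ID:\s*(\S+)$", re.IGNORECASE)

def tlp_marking_ref(colour):
    # Constructed, stable id for the example; the CTIS data model defines the real markings.
    return "marking-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "tlp:" + colour))

def resolve_tlp(tags, default_tlp):
    """Colour from a TLP:<colour> tag, else the default; TLP:Red or unknown colours raise."""
    for tag in tags:
        if m := TLP_RE.match(tag.strip()):
            colour = m.group(1).lower()
            if colour not in ACCEPTED_TLP:
                raise ValueError(f"TLP:{colour.capitalize()} is not accepted by CTIS")
            return colour
    return default_tlp

def to_stix_indicator(ind, default_tlp):
    """One record -> STIX 2.1 indicator dict; Incident ID tags are folded into the description."""
    tags, description = ind.get("tags", []), ind.get("description", "")
    for m in filter(None, (INCIDENT_RE.match(t.strip()) for t in tags)):
        description = f"{description} [Sentinel Incident ID: {m.group(1)}]".strip()
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "name": ind["name"], "description": description,
            "pattern": ind["pattern"], "pattern_type": "stix", "valid_from": ind["valid_from"],
            "confidence": ind["confidence"],   # required by the CTIS data model; KeyError if absent
            "object_marking_refs": [tlp_marking_ref(resolve_tlp(tags, default_tlp))]}

def build_bundle(indicators, default_tlp="amber"):
    """Bundle records tagged for export and not yet completed; return (name, reason) for failures."""
    objects, skipped = [], []
    for ind in indicators:
        if EXPORT_TAG not in ind.get("tags", []) or DONE_TAG in ind.get("tags", []):
            continue
        try:
            objects.append(to_stix_indicator(ind, default_tlp))
        except (ValueError, KeyError) as exc:
            skipped.append((ind.get("name"), str(exc)))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, skipped

VALID_FROM = "2023-12-01T00:00:00Z"   # constructed sample records follow; none are real indicators
SAMPLE = [
    {"name": "c2-ip", "tags": ["ACSC Export", "TLP:Green", "Incident ID: 1042"], "confidence": 80,
     "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_from": VALID_FROM,
     "description": "Beaconing destination seen during incident triage"},
    {"name": "phish-domain", "tags": ["ACSC Export"], "confidence": 60,
     "pattern": "[domain-name:value = 'login.example.invalid']", "valid_from": VALID_FROM},
    {"name": "internal-only", "tags": ["ACSC Export", "TLP:Red"], "confidence": 90,
     "pattern": "[url:value = 'http://example.invalid/a']", "valid_from": VALID_FROM},
    {"name": "already-sent", "tags": ["ACSC Export", "ACSC Export Complete"], "confidence": 70,
     "pattern": "[url:value = 'http://example.invalid/b']", "valid_from": VALID_FROM},
]
```

Running `build_bundle(SAMPLE)` bundles the first two records (the second with the default TLP), reports the TLP:Red record as skipped, and ignores the record already marked complete.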