Home
Threat Intelligence
Learn how Threat Intelligence quickly detects threats to OT/IoT systems and defends against cyberattacks.
Configuration
Details on how to configure Threat Intelligence.
Threat Intelligence Feed
Configuration
Configure Microsoft Sentinel
Once the Threat Intelligence - TAXII data connector is installed, you need to configure the TAXII server.

Threat Intelligence
Learn how Threat Intelligence quickly detects threats to OT/IoT systems and defends against cyberattacks.
- Introduction
  An overview of Threat Intelligence.
- Requirements
  A description of the requirements that are necessary to install and use Threat Intelligence.
- Configuration
  Details on how to configure Threat Intelligence.
  - Configure a Threat Intelligence license
    Before you can use the Threat Intelligence, you must install a license.
  - Enable automatic updates
    If you are connected to Vantage, or a Central Management Console (CMC), you can enable automatic Threat Intelligence updates.
  - Configure manual updates
    If your sensor, or Central Management Console (CMC), is not connected to the internet, you can update Threat Intelligence manually.
  - Sensor-level contents management
    By default, Threat Intelligence contents can only be managed on the top-level sensor. However, this policy can be customized to allow any sensor in the solution to add, edit, enable or disable individual contents.
  - Manage contents at sensor level
    You can change the status of the Enable local contents toggle to change how the Threat Intelligence contents are managed.
  - Threat Intelligence Feed
    - Introduction
    - Requirements
    - Configuration
      - taxii2client configuration
        Learn how to use the minimal Python library from OASIS to set up a taxii2client to interact with the TAXII server from Nozomi Networks. This includes integration for software that does not support the TAXII 2.0 protocol.
      - Configure Anomali STAXX
        Do this procedure to configure the Anomali STAXX, a free TAXII/STIX solution, for integration with the Nozomi Networks TAXII server, including setting descriptions, uniform resource locators (URLs), and authentication details.
      - Configure Microsoft Sentinel
        Once the Threat Intelligence - TAXII data connector is installed, you need to configure the TAXII server.
      - Configure ThreatQ
        Follow these steps to add and enable a new TAXII feed integration in ThreatQ, verify indicator ingestion, and monitor the integration's status through the Activity Log.
      - Configure QRadar
        Do this procedure to integrate a new TAXII feed into QRadar to enhance threat intelligence capabilities. This procedure covers adding the feed, ensuring full indicator ingestion, and monitoring the integration via the Activity Log for optimal security posture.
    - Troubleshooting
- Maintenance
  Information on how to maintain Threat Intelligence.
- Print format documentation
  A list of all the print-format documentation that is available for Threat Intelligence.

Configure Microsoft Sentinel

Once the Threat Intelligence - TAXII data connector is installed, you need to configure the TAXII server.

About this task

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics. Microsoft Sentinel can interact with Trusted Automated Exchange of Indicator Information (TAXII) servers using the Threat Intelligence - TAXII data connector. For more details on Microsoft TAXII configuration, see the Microsoft documentation.

Procedure

Open Microsoft Sentinel.
Select the Threat Intelligence - TAXII data connector for Microsoft Sentinel.
In the bottom right section, select Open connector page.
The connector settings for Microsoft Sentinel show.
Use the /root/ endpoint to add each collection individually for Microsoft Sentinel.

Note:
Make sure that you use the /root/ endpoint instead of the discovery endpoint /taxii/.
To verify that the operation was successful, make sure that you can see a message on the right.

You can now access the indicators from the Threat Intelligence page.

Results

Microsoft Sentinel has now been configured.