pduggusa/dugganusa-sentinel

GitHub: pduggusa/dugganusa-sentinel

A Microsoft Sentinel data connector that bulk-imports DugganUSA threat indicators via TAXII 2.1 and enables automatic correlation and hunting.

Stars: 0 | Forks: 0

# DugganUSA Microsoft Sentinel Connector

**Import 1M+ threat indicators into Microsoft Sentinel via TAXII 2.1. One-click deployment.**

## Deploy

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fpduggusa%2Fdugganusa-sentinel%2Fmain%2FSolution%2FData%2520Connectors%2Fdugganusa-taxii-connector.json)

Or deploy via the CLI:

```
az deployment group create \
  --resource-group YOUR_RG \
  --template-file "Solution/Data Connectors/dugganusa-taxii-connector.json" \
  --parameters workspaceName=YOUR_WORKSPACE apiKey=dugusa_YOUR_KEY
```

## Features

- Connects Sentinel to the DugganUSA TAXII 2.1 endpoint
- Polls every 1/6/12/24 hours (configurable)
- Populates the `ThreatIntelligenceIndicator` table
- Indicators automatically correlate with CommonSecurityLog, Syslog, AzureActivity and more
- Includes KQL hunting queries for IOC matching and new-C2 detection

## TAXII 2.1 Endpoint

```
Server: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2
Collection: dugganusa-threats
Auth: api-key / dugusa_YOUR_KEY (or blank for free tier)
```

## Included Hunting Queries

- `dugganusa-ioc-match.kql` — correlates firewall/proxy logs with DugganUSA IOCs
- `dugganusa-new-c2.kql` — alerts on connections to newly indexed C2 infrastructure

## Free API Key

[analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register) — usable without a key as well, within the free-tier limits.

## Part of the DugganUSA Ecosystem

- [VS Code extension](https://marketplace.visualstudio.com/items?itemName=DugganUSALLC.dugganusa-threat-intel)
- [Splunk TA](https://github.com/pduggusa/dugganusa-splunk)
- [CLI tool](https://github.com/pduggusa/dugganusa-cli)
- [GitHub Action](https://github.com/pduggusa/dugganusa-action)
- [Chrome extension](https://github.com/pduggusa/dugganusa-chrome)
- [Slack bot](https://github.com/pduggusa/dugganusa-slack)
- [STIX feed](https://analytics.dugganusa.com/api/v1/stix-feed)
- [dugganusa.com](https://www.dugganusa.com)

## License

MIT — [DugganUSA LLC](https://www.dugganusa.com)
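To make the connector's pipeline concrete (poll the TAXII 2.1 collection, keep only live STIX 2.1 indicators, join them against firewall/proxy records the way the `ThreatIntelligenceIndicator` / `CommonSecurityLog` hunting queries do), here is an added, offline Python walk-through. It is not code from the dugganusa-sentinel project. It assumes the API key is sent as HTTP Basic with username `api-key` (that is how the `Auth: api-key / dugusa_YOUR_KEY` line above maps onto Sentinel's TAXII username/password fields); the envelope, indicator ids and log records are constructed for the demo, and the request is built but never sent.

```python
"""Offline model of what the Sentinel TAXII 2.1 connector does with the DugganUSA
collection: build the 'get objects' request, read a TAXII envelope, keep only live
STIX 2.1 indicators, and correlate them against CommonSecurityLog-style records.
Added example, not code from the dugganusa-sentinel project."""
import re
from base64 import b64encode
from datetime import datetime, timezone

TAXII_SERVER = "https://analytics.dugganusa.com/api/v1/stix-feed/taxii2"
COLLECTION = "dugganusa-threats"
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# STIX 2.1 comparison expressions this toy extractor understands.
_PATTERN_RE = re.compile(
    r"(ipv4-addr:value|domain-name:value|url:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'"
)


def build_objects_request(server, collection, api_key=None, added_after=None, limit=100):
    """Return (url, headers, params) for TAXII 2.1 GET {api-root}/collections/{id}/objects/.
    Assumption: the key travels as HTTP Basic 'api-key:<key>', which is how the README's
    'Auth: api-key / dugusa_YOUR_KEY' line maps onto Sentinel's username/password fields."""
    url = f"{server}/collections/{collection}/objects/"
    headers = {"Accept": TAXII_MEDIA_TYPE}
    if api_key:
        headers["Authorization"] = "Basic " + b64encode(f"api-key:{api_key}".encode()).decode()
    params = {"limit": limit}
    if added_after:
        params["added_after"] = added_after  # incremental poll: only objects added since last run
    return url, headers, params


def _parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def extract_live_indicators(envelope, now):
    """Map (observable kind, lowercased value) -> indicator, skipping revoked or expired ones.
    This mirrors the filter the Sentinel queries apply (Active == true, ExpirationDateTime > now())."""
    live = {}
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and _parse_time(until) <= now:
            continue
        for kind, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            live[(kind, value.lower())] = obj
    return live


def correlate(records, iocs):
    """Join CommonSecurityLog-style records against the live IOC table, field by field."""
    hits = []
    for rec in records:
        for kind, field in (("ipv4-addr:value", "DestinationIP"),
                            ("domain-name:value", "DestinationHostName"),
                            ("url:value", "RequestURL"),
                            ("file:hashes.'SHA-256'", "FileHash")):
            value = rec.get(field)
            if value and (kind, value.lower()) in iocs:
                ind = iocs[(kind, value.lower())]
                hits.append({"Computer": rec["Computer"], "field": field, "value": value,
                             "indicator": ind["id"], "confidence": ind.get("confidence")})
    return hits


# --- constructed sample data: not a real feed page, not real traffic ---
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 80,
         "id": "indicator--0f3c7e2a-4c1e-4b8e-9c1a-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR domain-name:value = 'c2.example.test']",
         "valid_from": "2025-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 60,
         "id": "indicator--0f3c7e2a-4c1e-4b8e-9c1a-000000000002",
         "pattern": "[ipv4-addr:value = '198.51.100.9']",
         "valid_from": "2024-06-01T00:00:00Z", "valid_until": "2024-12-31T00:00:00Z"},  # expired
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "revoked": True,
         "id": "indicator--0f3c7e2a-4c1e-4b8e-9c1a-000000000003",
         "pattern": "[url:value = 'http://drop.example.test/x']",
         "valid_from": "2025-01-02T00:00:00Z"},
    ],
}
SAMPLE_LOGS = [
    {"Computer": "fw-edge-01", "DestinationIP": "203.0.113.7"},
    {"Computer": "proxy-01", "DestinationIP": "10.0.0.5", "DestinationHostName": "C2.Example.test",
     "RequestURL": "http://C2.Example.test/beacon"},
    {"Computer": "fw-edge-01", "DestinationIP": "198.51.100.9"},          # expired IOC: no hit
    {"Computer": "proxy-01", "RequestURL": "http://drop.example.test/x"},  # revoked IOC: no hit
]


def run_demo():
    """Two hits are expected: the live IP and the live domain (matched case-insensitively)."""
    iocs = extract_live_indicators(SAMPLE_ENVELOPE, NOW)
    return correlate(SAMPLE_LOGS, iocs)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Two details worth carrying over to real hunting queries: indicators that are revoked or past `valid_until` must drop out of the match table (otherwise stale infrastructure keeps raising alerts), and host/domain matching should be case-insensitive, since proxies log whatever case the client sent. For a real poll, persist the `added_after` timestamp between runs so each cycle only fetches new objects and follows `next` while the envelope reports `"more": true`.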
Tags: AMSI bypass, AzureActivity, Azure deployment, C2 detection, Chrome extension, CLI tool, CommonSecurityLog, DugganUSA ecosystem, GitHub Action, IOC, KQL queries, Microsoft Sentinel, Slack bot, Splunk TA, Syslog, TAXII 2.1, VS Code extension, free API key, Content Hub, threat intelligence, threat detection, developer tools, indicator matching, data connector, log correlation, cybersecurity, auto-enrichment, reverse-engineering tools, privacy protection