Threat Intelligence Upload API (Preview)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
| Attribute | Value |
|---|---|
| Connector ID | ThreatIntelligenceUploadIndicatorsAPI |
| Publisher | Microsoft |
| Used in Solutions | Threat Intelligence (NEW) |
| Collection Method | Unknown |
| Connector Definition Files | template_ThreatIntelligenceUploadIndicators_ForGov.json |
| Microsoft Learn | View on Learn |
Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the Microsoft Sentinel documentation.
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
ThreatIntelIndicators |
✓ | ✓ | ✗ |
ThreatIntelObjects |
✓ | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions:
- Workspace (Workspace): write permissions are required.
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
1. You can connect your threat intelligence data sources to Microsoft Sentinel by either:
Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others.
Calling the Microsoft Sentinel data plane API directly from another application.
- Note: The 'Status' of the connector will not appear as 'Connected' here, because the data is ingested by making an API call.
2. Follow These Steps to Connect to your Threat Intelligence:
1. Get Microsoft Entra ID Access Token
To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token
- Notice: Please request Microsoft Entra ID access token with scope value:
Fairfax: https://management.usgovcloudapi.net/.default
Mooncake: https://management.chinacloudapi.cn/.default
2. Send STIX objects to Sentinel
You can send the supported STIX object types by calling our Upload API. For more information about the API, click here.
HTTP method: POST
Endpoint: Fairfax: https://api.ti.sentinel.azure.us/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01-preview Mooncake: https://api.ti.sentinel.azure.cn/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01-preview
WorkspaceID: the workspace that the STIX objects are uploaded to.
Header Value 1: "Authorization" = "Bearer [Microsoft Entra ID Access Token from step 1]"
Header Value 2: "Content-Type" = "application/json"
Body: The body is a JSON object containing an array of STIX objects.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊