Cyren Threat Intelligence for Microsoft Sentinel

Solution: CyrenThreatIntelligence

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index

---

Attribute	Value
Publisher	Data443 Risk Mitigation, Inc.
Support Tier	Partner
Support Link	https://www.data443.com
Categories	Security - Threat Intelligence
Version	3.0.5
Author	Data443 Risk Mitigation, Inc. - support@data443.com
First Published	2025-11-16
Last Updated	2026-06-10
Solution Folder	CyrenThreatIntelligence
Marketplace	Azure Marketplace · Popularity: 🟡 Low (22%)

The Cyren Threat Intelligence solution provides the capability to ingest Cyren IP reputation and malware URL threat intelligence into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys REST API poller connectors, a custom log table, data collection rules, analytics rules, and visualization workbook to help security teams detect and investigate network-based threats.

Contents

• Data Connectors
• Tables Used
• Content Items
• Additional Documentation

Data Connectors

This solution provides 1 data connector(s):

• Cyren Threat Intelligence 🔶

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 1 table(s):

Table	Used By Connectors	Used By Content
Cyren_Indicators_CL 🔶	Cyren Threat Intelligence	Analytics, Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 4 content item(s):

Content Type	Count
Analytic Rules	3
Workbooks	1

Analytic Rules

Name	Severity	Tactics	Tables Used
Cyren Feed Outage Detection	Medium	DefenseEvasion	Cyren_Indicators_CL
Cyren High-Risk IP Indicators	High	CommandAndControl, Impact	Cyren_Indicators_CL
Cyren High-Risk URL Indicators	High	InitialAccess, Execution	Cyren_Indicators_CL

Workbooks

Name	Tables Used
CyrenThreatIntelligenceDashboard	Cyren_Indicators_CL

Additional Documentation

📄 Source: CyrenThreatIntelligence/README.md

Overview

The Cyren Threat Intelligence solution provides real-time IP reputation and malware URL feeds to detect and block malicious infrastructure. This solution deploys CCF (Codeless Connector Framework) data connectors and visualization workbooks to help security teams identify and respond to network-based threats.

What's Included

Data Connectors (2)

• Cyren IP Reputation - RestApiPoller connector for IP threat intelligence
• Cyren Malware URLs - RestApiPoller connector for malicious URL intelligence

Workbooks (2)

• Cyren Threat Intelligence - Overview dashboard with key metrics
• Cyren Threat Intelligence (Enhanced) - Advanced analytics and threat hunting views

Infrastructure

• Data Collection Endpoint (DCE)
• Data Collection Rules (DCRs) for both feeds
• Custom Log Analytics table (Cyren_Indicators_CL)
• User-Assigned Managed Identity for secure authentication
• Optional Azure Key Vault integration for JWT token storage

Prerequisites

Before deploying this solution, ensure you have:

1. Microsoft Sentinel Workspace

   • Active Microsoft Sentinel workspace
   • Contributor permissions on the workspace

2. Cyren API Credentials

   • JWT Token for IP Reputation feed
   • JWT Token for Malware URLs feed
   • Obtain these from Cyren Portal

3. Azure Permissions

   • Contributor role on the resource group
   • Permission to create managed identities
   • Permission to assign RBAC roles

Deployment

Option 1: Azure Portal (Recommended)

1. Navigate to Microsoft Sentinel → Content Hub

2. Search for "Cyren Threat Intelligence"

3. Click Install

4. Follow the deployment wizard:

   • Basics: Select subscription, resource group, and workspace
   • Data Connectors: Enter your Cyren JWT tokens
   • Security Options: (Optional) Enable Key Vault for secure token storage
   • Workbooks: Choose which workbooks to deploy

5. Click Review + Create → Create

Option 2: ARM Template Deployment

# Set your parameters
$subscriptionId = "your-subscription-id"
$resourceGroupName = "your-resource-group"
$workspaceName = "your-sentinel-workspace"
$cyrenIPJwtToken = "your-ip-reputation-jwt-token"
$cyrenMalwareJwtToken = "your-malware-urls-jwt-token"

# Deploy the solution
az deployment group create \
  --subscription $subscriptionId \
  --resource-group $resourceGroupName \
  --template-file mainTemplate.json \
  --parameters workspace=$workspaceName \
               cyrenIPJwtToken=$cyrenIPJwtToken \
               cyrenMalwareJwtToken=$cyrenMalwareJwtToken \
               deployConnectors=true \
               deployWorkbooks=true

Option 3: Automated PowerShell Script (DEPLOY-Cyren-CCF-Clean.ps1)

[Content truncated...]

Release Notes

Version | Date Modified (DD-MM-YYYY)| ChangeHistory |------------|-------------------------------|-------------------------------------------------------------------------------------------| | 3.0.5 | 29-05-2026 | DCR transform fix: ip_s is now populated only for IP-type indicators (type == "ip"). Malware URL indicators previously stored their UUID identifier in ip_s; that column is now empty for URL rows, which keeps the malicious URL in url_s and prevents non-IP values from appearing in IP queries. | | 3.0.4 | 12-03-2026 | Optional tokens: Made both JWT tokens (IP Reputation and Malware URL) optional with conditional deployment. Customers can now install either feed or both based on their subscription — connectors are only deployed for tokens that are provided. Added helper text to UI indicating tokens are optional. Updated labels to "(Optional)" and placeholder to "Leave empty if not purchased". | | 3.0.3 | 13-02-2026 | Duplicate ingestion fix: Increased count from 100→1000 to fetch all indicators in a single page (Cyren IP Reputation feed contains ~800 indicators, Malware URLs ~200). Increased queryWindowInMin from 15→360 minutes (6 hours) since threat intelligence feeds are relatively static. These two changes eliminate the primary cause of duplicate data ingestion — repeated multi-page fetches of the same indicator set on short polling intervals. See PR #13603 for prior paging-type fix context. | | 3.0.2 | 11-02-2026 | Fixed CCF paging duplication bug: Changed from Offset paging to PersistentToken paging to prevent duplicate data ingestion when Cyren API startOffset exceeds initial offset. Added DCR transform filter for time-based deduplication. | | 3.0.1 | 27-01-2026 | Cost optimization: Changed from offset-based paging to time-based filtering (startTime/endTime) to prevent historical data re-ingestion. Updated queryWindowInMin to 120 minutes per MS reviewer recommendation. | | 3.0.0 | 16-11-2025 | Initial Cyren Threat Intelligence CCF solution package, including all connector and ARM templates. |

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index