| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com/ |
| Categories | domains |
| Version | 3.0.13 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2025-04-02 |
| Last Updated | 2026-04-15 |
| Solution Folder | Threat Intelligence (NEW) |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (95%) |
Microsoft Sentinel has recently improved its threat intelligence hunting experience by adding support for STIX objects such as Threat Actor, Attack Pattern, Identity, and Relationship. As a result, the TI solutions have been updated to use the new ThreatIntelIndicators table. See the Microsoft Learn article "Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview)" for details.
The Threat Intelligence solution contains data connectors for importing supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data against event data, a workbook, and hunting queries. Threat indicators can be malicious IPs, URLs, file hashes, domains, email addresses, etc.
This solution provides 5 data connector(s) (plus 1 discovered ⚠️):
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
This solution uses 29 table(s):
The following 3 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityAlert | - | Analytics, Workbooks |
| SecurityIncident | - | Workbooks |
| ThreatIntelIndicators | Microsoft Defender Threat Intelligence, Premium Microsoft Defender Threat Intelligence, Threat Intelligence Platforms, Threat Intelligence Upload API (Preview), Threat intelligence - TAXII | Analytics, Hunting, Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 59 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 52 |
| Hunting Queries | 5 |
| Workbooks | 1 |
| Parsers | 1 |
| Name | Tactics | Tables Used |
|---|---|---|
| TI Map File Entity to OfficeActivity Event | Impact | OfficeActivity; Internal use: ThreatIntelIndicators |
| TI Map File Entity to Security Event | Impact | SecurityEvent; Internal use: ThreatIntelIndicators |
| TI Map File Entity to Syslog Event | Impact | Syslog; Internal use: ThreatIntelIndicators |
| TI Map File Entity to VMConnection Event | Impact | VMConnection; Internal use: ThreatIntelIndicators |
| TI Map File Entity to WireData Event | Impact | Internal use: ThreatIntelIndicators |
| Name | Tables Used |
|---|---|
| ThreatIntelligenceNew | Internal use: SecurityAlert, SecurityIncident, ThreatIntelIndicators |
| Name | Description | Tables Used |
|---|---|---|
| ThreatIntelIndicatorsv2 | - | Internal use: ThreatIntelIndicators (read) |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.17 | 02-04-2026 | Updated TI map Domain entity to SecurityAlert analytic rule with deduplication and filters |
| 3.0.16 | 25-03-2026 | Optimized TI map Domain entity to EmailUrlInfo analytic rule with deduplication and filters |
| 3.0.15 | 09-03-2026 | Update IPEntity_DuoSecurity Analytic Rule |
| 3.0.14 | 16-02-2026 | Added Analytic Rule for URL IOC |
| 3.0.13 | 27-01-2026 | Updated package to include latest query changes. |
| 3.0.12 | 23-12-2025 | Replaces the 'AlertPriority' field with 'Severity' in the IPEntity_AppServiceHTTPLogs analytic rule and updates all related references. |
| 3.0.11 | 02-12-2025 | Update Threat Intelligence package and release notes |
| 3.0.10 | 20-11-2025 | Update Syntax for IPEntity_CloudAppEvents_Updated.yaml Rule |
| 3.0.9 | 07-11-2025 | Updated EmailEntity_CloudAppEvents_Updated.yaml to adjust lookback periods to match the query period and frequency. |
| 3.0.8 | 18-10-2025 | Update IPEntity_AzureFirewall.yaml to use Resource specific tables rather than AzureDiagnostics |
| 3.0.7 | 16-10-2025 | Added new connector for Threat Intelligence TAXII export and now available in public preview. |
| 3.0.6 | 08-09-2025 | Fixed the problem related to the Workbook query |
| 3.0.5 | 03-09-2025 | Support for a new data type, ThreatIntelObjects, across multiple Threat Intelligence Data Connector templates |
| 3.0.4 | 08-08-2025 | Updated Data Connectors and Analytic Rules to ensure consistency and align with updated connector schemas or naming conventions |
| 3.0.3 | 25-07-2025 | Added several new Data Connectors for Microsoft Sentinel, aimed at enhancing threat intelligence integration capabilities |
| 3.0.2 | 10-07-2025 | Improved KQL query efficiency and accuracy |
| 3.0.1 | 17-04-2025 | Updated entity mappings of Analytic Rules |
| 3.0.0 | 02-04-2025 | Initial solution release |