| Attribute | Value |
|---|---|
| Connector ID | ThreatIntelligence |
| Publisher | Microsoft |
| Used in Solutions | Threat Intelligence, Threat Intelligence (NEW) |
| Collection Method | Native |
| Connector Definition Files | template_ThreatIntelligence.json |
Microsoft Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as ThreatConnect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation.
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| CommonSecurityLog | ✓ | ✓ | ? |
| ThreatIntelIndicators | ✓ | ✓ | ? |
| ThreatIntelObjects | ✓ | ✓ | ? |
| ThreatIntelligenceIndicator | ✓ | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Resource Provider Permissions:
- Workspace (Workspace): read and write permissions.
Tenant Permissions: Requires GlobalAdmin, SecurityAdmin on the workspace's tenant.
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
1. You can connect your threat intelligence data sources to Microsoft Sentinel by either:
   - Using an integrated Threat Intelligence Platform (TIP), such as ThreatConnect, Palo Alto Networks MineMeld, MISP, and others.
   - Calling the Microsoft Graph Security API directly from another application.
2. Follow these steps to connect your threat intelligence:
   1) Register an application in Azure Active Directory.
   2) Configure permissions and be sure to add the ThreatIndicators.ReadWrite.OwnedBy permission to the application.
   3) Ask your Azure AD tenant administrator to grant consent to the application.
   4) Configure your TIP or other integrated application to push indicators to Microsoft Sentinel by specifying the following:
      a. The application ID and secret you received when registering the app (step 1 above).
      b. Set “Microsoft Sentinel” as the target.
      c. Set an action for each indicator. ‘alert’ is most relevant for Microsoft Sentinel use cases.
For the latest list of integrated Threat Intelligence Platforms and detailed configuration instructions, see the full documentation.
Click on "Connect" below
Data from all regions will be sent to and stored in the workspace's region.
📋 Additional Configuration Step: This connector includes a configuration step of type ThreatIntelligence. Please refer to the Microsoft Sentinel portal for detailed configuration options for this step.