Solution: CyrenThreatIntelligence
| Attribute | Value |
|---|---|
| Publisher | Data443 Risk Mitigation, Inc. |
| Support Tier | Partner |
| Support Link | https://www.data443.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Data443 Risk Mitigation, Inc. - support@data443.com |
| First Published | 2025-11-16 |
| Last Updated | 2026-03-16 |
| Solution Folder | CyrenThreatIntelligence |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |
The Cyren Threat Intelligence solution ingests Cyren IP reputation and malware URL threat intelligence into Microsoft Sentinel using the Codeless Connector Framework (CCF). It deploys REST API poller connectors, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams detect and investigate network-based threats.
This solution provides 1 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| Cyren_Indicators_CL 🔶 | Cyren Threat Intelligence | Analytics, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 4 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 3 |
| Workbooks | 1 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Cyren Feed Outage Detection | Medium | DefenseEvasion | Cyren_Indicators_CL |
| Cyren High-Risk IP Indicators | High | CommandAndControl, Impact | Cyren_Indicators_CL |
| Cyren High-Risk URL Indicators | High | InitialAccess, Execution | Cyren_Indicators_CL |
| Name | Tables Used |
|---|---|
| CyrenThreatIntelligenceDashboard | Cyren_Indicators_CL |
📄 Source: CyrenThreatIntelligence/README.md
The Cyren Threat Intelligence solution provides real-time IP reputation and malware URL feeds to detect and block malicious infrastructure. This solution deploys CCF (Codeless Connector Framework) data connectors and visualization workbooks to help security teams identify and respond to network-based threats.
Before deploying this solution, ensure you have:

- Microsoft Sentinel Workspace
  - Active Microsoft Sentinel workspace
  - Contributor permissions on the workspace
- Cyren API Credentials
  - JWT Token for IP Reputation feed
  - JWT Token for Malware URLs feed
  - Obtain these from Cyren Portal
- Azure Permissions
  - Contributor role on the resource group
  - Permission to create managed identities
  - Permission to assign RBAC roles

Follow the deployment wizard:

- Basics: Select subscription, resource group, and workspace
- Data Connectors: Enter your Cyren JWT tokens
- Security Options: (Optional) Enable Key Vault for secure token storage
- Workbooks: Choose which workbooks to deploy

Click Review + Create → Create
```powershell
# Set your parameters
$subscriptionId = "your-subscription-id"
$resourceGroupName = "your-resource-group"
$workspaceName = "your-sentinel-workspace"
$cyrenIPJwtToken = "your-ip-reputation-jwt-token"
$cyrenMalwareJwtToken = "your-malware-urls-jwt-token"

# Deploy the solution
# PowerShell continues a line with a trailing backtick, not a backslash
az deployment group create `
  --subscription $subscriptionId `
  --resource-group $resourceGroupName `
  --template-file mainTemplate.json `
  --parameters workspace=$workspaceName `
    cyrenIPJwtToken=$cyrenIPJwtToken `
    cyrenMalwareJwtToken=$cyrenMalwareJwtToken `
    deployConnectors=true `
    deployWorkbooks=true
```
[Content truncated...]
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.4 | 12-03-2026 | Optional tokens: Made both JWT tokens (IP Reputation and Malware URL) optional with conditional deployment. Customers can now install either feed or both based on their subscription — connectors are only deployed for tokens that are provided. Added helper text to UI indicating tokens are optional. Updated labels to "(Optional)" and placeholder to "Leave empty if not purchased". |
| 3.0.3 | 13-02-2026 | Duplicate ingestion fix: Increased count from 100→1000 to fetch all indicators in a single page (Cyren IP Reputation feed contains ~800 indicators, Malware URLs ~200). Increased queryWindowInMin from 15→360 minutes (6 hours) since threat intelligence feeds are relatively static. These two changes eliminate the primary cause of duplicate data ingestion — repeated multi-page fetches of the same indicator set on short polling intervals. See PR #13603 for prior paging-type fix context. |
| 3.0.2 | 11-02-2026 | Fixed CCF paging duplication bug: Changed from Offset paging to PersistentToken paging to prevent duplicate data ingestion when Cyren API startOffset exceeds initial offset. Added DCR transform filter for time-based deduplication. |
| 3.0.1 | 27-01-2026 | Cost optimization: Changed from offset-based paging to time-based filtering (startTime/endTime) to prevent historical data re-ingestion. Updated queryWindowInMin to 120 minutes per MS reviewer recommendation. |
| 3.0.0 | 16-11-2025 | Initial Cyren Threat Intelligence CCF solution package, including all connector and ARM templates. |