Threat Intelligence (Preview)

Solution: Threat Intelligence

Threat Intelligence Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com/
Categories	domains
Version	3.1.3
Author	Microsoft - support@microsoft.com
First Published	2022-05-18
Last Updated	2026-01-27
Solution Folder	Threat Intelligence
Marketplace	Azure Marketplace · Rating: ★★☆☆☆ 2.2/5 (4 ratings) · Popularity: 🟢 High (91%)

The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 4 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 27 table(s):

Table	Used By Connectors	Used By Content
`AADNonInteractiveUserSignInLogs`	-	Analytics
`ASimAuditEventLogs`	-	Analytics
`AWSCloudTrail`	-	Analytics
`AppServiceHTTPLogs`	-	Analytics
`AuditLogs`	-	Analytics
`AzureActivity`	-	Analytics
`AzureDiagnostics` 🔶	-	Analytics
`AzureNetworkAnalytics_CL` 🔶	-	Analytics
`CloudAppEvents`	-	Analytics
`CommonSecurityLog`	Threat Intelligence Platforms	Analytics
`DeviceFileEvents`	-	Analytics
`DeviceNetworkEvents`	-	Analytics
`DnsEvents`	-	Analytics
`DuoSecurityAuthentication_CL` 🔶	-	Analytics
`EmailEvents`	-	Analytics
`EmailUrlInfo`	-	Analytics
`GitHub_CL`	-	Analytics
`OfficeActivity`	-	Analytics, Hunting
`SecurityEvent`	-	Analytics, Hunting
`SigninLogs`	-	Analytics
`Syslog`	-	Analytics, Hunting
`ThreatIntelligenceIndicator`	Microsoft Defender Threat Intelligence, Premium Microsoft Defender Threat Intelligence, Threat Intelligence Platforms, Threat Intelligence Upload API (Preview), Threat intelligence - TAXII	Analytics, Hunting, Workbooks
`UrlClickEvents`	-	Analytics
`VMConnection`	-	Analytics, Hunting
`W3CIISLog`	-	Analytics
`WindowsEvent`	-	Analytics
`WireData`	-	Hunting

Internal Tables

The following 2 table(s) are used internally by this solution's content items:

Table	Used By Connectors	Used By Content
`SecurityAlert`	-	Analytics, Workbooks
`SecurityIncident`	-	Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 58 content item(s):

Content Type	Count
Analytic Rules	52
Hunting Queries	5
Workbooks	1

Analytic Rules

Name	Severity	Tactics	Tables Used
Preview - TI map Domain entity to Cloud App Events	Medium	CommandAndControl	`CloudAppEvents` `ThreatIntelligenceIndicator`
Preview - TI map Email entity to Cloud App Events	Medium	InitialAccess	`CloudAppEvents` `ThreatIntelligenceIndicator`
Preview - TI map IP entity to Cloud App Events	Medium	CommandAndControl	`CloudAppEvents` `ThreatIntelligenceIndicator`
Preview - TI map URL entity to Cloud App Events	Medium	CommandAndControl	`CloudAppEvents` `ThreatIntelligenceIndicator`
TI Map Domain Entity to DeviceNetworkEvents	Medium	CommandAndControl	`DeviceNetworkEvents` `ThreatIntelligenceIndicator`
TI Map IP Entity to Azure SQL Security Audit Events	Medium	CommandAndControl	`AzureDiagnostics` `ThreatIntelligenceIndicator`
TI Map IP Entity to AzureActivity	Medium	CommandAndControl	`AzureActivity` `ThreatIntelligenceIndicator`
TI Map IP Entity to CommonSecurityLog	Medium	CommandAndControl	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI Map IP Entity to DeviceNetworkEvents	Medium	CommandAndControl	`DeviceNetworkEvents` `ThreatIntelligenceIndicator`
TI Map IP Entity to DnsEvents	Medium	CommandAndControl	`DnsEvents` `ThreatIntelligenceIndicator`
TI Map IP Entity to Duo Security	Medium	CommandAndControl	`DuoSecurityAuthentication_CL` `ThreatIntelligenceIndicator`
TI Map IP Entity to SigninLogs	Medium	CommandAndControl	`AADNonInteractiveUserSignInLogs` `SigninLogs` `ThreatIntelligenceIndicator`
TI Map IP Entity to VMConnection	Medium	CommandAndControl	`ThreatIntelligenceIndicator` `VMConnection`
TI Map IP Entity to W3CIISLog	Medium	CommandAndControl	`ThreatIntelligenceIndicator` `W3CIISLog`
TI Map URL Entity to AuditLogs	Medium	CommandAndControl	`AuditLogs` `ThreatIntelligenceIndicator`
TI Map URL Entity to DeviceNetworkEvents	Medium	CommandAndControl	`DeviceNetworkEvents` `ThreatIntelligenceIndicator`
TI Map URL Entity to EmailUrlInfo	Medium	CommandAndControl	`EmailEvents` `EmailUrlInfo` `ThreatIntelligenceIndicator`
TI Map URL Entity to OfficeActivity Data [Deprecated]	Medium	CommandAndControl	-
TI Map URL Entity to PaloAlto Data	Medium	CommandAndControl	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI Map URL Entity to SecurityAlert Data	Medium	CommandAndControl	`ThreatIntelligenceIndicator` Internal use: `SecurityAlert`
TI Map URL Entity to Syslog Data	Medium	CommandAndControl	`Syslog` `ThreatIntelligenceIndicator`
TI Map URL Entity to UrlClickEvents	Medium	CommandAndControl	`ThreatIntelligenceIndicator` `UrlClickEvents`
TI map Domain entity to Dns Events (ASIM DNS Schema)	Medium	CommandAndControl	`ThreatIntelligenceIndicator`
TI map Domain entity to DnsEvents	Medium	CommandAndControl	`DnsEvents` `ThreatIntelligenceIndicator`
TI map Domain entity to EmailEvents	Medium	InitialAccess	`EmailEvents` `ThreatIntelligenceIndicator`
TI map Domain entity to EmailUrlInfo	Medium	InitialAccess	`EmailEvents` `EmailUrlInfo` `ThreatIntelligenceIndicator`
TI map Domain entity to PaloAlto	Medium	CommandAndControl	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI map Domain entity to PaloAlto CommonSecurityLog	Medium	CommandAndControl	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI map Domain entity to SecurityAlert	Medium	CommandAndControl	`ThreatIntelligenceIndicator` Internal use: `SecurityAlert`
TI map Domain entity to Syslog	Medium	CommandAndControl	`Syslog` `ThreatIntelligenceIndicator`
TI map Domain entity to Web Session Events (ASIM Web Session schema)	Medium	CommandAndControl	`ThreatIntelligenceIndicator`
TI map Email entity to AzureActivity	Medium	InitialAccess	`AzureActivity` `ThreatIntelligenceIndicator`
TI map Email entity to EmailEvents	Medium	InitialAccess	`EmailEvents` `ThreatIntelligenceIndicator`
TI map Email entity to OfficeActivity	Medium	InitialAccess	`OfficeActivity` `ThreatIntelligenceIndicator`
TI map Email entity to PaloAlto CommonSecurityLog	Medium	InitialAccess	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI map Email entity to SecurityAlert	Medium	InitialAccess	`ThreatIntelligenceIndicator` Internal use: `SecurityAlert`
TI map Email entity to SecurityEvent	Medium	InitialAccess	`SecurityEvent` `ThreatIntelligenceIndicator` `WindowsEvent`
TI map Email entity to SigninLogs	Medium	InitialAccess	`AADNonInteractiveUserSignInLogs` `SigninLogs` `ThreatIntelligenceIndicator`
TI map File Hash to CommonSecurityLog Event	Medium	CommandAndControl	`CommonSecurityLog` `ThreatIntelligenceIndicator`
TI map File Hash to DeviceFileEvents Event	Medium	CommandAndControl	`DeviceFileEvents` `ThreatIntelligenceIndicator`
TI map File Hash to Security Event	Medium	CommandAndControl	`SecurityEvent` `ThreatIntelligenceIndicator` `WindowsEvent`
TI map IP entity to AWSCloudTrail	Medium	CommandAndControl	`AWSCloudTrail` `ThreatIntelligenceIndicator`
TI map IP entity to AppServiceHTTPLogs	Medium	CommandAndControl	`AppServiceHTTPLogs` `ThreatIntelligenceIndicator`
TI map IP entity to Azure Key Vault logs	Medium	CommandAndControl	`AzureDiagnostics` `ThreatIntelligenceIndicator`
TI map IP entity to AzureFirewall	Medium	CommandAndControl	`AzureDiagnostics` `ThreatIntelligenceIndicator`
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)	Medium	CommandAndControl	`AzureNetworkAnalytics_CL` `ThreatIntelligenceIndicator`
TI map IP entity to DNS Events (ASIM DNS schema)	Medium	CommandAndControl	`ThreatIntelligenceIndicator`
TI map IP entity to GitHub_CL	Medium	CommandAndControl	`GitHub_CL` `ThreatIntelligenceIndicator`
TI map IP entity to Network Session Events (ASIM Network Session schema)	Medium	CommandAndControl	`ThreatIntelligenceIndicator`
TI map IP entity to OfficeActivity	Medium	CommandAndControl	`OfficeActivity` `ThreatIntelligenceIndicator`
TI map IP entity to Web Session Events (ASIM Web Session schema)	Medium	CommandAndControl	`ThreatIntelligenceIndicator`
TI map IP entity to Workday(ASimAuditEventLogs)	Medium	CommandAndControl	`ASimAuditEventLogs` `ThreatIntelligenceIndicator`

Hunting Queries

Name	Tactics	Tables Used
TI Map File Entity to OfficeActivity Event	Impact	`OfficeActivity` `ThreatIntelligenceIndicator`
TI Map File Entity to Security Event	Impact	`SecurityEvent` `ThreatIntelligenceIndicator`
TI Map File Entity to Syslog Event	Impact	`Syslog` `ThreatIntelligenceIndicator`
TI Map File Entity to VMConnection Event	Impact	`ThreatIntelligenceIndicator` `VMConnection`
TI Map File Entity to WireData Event	Impact	`ThreatIntelligenceIndicator` `WireData`

Workbooks

Name	Tables Used
ThreatIntelligence	`ThreatIntelligenceIndicator` Internal use: `SecurityAlert` `SecurityIncident`

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.1.3	20-01-2026	Updated Analytical Rule to include the missing column.
3.1.2	26-06-2025	Updated TI Map IP Entity to CommonSecurityLog Analytical Rules to exclude private ips
3.1.1	22-01-2025	Fixed feature flag configs for PMDTI, MDTI, and UploadAPI based on the new FeatureStates. Fix api-version and documentation link for UploadAPI.
3.1.0	15-01-2025	Updated feature flags for PMDTI and MDTI for GA, and Upload API for PP.
3.0.9	04-12-2024	Modified DomainEntity_EmailUrlInfo Analytic Rule to resolve memory issues
3.0.8	28-11-2024	Removed (Preview) from name for Data Connectors Microsoft Defender Threat Intelligence and Premium Microsoft Defender Threat Intelligence, make the MDTI and PMDTI data connctors available in gov solution, and update descriptions of data connectors.
3.0.7	24-10-2024	Updated Columns of Analytical Rules
3.0.6	24-09-2024	Updated Entity Mappings of Analytical Rules
3.0.5	19-08-2024	Updated isConnectedQuery for Data Connector of "Threat Intelligence Upload Indicators API".
3.0.4	22-05-2024	Updated connectivity criteria for Data Connector and added New Data Connector for Premium Microsoft Defender Threat Intelligence (Preview)
3.0.3	21-03-2024	Updated Entity Mappings of Analytical Rules
3.0.2	23-10-2023	Updated KQL of analytic rules to improve performance in large datasets
3.0.1	22-08-2023	Removed (Preview) from Name field in Analytical Rules
3.0.0	14-08-2023	Modified Analytical Rule (TI map Domain entity to SecurityAlert). Updated dynamic([1]) to dynamic([1,1]) so as to make result array of array consistent.
		Updated Hunting Queries to have descriptions that meet the 255 characters limit.