Threat Intelligence Upload Indicators API (Preview) connector for Microsoft Sentinel

Microsoft Sentinel offers a data plane API for bringing in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses.

Connector attributes

Connector attribute            Description
Log Analytics table(s)         ThreatIntelligenceIndicator
Data collection rules support  Not currently supported
Supported by                   Microsoft Corporation

Query samples

All Threat Intelligence API indicators

ThreatIntelligenceIndicator 
| where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')
| sort by TimeGenerated desc

Vendor installation instructions

You can connect your threat intelligence data sources to Microsoft Sentinel by either:

  • Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others.

  • Calling the Microsoft Sentinel data plane API directly from another application.

Follow these steps to connect your threat intelligence:

Get Microsoft Entra access token

To send requests to the API, you need to acquire a Microsoft Entra access token. You can follow the instructions on this page: Get Microsoft Entra tokens for users by using MSAL.

  • Notice: Request the Microsoft Entra access token with the appropriate scope value.

Send indicators to Sentinel

You can send indicators by calling our Upload Indicators API. For more information about the API, click here.

HTTP method: POST

Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01

WorkspaceID: the workspace that the indicators are uploaded to.

Header Value 1: "Authorization" = "Bearer [AAD Access Token from step 1]"

Header Value 2: "Content-Type" = "application/json"

Body: The body is a JSON object containing an array of indicators in STIX format.
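The two steps above (obtain a token, then POST a STIX batch to the workspace endpoint with the two headers) as a worked example. This is added example code, not Microsoft's own client or sample, and it makes a few assumptions the page does not state: the body shape {"sourcesystem": ..., "value": [STIX objects]} and the limit of 100 indicators per request are taken from the public API reference for api-version 2022-07-01; the access token is assumed to have been acquired already (for example with MSAL, as the page says) and is passed in as a string; the indicator values are constructed test data using documentation-only addresses. The workspace ID is validated as a GUID before it is interpolated into the URL path, the Authorization header is never logged, and large indicator lists are split into batches.

```python
"""Added example: build and send Microsoft Sentinel Upload Indicators requests.

Not the page's or Microsoft's code. Assumptions (not stated on the page):
  * body shape {"sourcesystem": ..., "value": [...]} and the 100-per-request
    limit come from the public API reference for api-version 2022-07-01;
  * the Entra access token is obtained elsewhere (e.g. MSAL) and passed in.
"""
import json
import re
import uuid
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2022-07-01"
ENDPOINT_TEMPLATE = (
    "https://sentinelus.azure-api.net/workspaces/{workspace_id}"
    "/threatintelligenceindicators:upload?api-version=" + API_VERSION
)
MAX_INDICATORS_PER_REQUEST = 100  # assumed API limit, see module docstring

_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_valid_workspace_id(workspace_id: str) -> bool:
    """The workspace ID is interpolated into the URL path, so accept only a
    bare GUID; anything containing '/', '?' or '#' is rejected."""
    return bool(_GUID_RE.match(workspace_id))


def build_stix_indicator(pattern: str, name: str, valid_from=None) -> dict:
    """Minimal STIX 2.1 indicator object for one pattern such as
    "[ipv4-addr:value = '192.0.2.1']". Timestamps are UTC with a 'Z' suffix."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("STIX pattern must be enclosed in square brackets")
    when = valid_from or datetime.now(timezone.utc)
    ts = when.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def chunk_indicators(indicators, size=MAX_INDICATORS_PER_REQUEST):
    """Split a list of indicators into request-sized batches."""
    return [indicators[i:i + size] for i in range(0, len(indicators), size)]


def build_upload_request(workspace_id, access_token, source_system, indicators):
    """Return (url, headers, body_bytes) for one POST, or raise ValueError."""
    if not is_valid_workspace_id(workspace_id):
        raise ValueError("workspace_id must be a GUID")
    if not indicators or len(indicators) > MAX_INDICATORS_PER_REQUEST:
        raise ValueError(f"send 1..{MAX_INDICATORS_PER_REQUEST} indicators per request")
    url = ENDPOINT_TEMPLATE.format(workspace_id=workspace_id)
    headers = {
        "Authorization": f"Bearer {access_token}",  # never write this header to logs
        "Content-Type": "application/json",
    }
    body = json.dumps({"sourcesystem": source_system, "value": indicators}).encode("utf-8")
    return url, headers, body


def upload_indicators(workspace_id, access_token, source_system, indicators,
                      opener=urllib.request.urlopen):
    """POST every batch and return the list of HTTP status codes.
    `opener` is injectable so the flow can be exercised without network access."""
    statuses = []
    for batch in chunk_indicators(indicators):
        url, headers, body = build_upload_request(workspace_id, access_token, source_system, batch)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with opener(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Dry run: constructed indicator (RFC 5737 documentation address), placeholder IDs.
    sample = build_stix_indicator("[ipv4-addr:value = '192.0.2.1']", "constructed test indicator")
    url, headers, body = build_upload_request(
        "00000000-0000-0000-0000-000000000000", "<ENTRA_ACCESS_TOKEN>", "my-tip", [sample])
    print(url)
    print({k: v for k, v in headers.items() if k != "Authorization"})
    print(body.decode())
```

Replace the placeholder workspace ID and token with real values to send; the Authorization header is deliberately omitted from the dry-run output so a copied terminal session does not leak the bearer token.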

Next steps

For more information, go to the related solution in the Azure Marketplace.