Connect your threat intelligence platform to Microsoft Sentinel with the upload indicators API
Many organizations use threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from various sources. The aggregated feed is then curated and pushed to security solutions such as network devices, EDR/XDR solutions, or SIEMs such as Microsoft Sentinel. The Threat Intelligence Upload Indicators API data connector lets these solutions import threat indicators into Microsoft Sentinel: the TIP (or your own custom application) submits indicators to the Sentinel upload indicators API, and the connector makes them available in the workspace. For more information, see Threat Intelligence.
Important
The Microsoft Sentinel upload indicators API and Threat Intelligence Upload Indicators API data connector are in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
See also: Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds
Prerequisites
- In order to install, update and delete standalone content or solutions in content hub, you need the Microsoft Sentinel Contributor role at the resource group level.
- You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
- You must be able to register a Microsoft Entra application.
- The Microsoft Entra application must be granted the Microsoft Sentinel contributor role at the workspace level.
Instructions
Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:
- Register a Microsoft Entra application and record its application ID.
- Generate and record a client secret for your Microsoft Entra application.
- Assign your Microsoft Entra application the Microsoft Sentinel contributor role or equivalent.
- Enable the Threat Intelligence upload API data connector in Microsoft Sentinel.
- Configure your TIP solution or custom application.
Register a Microsoft Entra application
The default user role permissions allow users to create application registrations. If this setting has been switched to No, you'll need permission to manage applications in Microsoft Entra ID. Any of the following Microsoft Entra roles include the required permissions:
- Application administrator
- Application developer
- Cloud application administrator
For more information on registering your Microsoft Entra application, see Register an application.
Once you've registered your application, record its Application (client) ID from the application's Overview tab.
Generate and record client secret
Now that your application has been registered, generate and record a client secret. Treat the secret like any other credential: store it in a secrets vault rather than in the TIP's configuration files, and note its expiry date, because the API calls start failing with HTTP 401 once the secret expires.
For more information on generating a client secret, see Add a client secret.
Assign a role to the application
The upload indicators API ingests threat indicators at the workspace level, so the application needs a role assignment on the Log Analytics workspace that hosts Microsoft Sentinel. The least-privileged built-in role that the API accepts is Microsoft Sentinel Contributor; do not grant a broader role such as Owner or Contributor on the subscription.
From the Azure portal, go to Log Analytics workspaces.
Select Access control (IAM).
Select Add > Add role assignment.
In the Role tab, select the Microsoft Sentinel Contributor role > Next.
On the Members tab, select Assign access to > User, group, or service principal.
Select members. By default, Microsoft Entra applications aren't displayed in the available options. To find your application, search for it by name, then select it.
Select Review + assign.
For more information on assigning roles to applications, see Assign a role to the application.
Enable the Threat Intelligence upload indicators API data connector in Microsoft Sentinel
Enable the Threat Intelligence Upload Indicators API data connector to allow Microsoft Sentinel to receive threat indicators sent from your TIP or custom solution. These indicators are available to the Microsoft Sentinel workspace you configure.
For Microsoft Sentinel in the Azure portal, under Content management, select Content hub.
For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Content management > Content hub.
Find and select the Threat Intelligence solution.
Select the Install/Update button.
For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.
The data connector is now visible in Configuration > Data Connectors. Open the data connector page to find more information on configuring your application with this API.
Configure your TIP solution or custom application
The upload indicators API requires the following configuration information:
- Application (client) ID
- Client secret
- Microsoft Sentinel workspace ID
Enter these values in the configuration of your integrated TIP or custom solution where required.
Submit the indicators to the Microsoft Sentinel upload API. To learn more about the upload indicators API, see the reference document Microsoft Sentinel upload indicators API.
Within a few minutes, threat indicators should begin flowing into your Microsoft Sentinel workspace. Find the new indicators on the Threat intelligence page, accessible from the Microsoft Sentinel navigation menu.
Once indicators are submitted successfully, the data connector status changes to Connected and the Data received graph is updated.
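The following script is an added example, not code from the original article or from Microsoft. It plays the role of the "custom application" in the steps above: it obtains a token for the registered Microsoft Entra application with the OAuth 2.0 client-credentials grant and POSTs STIX 2.1 indicators to the upload indicators API. The endpoint host, api-version (2022-07-01), token scope, request body shape (sourcesystem plus a value array) and the 100-objects-per-request limit are taken from the upload indicators API reference linked above, not from this page, so check them against the current reference. The token request also needs the Directory (tenant) ID shown on the app's Overview page, which the configuration list above does not mention. The sample indicators are constructed from reserved documentation addresses and domains, not real IOCs.

```python
"""Minimal custom-TIP client for the Microsoft Sentinel upload indicators API.

Added example; endpoint, api-version, scope and body shape are assumptions
taken from the upload indicators API reference rather than from this article.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone

TOKEN_SCOPE = "https://management.azure.com/.default"
UPLOAD_URL = ("https://sentinelus.azure-api.net/workspaces/{workspace_id}/"
              "threatintelligenceindicators:upload?api-version=2022-07-01")
MAX_BATCH = 100  # per-request object limit from the API reference (assumption)


def make_indicator(pattern, name, confidence=50, labels=None):
    """Build a STIX 2.1 indicator object of the shape the upload API accepts."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError(f"not a STIX pattern: {pattern!r}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
        "confidence": confidence,
        "labels": labels or [],
    }


def build_batches(indicators, source_system):
    """Split indicators into request bodies that respect the per-call object limit."""
    if not indicators:
        raise ValueError("no indicators to upload")
    return [{"sourcesystem": source_system, "value": indicators[i:i + MAX_BATCH]}
            for i in range(0, len(indicators), MAX_BATCH)]


def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the client-credentials request to the Entra ID v2 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    return url, form


def get_token(tenant_id, client_id, client_secret):
    url, form = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=form, method="POST")) as resp:
        return json.load(resp)["access_token"]


def upload(workspace_id, token, body):
    """POST one batch. Success is HTTP 200 with an 'errors' list that is empty when every
    object was accepted. 401 usually means the role assignment or token scope is wrong,
    400 means a malformed STIX object, 429 means the per-workspace rate limit was hit."""
    req = urllib.request.Request(
        UPLOAD_URL.format(workspace_id=workspace_id),
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"upload failed: HTTP {e.code}: {e.read().decode(errors='replace')}") from e


if __name__ == "__main__":
    # Constructed sample indicators (RFC 5737 / RFC 2606 reserved values, not real IOCs).
    sample = [
        make_indicator("[ipv4-addr:value = '198.51.100.7']", "C2 address seen in sandbox",
                       confidence=80, labels=["malicious-activity"]),
        make_indicator("[domain-name:value = 'malware.example']", "Phishing domain",
                       confidence=60, labels=["phishing"]),
    ]
    # The values recorded in the steps above, read from the environment rather than hard-coded.
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "WORKSPACE_ID")}
    if all(env.values()):
        tok = get_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
        for batch in build_batches(sample, "MyCustomTIP"):
            print(upload(env["WORKSPACE_ID"], tok, batch))
    else:
        print(json.dumps(build_batches(sample, "MyCustomTIP")[0], indent=2))
```

Run it with TENANT_ID, CLIENT_ID, CLIENT_SECRET and WORKSPACE_ID set to the values recorded in the steps above; without them it only prints the request body it would send, which is a useful way to confirm the STIX shape before pointing the TIP at the API. A 401 from the upload endpoint while the token request itself succeeds almost always means the Microsoft Sentinel Contributor assignment was made at the wrong scope or has not propagated yet.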
Related content
In this document, you learned how to connect your threat intelligence platform to Microsoft Sentinel. To learn more about using threat indicators in Microsoft Sentinel, see the following articles.
- Understand threat intelligence.
- Work with threat indicators throughout the Microsoft Sentinel experience.
- Get started detecting threats with built-in or custom analytics rules in Microsoft Sentinel.