Threat intelligence integration in Microsoft Sentinel

Microsoft Sentinel gives you a few different ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats.

You can use one of many available integrated threat intelligence platform (TIP) products, connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source, or use any custom solution that can communicate directly with the Microsoft Graph Security tiIndicators API.

You can also connect to threat intelligence sources from playbooks to enrich incidents with threat intelligence (TI) information that can help direct investigation and response actions.


If you have multiple workspaces in the same tenant, such as for Managed Security Service Providers (MSSPs), it may be more cost effective to connect threat indicators only to the centralized workspace.

When you have the same set of threat indicators imported into each separate workspace, you can run cross-workspace queries to aggregate threat indicators across your workspaces and correlate them within your MSSP incident detection, investigation, and hunting experience.

TAXII threat intelligence feeds

To connect to TAXII threat intelligence feeds, follow the instructions to connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds, together with the data supplied by each vendor linked below. You may need to contact the vendor directly to obtain the necessary data to use with the connector.

Accenture Cyber Threat Intelligence


Cybersixgill Darkfeed

Financial Services Information Sharing and Analysis Center (FS-ISAC)

  • Join FS-ISAC to get the credentials to access this feed.

Health intelligence sharing community (H-ISAC)

IBM X-Force








Integrated threat intelligence platform products

To connect to Threat Intelligence Platform (TIP) feeds, follow the instructions to connect Threat Intelligence platforms to Microsoft Sentinel. The second part of these instructions calls for you to enter information into your TIP solution. See the links below for more information.

Agari Phishing Defense and Brand Protection

Anomali ThreatStream

AlienVault Open Threat Exchange (OTX) from AT&T Cybersecurity

EclecticIQ Platform

  • EclecticIQ Platform integrates with Microsoft Sentinel to enhance threat detection, hunting and response. Learn more about the benefits and use cases of this two-way integration.

Group-IB Threat Intelligence and Attribution

MISP Open Source Threat Intelligence Platform

Palo Alto Networks MineMeld

Recorded Future Security Intelligence Platform

ThreatConnect Platform

ThreatQuotient Threat Intelligence Platform

Incident enrichment sources

Besides being used to import threat indicators, threat intelligence feeds can also serve as a source to enrich the information in your incidents and provide more context to your investigations. The following feeds serve this purpose, and provide Logic App playbooks to use in your automated incident response.

HYAS Insight

Recorded Future Security Intelligence Platform

ReversingLabs TitaniumCloud

RiskIQ PassiveTotal

VirusTotal

Next steps

In this document, you learned how to connect your threat intelligence provider to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles.