Connect the threat intelligence TAXII connector


Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes.

In the Azure portal, navigate to Microsoft Sentinel > Data connectors and then select the Threat Intelligence - TAXII connector.

To view the connector page:

  1. Select the Data connectors page.

  2. Select Threat intelligence - TAXII.

  3. Select Open connector page on the preview pane.

  4. Specify the required and optional information in the text boxes.

    • Friendly name (for server)

    • API root URL

    • Collection ID

    • Username

    • Password

  5. Select Add to enable the connection.

The list of configured TAXII servers shows the currently connected TAXII servers and the last indicator received time. The ellipsis at the end of the configured server provides the option to remove the server configuration.

Screenshot of the Sentinel TAXII Connector page.
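A pre-flight check for the values entered in step 4, as an added example that is not part of the original page or of Microsoft Sentinel. It builds the TAXII 2.1 collections request for an API root URL and checks a collections listing for the Collection ID. The host name, collection IDs, sample response, and the use of HTTP Basic authentication are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import urlsplit
from urllib.request import Request

TAXII21 = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

# Constructed sample of a TAXII 2.1 "GET {api-root}/collections/" response.
SAMPLE_LISTING = json.loads("""
{"collections": [
  {"id": "11111111-1111-4111-8111-111111111111", "title": "Indicators",
   "can_read": true, "can_write": false,
   "media_types": ["application/stix+json;version=2.1"]},
  {"id": "22222222-2222-4222-8222-222222222222", "title": "Inbox",
   "can_read": false, "can_write": true}
]}
""")

def normalize_api_root(url):
    """Return the API root with one trailing slash; reject risky forms."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("API root must be an https:// URL")
    if parts.username or parts.password:
        raise ValueError("use the Username/Password fields, not the URL")
    if parts.query or parts.fragment:
        raise ValueError("API root must not carry a query or fragment")
    return url.rstrip("/") + "/"

def collections_request(api_root, username=None, password=None):
    """Build (do not send) the request that lists collections."""
    req = Request(normalize_api_root(api_root) + "collections/",
                  headers={"Accept": TAXII21})
    if username is not None:  # assumption: server uses HTTP Basic auth
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    return req

def check_collection(listing, collection_id):
    """Return a list of problems; an empty list means the ID is usable."""
    for col in listing.get("collections", []):
        if col.get("id") != collection_id:
            continue
        problems = []
        if not col.get("can_read", False):
            problems.append("collection is not readable with these credentials")
        media = col.get("media_types", [])
        if media and not any("stix+json" in m for m in media):
            problems.append("collection does not serve STIX JSON")
        return problems
    return ["collection ID not found under this API root"]
```

To check a live server, pass the request from collections_request to urllib.request.urlopen and give the decoded JSON body to check_collection.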