Threat Intelligence Upload Indicators API (Preview) connector for Microsoft Sentinel
Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the Microsoft Sentinel documentation.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ThreatIntelligenceIndicator |
| Data collection rules support | Not currently supported |
| Supported by | Microsoft Corporation |
Query samples
All Threat Intelligence APIs Indicators
ThreatIntelligenceIndicator
| where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')
| sort by TimeGenerated desc
Vendor installation instructions
You can connect your threat intelligence data sources to Microsoft Sentinel by either:
Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others.
Calling the Microsoft Sentinel data plane API directly from another application.
- Note: The 'Status' of the connector will not appear as 'Connected' here, because the data is ingested by making an API call.
Follow These Steps to Connect to your Threat Intelligence:
- Get Microsoft Entra ID Access Token
[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: /azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token
- Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]
- Send indicators to Sentinel
You can send indicators by calling our Upload Indicators API. For more information about the API, click here.
HTTP method: POST
Endpoint:
https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01
WorkspaceID: the workspace that the indicators are uploaded to.
Header Value 1: "Authorization" = "Bearer [Microsoft Entra ID Access Token from step 1]"
Header Value 2: "Content-Type" = "application/json"
Body: The body is a JSON object containing an array of indicators in STIX format.
Next steps
For more information, go to the related solution in the Azure Marketplace.