แก้ไข

แชร์ผ่าน


Threat Intelligence Upload Indicators API (Preview) connector for Microsoft Sentinel

Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the Microsoft Sentinel documentation.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ThreatIntelligenceIndicator
Data collection rules support Not currently supported
Supported by Microsoft Corporation

Query samples

All Threat Intelligence APIs Indicators

ThreatIntelligenceIndicator 
| where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')
| sort by TimeGenerated desc

Vendor installation instructions

You can connect your threat intelligence data sources to Microsoft Sentinel by either:

Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others.

Calling the Microsoft Sentinel data plane API directly from another application.

  • Note: The 'Status' of the connector will not appear as 'Connected' here, because the data is ingested by making an API call.

Follow These Steps to Connect to your Threat Intelligence:

  1. Get Microsoft Entra ID Access Token

[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: /azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token

  • Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]
  1. Send indicators to Sentinel

You can send indicators by calling our Upload Indicators API. For more information about the API, click here.

HTTP method: POST

Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01

WorkspaceID: the workspace that the indicators are uploaded to.

Header Value 1: "Authorization" = "Bearer [Microsoft Entra ID Access Token from step 1]"

Header Value 2: "Content-Type" = "application/json"

Body: The body is a JSON object containing an array of indicators in STIX format.

Next steps

For more information, go to the related solution in the Azure Marketplace.