Enable data connector for Microsoft Defender Threat Intelligence

  • Article
  • Applies to:
    Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

Bring public, open-source and high-fidelity indicators of compromise (IOCs) generated by Microsoft Defender Threat Intelligence into your Microsoft Sentinel workspace with the Defender Threat Intelligence data connectors. With a simple one-click setup, use the threat intelligence from the standard and premium Defender Threat Intelligence data connectors to monitor, alert, and hunt.

Important

The Defender Threat Intelligence data connector and the premium Defender Threat Intelligence data connector are currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

For more information about the benefits of the standard and premium Defender Threat Intelligence data connectors, see Understand threat intelligence.

Prerequisites

  • To install, update, and delete standalone content or solutions in the Content hub, you need the Microsoft Sentinel Contributor role at the resource group level.
  • To configure these data connectors, you must have read and write permissions to the Microsoft Sentinel workspace.

Install the threat intelligence solution in Microsoft Sentinel

To import threat indicators into Microsoft Sentinel from standard and premium Defender Threat Intelligence, follow these steps:

  1. For Microsoft Sentinel in the Azure portal, under Content management, select Content hub.

    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Content management > Content hub.

  2. Find and select the Threat Intelligence solution.

  3. Select the Install/Update button.

For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

Enable the Defender Threat Intelligence data connector

  1. For Microsoft Sentinel in the Azure portal, under Configuration, select Data connectors.

    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configuration > Data connectors.

  2. Find and select the Defender Threat Intelligence data connector Open connector page button.

    Screenshot that shows the Data connectors page with the Defender Threat Intelligence data connector listed.

  3. Enable the feed by selecting Connect.

    Screenshot that shows the Defender Threat Intelligence Data connector page and the Connect button.

  4. When Defender Threat Intelligence indicators start populating the Microsoft Sentinel workspace, the connector status displays Connected.

At this point, the ingested indicators are now available for use in the TI map... analytics rules. For more information, see Use threat indicators in analytics rules.

Find the new indicators on the Threat intelligence pane or directly in Logs by querying the ThreatIntelligenceIndicator table. For more information, see Work with threat indicators.

Related content

In this article, you learned how to connect Microsoft Sentinel to the Microsoft threat intelligence feed with the Defender Threat Intelligence data connector. To learn more about Defender Threat Intelligence, see the following articles: