Connect your threat intelligence platform to Microsoft Sentinel with the Upload Indicators API

Many organizations use threat intelligence platform (TIP) solutions to aggregate threat indicator feeds from various sources. From the aggregated feed, the data is curated to apply to security solutions such as network devices, EDR/XDR solutions, or security information and event management (SIEM) solutions such as Microsoft Sentinel. By using the Threat Intelligence Upload Indicators API, you can use these solutions to import threat indicators into Microsoft Sentinel.

The Upload Indicators API ingests threat intelligence indicators into Microsoft Sentinel without the need for the data connector. The data connector only mirrors the instructions for connecting to the API endpoint described in this article and the API reference document Microsoft Sentinel Upload Indicators API.

Screenshot that shows the threat intelligence import path.

For more information about threat intelligence, see Threat intelligence.

Important

The Microsoft Sentinel Threat Intelligence Upload Indicators API is in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for more legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

For more information, see Connect Microsoft Sentinel to STIX/TAXII threat intelligence feeds.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Prerequisites

  • To install, update, and delete standalone content or solutions in the Content hub, you need the Microsoft Sentinel Contributor role at the resource group level. You don't need to install the data connector to use the API endpoint.
  • You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.
  • You must be able to register a Microsoft Entra application.
  • Your Microsoft Entra application must be granted the Microsoft Sentinel Contributor role at the workspace level.

Instructions

Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:

  1. Register a Microsoft Entra application, and then record its application ID.
  2. Generate and record a client secret for your Microsoft Entra application.
  3. Assign your Microsoft Entra application the Microsoft Sentinel Contributor role or the equivalent.
  4. Configure your TIP solution or custom application.

Register a Microsoft Entra application

The default user role permissions allow users to create application registrations. If this setting was switched to No, you need permission to manage applications in Microsoft Entra. Any of the following Microsoft Entra roles include the required permissions:

  • Application administrator
  • Application developer
  • Cloud application administrator

For more information on registering your Microsoft Entra application, see Register an application.

After you register your application, record its application (client) ID from the application's Overview tab.

Generate and record a client secret

Now that your application is registered, generate and record a client secret.

Screenshot that shows client secret generation.

For more information on generating a client secret, see Add a client secret.

Assign a role to the application

The Upload Indicators API ingests threat indicators at the workspace level and allows a least-privilege role of Microsoft Sentinel Contributor.

  1. From the Azure portal, go to Log Analytics workspaces.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Role tab, select the Microsoft Sentinel Contributor role, and then select Next.

  5. On the Members tab, select Assign access to > User, group, or service principal.

  6. Select members. By default, Microsoft Entra applications aren't displayed in the available options. To find your application, search for it by name.

    Screenshot that shows the Microsoft Sentinel Contributor role assigned to the application at the workspace level.

  7. Select Review + assign.

For more information on assigning roles to applications, see Assign a role to the application.

Install the Threat Intelligence Upload Indicators API data connector in Microsoft Sentinel (optional)

Install the Threat Intelligence Upload Indicators API data connector to see the API connection instructions from your Microsoft Sentinel workspace.

  1. For Microsoft Sentinel in the Azure portal, under Content management, select Content hub.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Content management > Content hub.

  2. Find and select the Threat Intelligence solution.

  3. Select the Install/Update button.

    For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

  4. The data connector is now visible in Configuration > Data connectors. Open the Data connectors page to find more information on how to configure your application with this API.

    Screenshot that shows the Data connectors page with the Upload Indicators API data connector listed.

Configure your threat intelligence platform solution or custom application

The following configuration information is required by the Upload Indicators API:

  • Application (client) ID
  • Client secret
  • Microsoft Sentinel workspace ID

Enter these values in the configuration of your integrated TIP or custom solution where required.

  1. Submit the indicators to the Microsoft Sentinel Upload Indicators API. To learn more about the Upload Indicators API, see Microsoft Sentinel Upload Indicators API.

  2. Within a few minutes, threat indicators should begin flowing into your Microsoft Sentinel workspace. Find the new indicators on the Threat intelligence pane, which is accessible from the Microsoft Sentinel menu.

  3. The data connector status reflects the Connected status. The Data received graph is updated after indicators are submitted successfully.

    Screenshot that shows the Upload Indicators API data connector in the Connected state.

In this article, you learned how to connect your TIP to Microsoft Sentinel. To learn more about using threat indicators in Microsoft Sentinel, see the following articles: