Lab 11 Intermediate

Connect Your First Threat Intelligence Feed

Duration: 45-60 minutes. Modules: Module 12

Objective

Connect the abuse.ch ThreatFox TAXII feed to Sentinel, enable TI matching analytics rules, hunt for IOCs in historical data, and establish the indicator lifecycle baseline from Module 12.

Required: Sentinel workspace. Contributor role.


Step 1: Configure the TAXII data connector

Navigate to: Sentinel → Data connectors → Search “Threat intelligence - TAXII”

Click Open connector page → Add TAXII server

Field: Value

Friendly name: abuse.ch ThreatFox
API root URL: https://threatfox-api.abuse.ch/api/v1/taxii2/
Collection ID: Check abuse.ch documentation for current collection
Polling frequency: Once per hour
Username / Password: Leave empty (no authentication required)

Click Add.


Step 2: Verify indicator ingestion

Wait 1-2 hours for the first poll cycle, then verify:

// Count indicators that arrived from the TAXII connector in the last 4 hours, by type
ThreatIntelligenceIndicator
| where TimeGenerated > ago(4h)
| where SourceSystem has "TAXII"
| summarize Count = count() by IndicatorType
| sort by Count desc

If this returns results, the feed is ingesting. If zero results after 2 hours, check the data connector health page for error messages.


Step 3: Enable TI matching analytics rules

Navigate to: Sentinel → Analytics → Rule templates

Filter for “Threat Intelligence.” Enable these matching rules:

Rule template                                  What it matches                               Priority
TI map IP entity to SigninLogs                 IP indicators → sign-in source IPs            High
TI map IP entity to DeviceNetworkEvents        IP indicators → endpoint network connections  Medium
TI map URL entity to EmailUrlInfo              URL indicators → email URLs                   High
TI map FileHash to DeviceFileEvents            Hash indicators → files on endpoints          Medium

For each rule, set the minimum confidence threshold:


Step 4: Run a retroactive IOC hunt

Pick 3 IP indicators from the ingested ThreatFox feed and search your historical data:

// Pick 3 recent, reasonably confident IPv4 indicators from the feed
let iocIPs = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(1d)
    | where IndicatorType == "ipv4-addr"
    | where ConfidenceScore >= 70
    | take 3
    | project NetworkIP;
// Look back 90 days across sign-ins and endpoint network events for any contact with those IPs
union
    (SigninLogs | where TimeGenerated > ago(90d)
        | where IPAddress in (iocIPs)
        | project TimeGenerated, Source="SigninLogs",
            Entity=UserPrincipalName, IP=IPAddress),
    (DeviceNetworkEvents | where TimeGenerated > ago(90d)
        | where RemoteIP in (iocIPs)
        | project TimeGenerated, Source="DeviceNetwork",
            Entity=DeviceName, IP=RemoteIP)
| sort by TimeGenerated asc

Document the results — positive or negative — in the hunting campaign format from Module 12, subsection 12.6.


Step 5: Establish the indicator hygiene baseline

// Day 1 indicator hygiene baseline: lifecycle and confidence distribution of everything ingested
ThreatIntelligenceIndicator
| summarize
    Total = count(),
    Active = countif(Active == true),
    WithExpiration = countif(isnotempty(ExpirationDateTime)),
    NoExpiration = countif(isempty(ExpirationDateTime)),
    HighConfidence = countif(ConfidenceScore >= 80),
    LowConfidence = countif(ConfidenceScore < 50)

Record these numbers. This is your Day 1 indicator baseline. Run the same query monthly to track indicator lifecycle health.
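To make concrete what the connector in Step 2 turns into ThreatIntelligenceIndicator rows, and what the Step 5 baseline is counting, here is an added Python example (not part of this lab, not Microsoft's or abuse.ch's code) that parses STIX 2.1 indicator objects as a TAXII collection would return them into the lab's column names, derives Active from valid_until and revoked, and computes the same six counts as the Step 5 query. The bundle is constructed with placeholder values; the column names (NetworkIP, Url, FileHashValue, ConfidenceScore, ExpirationDateTime, Active) follow the ThreatIntelligenceIndicator schema as used in this lab, and the rule that only single-comparison patterns are mapped is an assumption of this example, kept to show the failure mode where a compound pattern yields no row.

```python
"""Parse STIX 2.1 indicators (as pulled from a TAXII collection) into rows
shaped like Sentinel's ThreatIntelligenceIndicator table, then compute the
Step 5 hygiene baseline counts. Added example; the bundle is constructed."""
import re
from datetime import datetime, timezone

# STIX observable path -> (IndicatorType, column holding the value).
# Assumption: column names mirror the ThreatIntelligenceIndicator schema used in the lab.
PATTERN_COLUMNS = {
    "ipv4-addr:value": ("ipv4-addr", "NetworkIP"),
    "domain-name:value": ("domain-name", "DomainName"),
    "url:value": ("url", "Url"),
    "file:hashes.'SHA-256'": ("file", "FileHashValue"),
    "file:hashes.'MD5'": ("file", "FileHashValue"),
}

# Single equality comparison, e.g. [ipv4-addr:value = '203.0.113.5'].
# Compound patterns (AND/OR) deliberately do not match and are skipped.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_indicator(obj, now):
    """Return one ThreatIntelligenceIndicator-shaped row, or None if the
    object is not an indicator or its pattern cannot be mapped."""
    if obj.get("type") != "indicator":
        return None
    m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
    if not m:
        return None
    path, value = m.group(1), m.group(2)
    if path not in PATTERN_COLUMNS:
        return None
    ind_type, column = PATTERN_COLUMNS[path]
    expires = obj.get("valid_until")
    exp_dt = datetime.fromisoformat(expires.replace("Z", "+00:00")) if expires else None
    return {
        "IndicatorId": obj["id"],
        "IndicatorType": ind_type,
        column: value,
        "ConfidenceScore": obj.get("confidence", 0),
        "ExpirationDateTime": expires,
        # An indicator stops being Active once revoked or past its valid_until.
        "Active": not obj.get("revoked", False) and (exp_dt is None or exp_dt > now),
    }


def ingest(bundle, now=None):
    """Convert every mappable indicator in a STIX bundle into a row."""
    now = now or datetime.now(timezone.utc)
    rows = (parse_indicator(o, now) for o in bundle["objects"])
    return [r for r in rows if r is not None]


def hygiene_baseline(rows):
    """The same counts as the Step 5 KQL summarize."""
    return {
        "Total": len(rows),
        "Active": sum(1 for r in rows if r["Active"]),
        "WithExpiration": sum(1 for r in rows if r["ExpirationDateTime"]),
        "NoExpiration": sum(1 for r in rows if not r["ExpirationDateTime"]),
        "HighConfidence": sum(1 for r in rows if r["ConfidenceScore"] >= 80),
        "LowConfidence": sum(1 for r in rows if r["ConfidenceScore"] < 50),
    }


# Constructed sample bundle: STIX 2.1 shapes, placeholder IDs and values.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "confidence": 90,
         "valid_until": "2099-01-01T00:00:00Z"},                      # active, high confidence
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[url:value = 'http://malicious.example/payload.bin']",
         "confidence": 40},                                            # no expiration, low confidence
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "confidence": 75,
         "valid_until": "2000-01-01T00:00:00Z"},                      # expired -> not Active
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
         "confidence": 85},                                            # compound pattern -> skipped
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000009",
         "name": "constructed feed"},                                  # not an indicator -> skipped
    ],
}

if __name__ == "__main__":
    rows = ingest(SAMPLE_BUNDLE)
    for r in rows:
        print(r["IndicatorType"], r["Active"], r["ConfidenceScore"])
    print(hygiene_baseline(rows))
```

The skipped compound pattern is the practical caveat: a feed entry that carries several observables in one pattern can silently produce fewer rows than the feed advertises, which is one reason the Step 2 count by IndicatorType is worth comparing against what the feed publishes.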


Verification checklist