Objective
Connect the abuse.ch ThreatFox TAXII feed to Sentinel, enable TI matching analytics rules, hunt for IOCs in historical data, and establish the indicator lifecycle baseline from Module 12.
Required: Sentinel workspace. Contributor role.
Step 1: Configure the TAXII data connector
Navigate to: Sentinel → Data connectors → Search "Threat intelligence - TAXII"
Click Open connector page → Add TAXII server
| Field | Value |
|---|---|
| Friendly name | abuse.ch ThreatFox |
| API root URL | https://threatfox-api.abuse.ch/api/v1/taxii2/ |
| Collection ID | Check abuse.ch documentation for current collection |
| Polling frequency | Once per hour |
| Username / Password | Leave empty (no authentication required) |
Click Add.
Step 2: Verify indicator ingestion
Wait 1-2 hours for the first poll cycle, then verify:
```kql
ThreatIntelligenceIndicator
| where TimeGenerated > ago(4h)
| where SourceSystem has "TAXII"
| summarize Count = count() by IndicatorType
| sort by Count desc
```
If this returns results, the feed is ingesting. If zero results after 2 hours, check the data connector health page for error messages.
Step 3: Enable TI matching analytics rules
Navigate to: Sentinel → Analytics → Rule templates
Filter for "Threat Intelligence." Enable these matching rules:
| Rule template | What it matches | Priority |
|---|---|---|
| TI map IP entity to SigninLogs | IP indicators → sign-in source IPs | High |
| TI map IP entity to DeviceNetworkEvents | IP indicators → endpoint network connections | Medium |
| TI map URL entity to EmailUrlInfo | URL indicators → email URLs | High |
| TI map FileHash to DeviceFileEvents | Hash indicators → files on endpoints | Medium |
For each rule, set the minimum confidence threshold:
- SigninLogs matching: Confidence ≥ 50
- DeviceNetworkEvents matching: Confidence ≥ 70 (high-volume table, needs stricter threshold)
- EmailUrlInfo matching: Confidence ≥ 50
- DeviceFileEvents matching: Confidence ≥ 30 (hash matching is precise, lower threshold acceptable)
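To see what the confidence threshold actually does inside a matching rule, here is an added KQL example (written for this lab, not the text of Microsoft's rule template) that reproduces the IP-to-DeviceNetworkEvents match with the 70 threshold from the list above. It assumes the standard ThreatIntelligenceIndicator and DeviceNetworkEvents columns; the lookback values are assumptions you can tune.

```kql
// Added example: IP indicator match against endpoint network connections, with the confidence gate.
// Assumption: standard ThreatIntelligenceIndicator and DeviceNetworkEvents column names.
let ioc_lookBack  = 14d;   // how far back to collect indicators (assumed value)
let dt_lookBack   = 1h;    // the rule runs hourly, so match only the last hour of events (assumed value)
let minConfidence = 70;    // stricter threshold chosen for this high-volume table
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize arg_max(TimeGenerated, *) by IndicatorId      // keep only the latest version of each indicator
| where Active == true and ExpirationDateTime > now()     // drop deactivated or already-expired indicators
| where ConfidenceScore >= minConfidence                  // the threshold set in the rule
| where isnotempty(NetworkIP)
| project IndicatorId, NetworkIP, ConfidenceScore, ThreatType, Description, SourceSystem
| join kind=innerunique (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(RemoteIP)
    | project EventTime = TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
  ) on $left.NetworkIP == $right.RemoteIP
| project EventTime, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort,
          IndicatorId, ConfidenceScore, ThreatType, Description, SourceSystem
| sort by EventTime desc
```

Lowering minConfidence widens the match set but raises the analyst review load; the arg_max and expiration filters are what keep an indicator that a feed has since withdrawn from generating alerts.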
Step 4: Run a retroactive IOC hunt
Pick 3 IP indicators from the ingested ThreatFox feed and search your historical data:
```kql
let iocIPs = ThreatIntelligenceIndicator
| where TimeGenerated > ago(1d)
| where IndicatorType == "ipv4-addr"
| where ConfidenceScore >= 70
| take 3
| project NetworkIP;
union
(SigninLogs | where TimeGenerated > ago(90d)
| where IPAddress in (iocIPs)
| project TimeGenerated, Source="SigninLogs",
    Entity=UserPrincipalName, IP=IPAddress),
(DeviceNetworkEvents | where TimeGenerated > ago(90d)
| where RemoteIP in (iocIPs)
| project TimeGenerated, Source="DeviceNetwork",
    Entity=DeviceName, IP=RemoteIP)
| sort by TimeGenerated asc
```
Document the results — positive or negative — in the hunting campaign format from Module 12, subsection 12.6.
Step 5: Establish the indicator hygiene baseline
```kql
ThreatIntelligenceIndicator
| summarize
    Total = count(),
    Active = countif(Active == true),
    WithExpiration = countif(isnotempty(ExpirationDateTime)),
    NoExpiration = countif(isempty(ExpirationDateTime)),
    HighConfidence = countif(ConfidenceScore >= 80),
    LowConfidence = countif(ConfidenceScore < 50)
```
Record these numbers. This is your Day 1 indicator baseline. Run the same query monthly to track indicator lifecycle health.
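The baseline above counts every row, so an indicator that has been re-ingested several times is counted several times, and it does not say which feed the problems come from. As an added example for this lab (not part of the original lab text), the following KQL deduplicates to one row per indicator, assigns each a lifecycle state, and breaks the result down by source. It assumes the standard ThreatIntelligenceIndicator columns; the state names are assumptions chosen for readability.

```kql
// Added example: per-feed lifecycle health for the monthly indicator review.
// Assumption: standard ThreatIntelligenceIndicator columns.
// "StaleActive" = still marked Active but already past its ExpirationDateTime.
ThreatIntelligenceIndicator
| summarize arg_max(TimeGenerated, *) by IndicatorId      // one row per indicator, latest version wins
| extend LifecycleState = case(
    Active == false,                "Deactivated",
    isempty(ExpirationDateTime),    "NoExpiration",      // never ages out; needs manual review
    ExpirationDateTime < now(),     "StaleActive",        // should have been expired by the feed
                                    "Healthy")
| summarize Indicators    = count(),
            AvgConfidence = round(avg(ConfidenceScore), 1),
            OldestSeen    = min(TimeGenerated)
  by SourceSystem, LifecycleState
| sort by SourceSystem asc, Indicators desc
```

A growing StaleActive or NoExpiration count for a feed between monthly runs is the signal to revisit that feed's polling settings or to add an expiration policy, since those indicators keep matching in the analytics rules long after the feed stopped vouching for them.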
Verification checklist
- [ ] TAXII connector configured and ingesting
- [ ] ThreatIntelligenceIndicator table shows new indicators
- [ ] 4 TI matching analytics rules enabled with confidence thresholds
- [ ] Retroactive IOC hunt completed and documented
- [ ] Indicator hygiene baseline recorded
- [ ] Monthly indicator review scheduled