SIEM Connectors
Connectors deliver ELLIO Threat Intelligence directly into your security platform - your SIEM or MISP polls the ELLIO server on a schedule and ingests fresh indicators automatically, no manual downloads or pipeline glue required.
Browse the catalogue at Data Feeds → Connectors. Each connector has its own page where you generate and manage credentials - Microsoft Sentinel (TAXII), MISP Daily Sightings, MISP Per-IP Detail, and MISP Per-IP Detail with JA4+.
Microsoft Sentinel (TAXII)
Native TAXII 2.1 feed for Microsoft Sentinel's built-in Threat Intelligence - TAXII data connector. Sentinel polls the ELLIO server on a schedule you choose; ELLIO returns paginated STIX 2.1 indicators that land in your ThreatIntelIndicators table.
What you get:
- Continuous delivery (no manual download)
- Microsoft Sentinel native ingest (no custom parser)
- SIEM-style consumption alongside your other indicator sources
Set-up walkthrough: Microsoft Sentinel TAXII - Setup Guide. Data model: STIX Data Model. Ready-to-run KQL: KQL Query Examples.
MISP Feed
Native MISP feed for any MISP instance. Subscribe once and MISP keeps a rolling 90-day window of observed attacker activity in sync - events update in place using MISP's built-in feed-sync.
What you get:
- Three feed shapes - daily sightings, per-IP rolling, and per-IP rolling with FoxIO JA4+ - pick the granularity that matches your workflow
- Native MISP tagging - TLP, ELLIO classification, Cyber Kill Chain phase, and MITRE ATT&CK techniques on every event and attribute
- Decay-aware tagging - every event carries an ellio:decay-model tag pointing at ELLIO's recommended 90-day curve. Configure a matching MISP decay model and the tag drives automatic scoring of aging indicators.
Set-up walkthrough: MISP Feed - Setup Guide. Decay model: MISP Decay Model. Event shape: MISP Feed Reference.
What's coming
Additional connectors are planned for other major SIEM and SOAR platforms. The catalogue page is the source of truth for what's currently available. Need a specific platform? Open a request via Support Center → Contact Support.