Microsoft Sentinel TAXII Integration
The ELLIO TAXII integration delivers IP indicators from ELLIO Threat Intelligence directly into Microsoft Sentinel using the TAXII 2.1 protocol and STIX 2.1 data format.
Once connected, Sentinel polls the ELLIO feed automatically and ingests
indicators into the ThreatIntelIndicators table, where they drive detection,
investigation, and hunting.
What you get
Section titled “What you get”- 1M+ IP indicators updated daily from ELLIO Threat Intelligence
- Non-spoofable indicators with confirmed TCP handshakes (high-confidence source attribution)
- Per-indicator context: geo/ASN, network fingerprints (MuonFP, JA4, JA3), targeted ports, SSH credentials, HTTP paths, CVE references, and MITRE ATT&CK mappings
- Lockheed Martin Cyber Kill Chain and MITRE ATT&CK tactical classification
- Actor attribution for known scanners and research organizations
- Automatic expiration via STIX
valid_until- indicators age out after 90 days without re-observation
How it works
Section titled “How it works”- Sentinel’s built-in Threat Intelligence - TAXII data connector polls the ELLIO TAXII server
- The server returns STIX 2.1 indicators in paginated responses
- Sentinel stores the full STIX JSON in the
ThreatIntelIndicatorstable - Built-in TI analytics rules automatically match indicators against your sign-in logs, network logs, and other data sources
- The ELLIO feed is updated daily - Sentinel incrementally polls for new and updated indicators using
added_after
Available collections
Section titled “Available collections”| Collection ID | Title | Description |
|---|---|---|
non-spoofable-ips |
Non-Spoofable IP Indicators | IP addresses with confirmed TCP handshakes. High-confidence source attribution. Recommended for most deployments. |
spoofable-ips |
Spoofable IP Indicators | IP addresses without confirmed TCP handshakes. Source attribution may be unreliable. Use with caution. |
Prerequisites
Section titled “Prerequisites”- Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled)
- ELLIO platform account with ELLIO Threat Intelligence Data Feed access
- TAXII credentials from your ELLIO platform settings
Next steps
Section titled “Next steps”- Setup Guide - connect Sentinel to the ELLIO TAXII feed
- STIX Data Model - the indicator structure and extension fields
- KQL Query Examples - query and analyze ELLIO indicators in Sentinel