Microsoft Sentinel TAXII Integration
Technical Preview
This integration is currently in technical preview. The data schema may change in the future based on customer feedback. The current schema version is guaranteed to be supported until March 31, 2027 or later based on customer feedback.
The ELLIO Threat Intelligence TAXII integration delivers IP indicators from the ELLIO Deception Network directly into Microsoft Sentinel using the industry-standard TAXII 2.1 protocol and STIX 2.1 data format.
Once connected, Sentinel automatically polls the ELLIO feed and ingests threat indicators into the `ThreatIntelIndicators` table, where they can be used for automated detection, investigation, and hunting.
What You Get
- 1M+ IP indicators updated daily from the ELLIO Deception Network
- Non-spoofable indicators with confirmed TCP handshakes (high-confidence source attribution)
- Rich context per indicator: geo/ASN, network fingerprints (MuonFP, JA4, JA3), targeted ports, SSH credentials, HTTP paths, CVE references, and MITRE ATT&CK mappings
- Lockheed Martin Cyber Kill Chain and MITRE ATT&CK tactical classification
- Actor attribution for known scanners and research organizations
- Automatic expiration via STIX `valid_until`: indicators age out after 90 days without re-observation
How It Works
- Sentinel's built-in Threat Intelligence - TAXII data connector polls the ELLIO TAXII server
- The server returns STIX 2.1 indicators in paginated responses
- Sentinel stores the full STIX JSON in the `ThreatIntelIndicators` table
- Built-in TI analytics rules automatically match indicators against your sign-in logs, network logs, and other data sources
- The ELLIO feed is updated daily; Sentinel incrementally polls for new and updated indicators using `added_after`
Available Collections
| Collection ID | Title | Description |
|---|---|---|
| non-spoofable-ips | Non-Spoofable IP Indicators | IP addresses with confirmed TCP handshakes. High-confidence source attribution. Recommended for most deployments. |
| spoofable-ips | Spoofable IP Indicators | IP addresses without confirmed TCP handshakes. Source attribution may be unreliable. Use with caution. |
Prerequisites
- Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled)
- ELLIO platform account with ELLIO Threat Intelligence Data Feed access
- TAXII credentials from your ELLIO platform settings
Next Steps
- Setup Guide - Connect Sentinel to the ELLIO TAXII feed
- STIX Data Model - Understand the indicator structure and extension fields
- KQL Query Examples - Query and analyze ELLIO indicators in Sentinel