Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Microsoft Sentinel TAXII Integration

The ELLIO TAXII integration delivers IP indicators from ELLIO Threat Intelligence directly into Microsoft Sentinel using the TAXII 2.1 protocol and STIX 2.1 data format.

Once connected, Sentinel polls the ELLIO feed automatically and ingests indicators into the ThreatIntelIndicators table, where they drive detection, investigation, and hunting.

  • 1M+ IP indicators updated daily from ELLIO Threat Intelligence
  • Non-spoofable indicators with confirmed TCP handshakes (high-confidence source attribution)
  • Per-indicator context: geo/ASN, network fingerprints (MuonFP, JA4, JA3), targeted ports, SSH credentials, HTTP paths, CVE references, and MITRE ATT&CK mappings
  • Lockheed Martin Cyber Kill Chain and MITRE ATT&CK tactical classification
  • Actor attribution for known scanners and research organizations
  • Automatic expiration via STIX valid_until - indicators age out after 90 days without re-observation
  1. Sentinel’s built-in Threat Intelligence - TAXII data connector polls the ELLIO TAXII server
  2. The server returns STIX 2.1 indicators in paginated responses
  3. Sentinel stores the full STIX JSON in the ThreatIntelIndicators table
  4. Built-in TI analytics rules automatically match indicators against your sign-in logs, network logs, and other data sources
  5. The ELLIO feed is updated daily - Sentinel incrementally polls for new and updated indicators using added_after
Collection ID Title Description
non-spoofable-ips Non-Spoofable IP Indicators IP addresses with confirmed TCP handshakes. High-confidence source attribution. Recommended for most deployments.
spoofable-ips Spoofable IP Indicators IP addresses without confirmed TCP handshakes. Source attribution may be unreliable. Use with caution.
  • Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled)
  • ELLIO platform account with ELLIO Threat Intelligence Data Feed access
  • TAXII credentials from your ELLIO platform settings