Setup Guide
This guide connects Microsoft Sentinel to the ELLIO Threat Intelligence TAXII feed.
Step 1: Get your TAXII credentials
Section titled “Step 1: Get your TAXII credentials”- Log in to the ELLIO Platform.
- Open Data Feeds → Connectors and pick Microsoft Sentinel (TAXII).
- Generate TAXII credentials - you’ll receive a username and password.
- Note your assigned collection ID.
Step 2: Enable the TAXII data connector in Sentinel
Section titled “Step 2: Enable the TAXII data connector in Sentinel”- In the Azure portal, navigate to your Microsoft Sentinel workspace
- Go to Content Hub and search for Threat Intelligence
- Install the Threat Intelligence solution if not already installed
- Go to Data connectors and find Threat Intelligence - TAXII
- Click Open connector page
Step 3: Configure the TAXII connection
Section titled “Step 3: Configure the TAXII connection”Click Add new and fill in the following fields:
| Field | Value |
|---|---|
| Friendly name | ELLIO Threat Intelligence |
| API root URL | https://taxii-sentinel.integrations.ellio.tech/ellio/ |
| Collection ID | Your assigned collection ID from Step 1 |
| Username | Your TAXII username from Step 1 |
| Password | Your TAXII password from Step 1 |
| Import indicators | At most one month old (recommended) or All available for initial import |
| Polling frequency | Once an hour or Once a day |
Step 4: Verify indicator ingestion
Section titled “Step 4: Verify indicator ingestion”After the first polling cycle (up to 1 hour depending on your frequency setting), verify that indicators are flowing into Sentinel.
Open Logs in your Sentinel workspace and run:
ThreatIntelIndicators| where Data has "ELLIO"| summarize Count = count()You should see a non-zero count. To inspect individual indicators:
ThreatIntelIndicators| where Data has "ELLIO"| project TimeGenerated, ObservableValue, Confidence, Tags, ValidUntil| order by TimeGenerated desc| take 10Step 5: Enable analytics rules
Section titled “Step 5: Enable analytics rules”Sentinel includes built-in analytics rules that match threat indicators against your log sources. To enable them:
- Go to Analytics in your Sentinel workspace
- Search for rules containing “TI map” (e.g., “TI map IP entity to SigninLogs”)
- Enable the rules relevant to your data sources
These rules create incidents when traffic from or to ELLIO-flagged IPs is detected in your environment.