# Setup Guide
This guide walks you through connecting Microsoft Sentinel to the ELLIO Threat Intelligence TAXII feed.
## Step 1: Get Your TAXII Credentials
- Log in to the ELLIO Platform
- Navigate to Settings > Integrations > Microsoft Sentinel
- Generate TAXII credentials - you will receive a username and password
- Note your assigned collection ID
## Step 2: Enable the TAXII Data Connector in Sentinel
- In the Azure portal, navigate to your Microsoft Sentinel workspace
- Go to Content Hub and search for Threat Intelligence
- Install the Threat Intelligence solution if not already installed
- Go to Data connectors and find Threat Intelligence - TAXII
- Click Open connector page
## Step 3: Configure the TAXII Connection
Click Add new and fill in the following fields:
| Field | Value |
|---|---|
| Friendly name | ELLIO Deception Network |
| API root URL | https://taxii-sentinel.integrations.ellio.tech/ellio/ |
| Collection ID | Your assigned collection ID from Step 1 |
| Username | Your TAXII username from Step 1 |
| Password | Your TAXII password from Step 1 |
| Import indicators | At most one month old (recommended) or All available for initial import |
| Polling frequency | Once an hour or Once a day |
## Step 4: Verify Indicator Ingestion
After the first polling cycle (up to 1 hour depending on your frequency setting), verify that indicators are flowing into Sentinel.
Open Logs in your Sentinel workspace and run:

```kusto
ThreatIntelIndicators
| where Data has "ELLIO"
| summarize Count = count()
```

You should see a non-zero count. To inspect individual indicators:

```kusto
ThreatIntelIndicators
| where Data has "ELLIO"
| project TimeGenerated, ObservableValue, Confidence, Tags, ValidUntil
| order by TimeGenerated desc
| take 10
```
## Step 5: Enable Analytics Rules
Sentinel includes built-in analytics rules that match threat indicators against your log sources. To enable them:
- Go to Analytics in your Sentinel workspace
- Search for rules containing "TI map" (e.g., "TI map IP entity to SigninLogs")
- Enable the rules relevant to your data sources
These rules automatically create incidents when traffic from or to ELLIO-flagged IPs is detected in your environment.
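The example below is added to this guide and is not ELLIO's or Microsoft's code. It shows, end to end, what happens between Step 3 and Step 5: how the connector's "At most one month old" setting maps onto a TAXII 2.1 `added_after` filter on the objects endpoint, how STIX indicators from a TAXII envelope become rows like those in the `ThreatIntelIndicators` table (the `ValidUntil`, `Confidence` and `Tags` columns queried in Step 4), and how a "TI map IP entity to SigninLogs" rule joins active indicators to recent sign-in events by IP. The envelope, sign-in events, collection ID and the fixed clock `NOW` are all constructed for the example; only `ipv4-addr` equality patterns are handled, and the column names are chosen to resemble the Sentinel table rather than reproduce it exactly.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Only this STIX pattern shape is handled here: a single IPv4 equality test.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([0-9.]+)'\]$")


def parse_ts(value):
    """Parse a STIX/TAXII timestamp such as '2025-02-01T00:00:00.000Z' into an aware UTC datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def objects_url(api_root, collection_id, max_age=timedelta(days=30), now=None):
    """Build the TAXII 2.1 objects URL with an added_after filter.

    This mirrors the connector's 'At most one month old' import setting; the
    collection ID comes from Step 1 and is a placeholder in this example.
    """
    now = now or datetime.now(timezone.utc)
    added_after = (now - max_age).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?added_after={added_after}"


def parse_envelope(envelope, now):
    """Turn a TAXII envelope into rows resembling Sentinel's ThreatIntelIndicators table."""
    rows = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = IPV4_PATTERN.match(obj.get("pattern", "").strip())
        if not m:
            continue  # domain, URL or compound patterns are out of scope for this example
        valid_until = parse_ts(obj.get("valid_until"))
        active = not obj.get("revoked", False) and (valid_until is None or valid_until > now)
        rows.append({
            "ObservableKey": "ipv4-addr:value",
            "ObservableValue": m.group(1),
            "Confidence": obj.get("confidence", 0),
            "ValidUntil": valid_until,
            "IsActive": active,
            "Tags": obj.get("labels", []),
        })
    return rows


def match_signins(indicators, signins, now, lookback=timedelta(hours=1), min_confidence=0):
    """Join recent sign-in events to active indicators by source IP, as a TI map rule does.

    Expired or revoked indicators never match, which is why the ValidUntil
    column from Step 4 matters: a stale IP stops raising incidents on its own.
    """
    by_ip = {}
    for ind in indicators:
        if ind["IsActive"] and ind["Confidence"] >= min_confidence:
            by_ip[ind["ObservableValue"]] = ind
    hits = []
    for ev in signins:
        if parse_ts(ev["TimeGenerated"]) < now - lookback:
            continue  # outside the rule's lookback window
        ind = by_ip.get(ev["IPAddress"])
        if ind is not None:
            hits.append({"UserPrincipalName": ev["UserPrincipalName"],
                         "IPAddress": ev["IPAddress"],
                         "Confidence": ind["Confidence"],
                         "ValidUntil": ind["ValidUntil"]})
    return hits


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed TAXII 2.1 envelope (not real ELLIO data): one active IPv4 indicator,
# one expired IPv4 indicator, one domain indicator and one non-indicator object.
SAMPLE_ENVELOPE = json.loads("""{
  "more": false,
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "valid_from": "2025-01-14T00:00:00.000Z", "valid_until": "2025-02-01T00:00:00.000Z",
     "confidence": 85, "labels": ["malicious-activity"]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.9']", "pattern_type": "stix",
     "valid_from": "2024-12-20T00:00:00.000Z", "valid_until": "2025-01-10T00:00:00.000Z",
     "confidence": 70, "labels": ["malicious-activity"]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[domain-name:value = 'example.test']", "pattern_type": "stix",
     "valid_from": "2025-01-14T00:00:00.000Z", "confidence": 50, "labels": ["malicious-activity"]},
    {"type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--00000000-0000-4000-8000-000000000004",
     "definition_type": "tlp", "definition": {"tlp": "green"}}
  ]
}""")

# Constructed sign-in events resembling SigninLogs rows.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-01-15T11:30:00Z", "UserPrincipalName": "alice@example.test", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2025-01-15T11:40:00Z", "UserPrincipalName": "bob@example.test", "IPAddress": "203.0.113.9"},
    {"TimeGenerated": "2025-01-14T09:00:00Z", "UserPrincipalName": "carol@example.test", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2025-01-15T11:50:00Z", "UserPrincipalName": "dave@example.test", "IPAddress": "192.0.2.1"},
]


def demo():
    """Run the whole pipeline on the constructed data and return the matches."""
    rows = parse_envelope(SAMPLE_ENVELOPE, NOW)
    return match_signins(rows, SAMPLE_SIGNINS, NOW)


if __name__ == "__main__":
    print(objects_url("https://taxii-sentinel.integrations.ellio.tech/ellio/", "<collection-id>", now=NOW))
    for hit in demo():
        print(hit)
```

Of the four sign-ins, only alice's matches: bob's source IP is an expired indicator, carol's event falls outside the one-hour lookback, and dave's IP is not in the feed. Raising `min_confidence` is the equivalent of tightening the confidence threshold in the analytics rule, which is the first knob to turn if the rule produces more incidents than the team can triage.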