Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Setup Guide

This guide connects Microsoft Sentinel to the ELLIO Threat Intelligence TAXII feed.

  1. Log in to the ELLIO Platform.
  2. Open Data Feeds → Connectors and pick Microsoft Sentinel (TAXII).
  3. Generate TAXII credentials - you’ll receive a username and password.
  4. Note your assigned collection ID.

Step 2: Enable the TAXII data connector in Sentinel

Section titled “Step 2: Enable the TAXII data connector in Sentinel”
  1. In the Azure portal, navigate to your Microsoft Sentinel workspace
  2. Go to Content Hub and search for Threat Intelligence
  3. Install the Threat Intelligence solution if not already installed
  4. Go to Data connectors and find Threat Intelligence - TAXII
  5. Click Open connector page

Click Add new and fill in the following fields:

Field Value
Friendly name ELLIO Threat Intelligence
API root URL https://taxii-sentinel.integrations.ellio.tech/ellio/
Collection ID Your assigned collection ID from Step 1
Username Your TAXII username from Step 1
Password Your TAXII password from Step 1
Import indicators At most one month old (recommended) or All available for initial import
Polling frequency Once an hour or Once a day

After the first polling cycle (up to 1 hour depending on your frequency setting), verify that indicators are flowing into Sentinel.

Open Logs in your Sentinel workspace and run:

ThreatIntelIndicators
| where Data has "ELLIO"
| summarize Count = count()

You should see a non-zero count. To inspect individual indicators:

ThreatIntelIndicators
| where Data has "ELLIO"
| project TimeGenerated, ObservableValue, Confidence, Tags, ValidUntil
| order by TimeGenerated desc
| take 10

Sentinel includes built-in analytics rules that match threat indicators against your log sources. To enable them:

  1. Go to Analytics in your Sentinel workspace
  2. Search for rules containing “TI map” (e.g., “TI map IP entity to SigninLogs”)
  3. Enable the rules relevant to your data sources

These rules create incidents when traffic from or to ELLIO-flagged IPs is detected in your environment.