This chapter covers the integration and use of threat intelligence in Microsoft Sentinel, a core component of the SC-200 exam. You will learn how to import, manage, and leverage threat intelligence indicators (IOCs) to enhance detection and response. Threat intelligence topics appear in roughly 15-20% of exam questions, particularly in the context of data connectors, analytics rules, and automation. Mastery of this area is essential for passing the Sentinel domain.
Jump to a section
Imagine a global police network where each station shares wanted posters of known criminals. When a local officer spots a person matching a poster, they immediately detain them and report back. In Microsoft Sentinel, threat intelligence indicators (IOCs) are like those wanted posters—they contain identifying details like IP addresses, domain names, or file hashes. Sentinel subscribes to feeds from trusted sources (e.g., Microsoft, third-party vendors, open-source communities) similar to how police stations receive posters from Interpol or the FBI. These indicators are stored in a central database (the Threat Intelligence platform) and are automatically matched against incoming logs. When a match occurs, Sentinel generates an alert—just like an officer making an arrest. The key is that the system doesn't just passively hold posters; it actively compares every new piece of data (log entry) against the entire collection of posters. This enables proactive threat detection rather than reactive analysis. The analogy extends to indicator expiration: just as wanted posters are withdrawn when a criminal is caught or the warrant expires, TI indicators have a confidence score and expiration date to prevent stale detections. Without this network, each station would only know local criminals, missing cross-border patterns—mirroring how organizations without integrated TI miss attacks seen elsewhere.
What Is Threat Intelligence in Microsoft Sentinel?
Threat intelligence (TI) in Microsoft Sentinel refers to the ability to import, store, and use structured threat indicators from various sources to detect, prioritize, and respond to threats. These indicators—such as IP addresses, domains, URLs, file hashes, and email addresses—are matched against log data ingested into Sentinel. When a match occurs, it generates an alert or incident, enabling security teams to act quickly.
Why Threat Intelligence Matters for Sentinel
Sentinel is a SIEM and SOAR platform; TI transforms it from a reactive log analyzer into a proactive threat detection system. Without TI, you rely solely on behavioral analytics and signatures you create. With TI, you leverage the collective knowledge of the global security community. For example, if a known malicious IP address connects to your network, Sentinel can alert you immediately, even if no other suspicious behavior is observed.
How Threat Intelligence Works Internally
TI in Sentinel operates through a multi-step pipeline:
1. Ingestion: TI data is ingested via data connectors. Sentinel supports connectors for: - Microsoft Defender Threat Intelligence (MDTI) – premium TI from Microsoft - Threat Intelligence – TAXII – for STIX/TAXII feeds (e.g., from Anomali, AlienVault OTX) - Threat Intelligence Platforms (TIP) – via API connectors (e.g., MISP, Palo Alto Networks) - Custom connectors using Log Analytics API or Logic Apps
Each connector creates a table named ThreatIntelligenceIndicator in the Log Analytics workspace. The schema is based on the STIX 2.0 standard, including fields like SourceSystem, IndicatorType, ThreatType, ConfidenceScore, ExpirationDateTime, and Tags.
Storage and Normalization: Indicators are stored in a normalized format. Sentinel indexes key fields for fast lookup. Each indicator has a lifetime (default 30 days if not specified) and a confidence score (0-100). Indicators with low confidence (e.g., <30) may be ignored by default analytics rules.
Matching: When log data is ingested, Sentinel performs real-time matching against TI indicators. This is done via analytics rules that use the ThreatIntelligenceIndicator table in KQL queries. For example, a rule might join SigninLogs with ThreatIntelligenceIndicator on the IP address field. The matching is performed at query time, not at ingestion, which means there is a slight delay (typically a few minutes) between indicator arrival and detection.
Alert Generation: If a match is found, Sentinel creates an alert with a severity based on the indicator's Severity field (Low, Medium, High, Critical) and a link to the threat intelligence source. The alert can be automatically escalated to an incident via automation rules.
Key Components and Defaults
- ThreatIntelligenceIndicator table: Contains all ingested indicators. Key columns:
- IndicatorType: e.g., "ipv4-addr", "domain-name", "file", "url"
- Pattern: The actual value, e.g., "203.0.113.5"
- ThreatType: e.g., "malicious-activity", "command-and-control"
- ConfidenceScore: integer 0-100
- ExpirationDateTime: datetime; if null, defaults to 30 days from ingestion
- Tags: array of strings for categorization
- Default analytics rule: Microsoft Sentinel provides a built-in rule called "TI Map IP Entity To AzureActivity" (and similar for other entity types). These rules are disabled by default; you must enable them and configure the TI source.
- Data retention: TI indicators are subject to the workspace retention policy (default 90 days for interactive retention, then archived). However, it's recommended to use a longer retention (e.g., 1 year) for TI.
Configuration and Verification
To configure TI:
1. Navigate to Sentinel > Threat Management > Threat Intelligence.
2. Click Add to create a new TI data connector.
- For TAXII: Enter the API root URL, collection ID, username/password (if required), and polling interval (default every 5 minutes).
- For MDTI: Simply enable the connector; no additional configuration needed.
3. After connection, indicators appear in the ThreatIntelligenceIndicator table. Verify with a KQL query:
ThreatIntelligenceIndicator
| where SourceSystem == "ThreatIntelligence"
| summarize count() by IndicatorTypeEnable the built-in analytics rules under Analytics > Rule templates. Search for "TI map" and enable the relevant rules.
Interaction with Related Technologies
Analytics Rules: TI is most effective when combined with scheduled analytics rules that join TI indicators with other data sources. For example, a rule can join CommonSecurityLog with ThreatIntelligenceIndicator on source IP to detect C2 traffic.
Automation: Playbooks can be triggered by TI matches. For instance, a playbook can automatically block an IP on a firewall or isolate a compromised device.
Hunting: TI indicators can be used in hunting queries to proactively search for threats. The ThreatIntelligenceIndicator table is available for custom KQL queries.
Workbooks: Sentinel provides a "Threat Intelligence" workbook that visualizes indicator sources, types, and matches over time.
Performance Considerations
Ingesting too many indicators (e.g., millions) can impact query performance and increase costs. Best practices:
Use only high-confidence indicators (ConfidenceScore > 70).
Set appropriate expiration times; expired indicators are automatically excluded from matching.
Use tags to filter indicators in analytics rules (e.g., only use indicators tagged with "critical").
Use TAXII collections that are curated rather than raw open-source feeds.
Exam-Relevant Details
TAXII connector: Supports STIX 1.x and 2.x. The default polling interval is 5 minutes, but can be configured from 1 minute to 24 hours.
MDTI connector: Premium; provides access to Microsoft's own TI, including reputation scores and context.
Custom TI: You can upload indicators via CSV or API using the ThreatIntelligenceIndicator table's ingestion API.
Indicator expiration: Default 30 days if not set. Expired indicators are not matched.
Confidence score: Used by analytics rules to filter; rules can be configured to only match indicators above a threshold.
Common Pitfalls
Not enabling the analytics rules: Many candidates forget that TI connectors alone do nothing; you must enable the matching rules.
Using too many low-confidence indicators: This leads to false positives and alert fatigue.
Ignoring expiration: Stale indicators cause missed detections or false positives if they match legitimate traffic after the threat is neutralized.
Summary of Mechanism
Threat intelligence in Sentinel is a data ingestion and matching pipeline. Indicators are ingested via connectors into a normalized table (ThreatIntelligenceIndicator). Analytics rules run scheduled queries (e.g., every 5 minutes) that join this table with other logs. When a match occurs, an alert is generated. The system relies on STIX/TAXII standards for interoperability. Key exam topics include connector types, table schema, default values, and the necessity of enabling analytics rules.
Select a Threat Intelligence Connector
In the Azure portal, navigate to Microsoft Sentinel and select your workspace. Under 'Content management', choose 'Content hub' and search for 'Threat Intelligence'. You'll see connectors like 'Microsoft Defender Threat Intelligence', 'Threat Intelligence - TAXII', and 'Threat Intelligence Platform'. Click 'Install' for the desired connector. This step is critical because the connector determines the source of your indicators. For the exam, remember that TAXII connectors require an API root URL and collection ID, while MDTI is a simple toggle. After installation, the connector appears under 'Data connectors'.
Configure the Connector
Open the connector and click 'Open connector page'. For TAXII, enter the API root URL (e.g., 'https://otx.alienvault.com/taxii'), collection ID, username/password if required, and polling interval (default 5 minutes). For MDTI, just click 'Connect'. The connector will start ingesting indicators into the 'ThreatIntelligenceIndicator' table. You can verify ingestion by running a KQL query: `ThreatIntelligenceIndicator | take 10`. Note that it may take up to 15 minutes for the first batch to appear. The polling interval is a key exam detail—default 5 minutes for TAXII, but can be set as low as 1 minute.
Enable Built-in Analytics Rules
Go to 'Analytics' under 'Configuration'. Click 'Rule templates' and search for 'TI map'. You'll see templates like 'TI Map IP Entity To AzureActivity' and 'TI Map Domain Entity To DnsEvents'. Select the ones relevant to your data sources and click 'Create rule'. In the rule wizard, you must specify the data source (e.g., 'AzureActivity') and the entity mapping (e.g., 'IP' -> 'Source IP'). Accept the default query or customize it. The rule will run every 5 minutes by default. This step is often forgotten—without enabling these rules, TI indicators are never matched against logs.
Verify TI Matches in Incidents
After enabling the rules, wait for the next run (up to 5 minutes). Then go to 'Incidents'. Any matches will appear as incidents with a title like 'TI map IP entity to AzureActivity'. The incident includes the matched indicator, the log source, and a link to the threat intelligence source. You can also use the 'Hunting' module to query for matches manually: `_GetWatchlist('ThreatIntelligenceIndicator') | join ...`. This verification step ensures the pipeline is working. Common issues include mismatched entity types (e.g., IP vs. domain) or insufficient permissions.
Monitor and Optimize TI Usage
Use the 'Threat Intelligence' workbook to monitor indicator health. Check the 'Indicator Count' and 'Active Indicators' over time. If you see too many low-confidence indicators, adjust the connector settings or create an automation rule to filter out indicators with ConfidenceScore < 30. Also, set appropriate expiration dates—indicators that never expire can cause false positives. For performance, consider using only curated feeds. In the exam, know that you can also upload custom indicators via CSV using the 'Threat Intelligence' blade's 'Add indicator' button.
Enterprise Scenario 1: SOC Using Open-Source TI
A mid-sized company uses Microsoft Sentinel with the TAXII connector to ingest indicators from AlienVault OTX. They configured the connector to poll every 10 minutes and enabled the 'TI Map IP Entity To AzureActivity' rule. One day, a user's Azure AD sign-in matched an IP address that was flagged as a known C2 server. The incident was automatically created and assigned to a Tier 2 analyst. The analyst used the indicator's context (provided by OTX) to determine that the IP was associated with a phishing campaign. The company then blocked the IP on their firewall via a playbook. The key lesson: TI allowed detection of a threat that behavioral analytics missed. However, they initially had too many low-confidence indicators causing false positives; they reduced the threshold to ConfidenceScore > 70.
Scenario 2: Financial Institution Using Premium TI
A bank uses Microsoft Defender Threat Intelligence (MDTI) because they need high-fidelity indicators for critical assets. MDTI provides reputation scores and threat actor profiles. They integrated MDTI with Sentinel and enabled rules for DNS and network traffic. When a domain with a malicious reputation score of 99 was queried from an internal host, Sentinel generated a critical incident. The SOAR playbook automatically isolated the host. The bank also uses TI in hunting queries to proactively search for IOCs from recent threat reports. They set up a weekly job to expire indicators older than 30 days unless they are tagged 'persistent'. The challenge was cost: MDTI is a premium service, but for their risk profile it was justified.
Scenario 3: MSSP Managing Multiple Tenants
A managed security service provider (MSSP) uses Sentinel for multiple customers. They deploy a centralized TI strategy: indicators from various sources are ingested into a single Log Analytics workspace, then distributed to customer workspaces via Azure Lighthouse. They use custom analytics rules that filter by customer tenant ID. The MSSP learned that each customer needs different TI sources—some prefer open-source, others require commercial feeds. They also had to manage indicator expiration carefully to avoid stale indicators affecting multiple customers. Performance was a concern: with millions of indicators, queries slowed down. They optimized by using only high-confidence indicators and creating separate workspaces for high-volume customers.
Common Misconfigurations
Not enabling analytics rules: The most frequent mistake. TI connectors alone do nothing.
Using default retention: TI indicators are often needed for longer than 90 days. Set retention to at least 1 year.
Ignoring expiration: Indicators that never expire cause false positives. Always set an expiration date.
Over-ingesting low-confidence indicators: This leads to alert fatigue. Filter by confidence score.
Performance and Scale
Indicator volume: Sentinel can handle millions of indicators, but query performance degrades. Use indexing on the Pattern column.
Polling frequency: Default 5 minutes; can be increased to reduce API calls, but at the cost of delayed detection.
Cost: TI ingestion is subject to Log Analytics data ingestion charges. Each indicator is typically a few hundred bytes. For 100,000 indicators, expect ~50 MB per month.
What SC-200 Tests on Threat Intelligence (Objective 2.2)
The exam focuses on:
- Connector types: Know the difference between TAXII, MDTI, and TIP connectors. Specifically, TAXII uses STIX/TAXII protocol; MDTI is a Microsoft premium feed; TIP connectors integrate with third-party platforms like MISP.
- Default values: TAXII polling interval default is 5 minutes. Indicator expiration default is 30 days. Confidence score range 0-100.
- Analytics rules: You must know that built-in 'TI Map' rules are templates that need to be enabled. They are scheduled queries that run every 5 minutes.
- ThreatIntelligenceIndicator table: Schema fields like IndicatorType, Pattern, ThreatType, ConfidenceScore, ExpirationDateTime.
- Entity mapping: How TI indicators are matched to log entities (IP, domain, URL, file hash, email).
- Automation: How playbooks can be triggered by TI matches.
Common Wrong Answers and Why
"TI connectors automatically generate alerts" – FALSE. Connectors only ingest indicators. Alerts are generated by analytics rules. Candidates confuse ingestion with detection.
"Indicators never expire unless deleted" – FALSE. Default expiration is 30 days. Candidates think TI is permanent.
"You must create custom KQL rules for TI matching" – FALSE. Built-in templates exist. Candidates overlook them.
"MDTI is free" – FALSE. MDTI is a premium add-on. Candidates assume it's included with Sentinel.
"TAXII connector only supports STIX 2.0" – FALSE. It supports both STIX 1.x and 2.0. Candidates often think only one version.
Specific Numbers and Terms
TAXII default polling interval: 5 minutes (range 1 minute to 24 hours)
Indicator default expiration: 30 days
Confidence score range: 0-100
Built-in rule template names: "TI Map IP Entity To AzureActivity", "TI Map Domain Entity To DnsEvents", etc.
Table name: ThreatIntelligenceIndicator
STIX version: 1.x and 2.0 supported
Severity mapping: Indicator severity (Low, Medium, High, Critical) maps directly to alert severity.
Edge Cases and Exceptions
Custom TI upload: You can upload indicators manually via the Azure portal or API. The exam may ask about this as an alternative to connectors.
Multiple workspaces: TI is workspace-specific. To share across workspaces, use Azure Lighthouse or export/import.
Indicator types: Supported types include IP (v4 and v6), domain, URL, file hash (MD5, SHA1, SHA256), email address, and registry key.
Expired indicators: They are not matched but remain in the table until purged by retention policy.
How to Eliminate Wrong Answers
If a question asks about alert generation, remember that connectors do NOT generate alerts; analytics rules do.
If a question mentions default values, recall 5 minutes for polling, 30 days for expiration.
If a question lists indicator types, any valid STIX type is possible, but exam focuses on IP, domain, URL, file hash.
For performance questions, think about confidence score filtering and expiration.
Exam Tips
Memorize the default polling interval and expiration.
Know the difference between TAXII (generic STIX/TAXII) and MDTI (Microsoft-specific).
Understand that TI is a two-step process: ingest (connector) + detect (analytics rule).
Practice KQL queries that join ThreatIntelligenceIndicator with other tables.
Be familiar with the 'Threat Intelligence' workbook for monitoring.
Threat intelligence in Sentinel uses the ThreatIntelligenceIndicator table to store IOCs ingested via connectors.
TAXII connector default polling interval is 5 minutes; indicator default expiration is 30 days.
Built-in 'TI Map' analytics rules must be enabled to generate alerts from TI matches.
ConfidenceScore ranges from 0-100; use high-confidence indicators to reduce false positives.
MDTI is a premium Microsoft feed that requires additional licensing.
Indicators can be uploaded manually via the Azure portal or API.
TI matching is performed at query time by scheduled analytics rules running every 5 minutes.
Use the 'Threat Intelligence' workbook to monitor indicator health and match activity.
These come up on the exam all the time. Here's how to tell them apart.
TAXII Connector
Supports STIX 1.x and 2.0 feeds from any TAXII-compatible source.
Free to use; only data ingestion costs apply.
Requires manual configuration of API URL and collection ID.
Polling interval configurable from 1 minute to 24 hours (default 5 min).
Indicators may have lower confidence if from open-source feeds.
Microsoft Defender Threat Intelligence (MDTI)
Microsoft's own premium threat intelligence feed.
Requires additional licensing (premium add-on).
Simple toggle to enable; no manual configuration.
Indicators are pushed in real-time; no polling interval.
High-confidence indicators with rich context and reputation scores.
Mistake
Threat intelligence connectors automatically create alerts when a match is found.
Correct
Connectors only ingest indicators. Alerts are generated by analytics rules that query the ThreatIntelligenceIndicator table. Without enabling the built-in 'TI Map' rules, no alerts are created.
Mistake
Indicators in Sentinel never expire unless manually deleted.
Correct
Indicators have an expiration date. If not set, they expire 30 days after ingestion. Expired indicators are not matched against logs but remain in the table until purged by retention.
Mistake
Microsoft Defender Threat Intelligence (MDTI) is included with all Sentinel licenses.
Correct
MDTI is a premium add-on that requires additional licensing. It is not included in the base Sentinel cost.
Mistake
TAXII connector only supports STIX 2.0 indicators.
Correct
TAXII connector supports both STIX 1.x and 2.0. The version depends on the feed provider.
Mistake
You must write custom KQL rules to use threat intelligence in Sentinel.
Correct
Sentinel provides built-in rule templates (e.g., 'TI Map IP Entity To AzureActivity') that you can enable with minimal configuration. Custom rules are optional.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, install and configure a TI connector (TAXII, MDTI, or TIP) to ingest indicators into the ThreatIntelligenceIndicator table. Then, go to Analytics > Rule templates, search for 'TI map', and enable the relevant rules (e.g., 'TI Map IP Entity To AzureActivity'). These rules run every 5 minutes and join TI indicators with your log data. Without enabling these rules, no matching occurs.
The default polling interval is 5 minutes. You can configure it between 1 minute and 24 hours when setting up the connector. Shorter intervals provide faster detection but increase API calls and data ingestion costs.
Indicators have an ExpirationDateTime field. If not set, they expire 30 days after ingestion. Expired indicators are not matched against logs but remain in the table until the workspace retention policy purges them (default 90 days). You can manually set a longer expiration if needed.
Yes. You can use the TAXII connector to ingest any STIX/TAXII-compatible feed (e.g., AlienVault OTX, Anomali). You can also upload indicators manually via the Azure portal or use Logic Apps to pull from custom APIs. Additionally, you can use the Threat Intelligence Platform connector to integrate with platforms like MISP.
MDTI is a premium Microsoft feed that provides high-confidence, contextual threat intelligence with real-time push. TAXII is a generic connector for any STIX/TAXII feed, free to use but requires manual configuration and polling. MDTI is simpler to set up but costs extra; TAXII is more flexible but may have lower confidence indicators.
Filter indicators by ConfidenceScore (e.g., only use indicators with score > 70). Set appropriate expiration dates to remove stale indicators. Use tags to categorize indicators and only enable rules for specific tags. Also, tune your analytics rules to require multiple matching criteria or higher severity.
Yes. The ThreatIntelligenceIndicator table can be joined with any log table in KQL queries. You can create custom analytics rules that match TI indicators against custom tables (e.g., custom network logs). The built-in templates only cover common Azure logs, but you can extend them.
You've just covered Threat Intelligence in Microsoft Sentinel — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?