
Microsoft Sentinel can consume SOC Defenders threat indicators through its native TAXII Threat Intelligence connector — the lowest-effort path for Pro subscribers — or via an Azure Logic App that polls the REST API and pushes indicators through the Microsoft Security Graph. Both methods populate the ThreatIntelligenceIndicator table, making indicators immediately available for analytics rules, hunting queries, and workbooks.

Option 1: TAXII Threat Intelligence connector (Pro)

The TAXII connector is built into Sentinel and requires no custom code. It polls the SOC Defenders TAXII server on a schedule and maps STIX 2.1 indicator objects directly into the ThreatIntelligenceIndicator table.
TAXII 2.1 integration requires a SOC Defenders Pro subscription.

Configure the connector

1. Open the Data connectors blade

In the Azure portal, navigate to your Sentinel workspace. In the left menu, select Data connectors.
2. Find the TAXII connector

Search for Threat Intelligence – TAXII and open the connector page. Click Open connector page.
3. Add a new TAXII server

Under Configuration, click Add new and enter the following values:

  Friendly name:             SOC Defenders
  TAXII server API Root URL: https://www.socdefenders.ai/api/taxii2/api/
  Collection ID:             See available collections below
  Username:                  Leave blank, or enter apikey
  Password:                  Your SOC Defenders API key
  Import indicators:         At most one month old (or choose a range that fits your retention policy)
  Poll interval:             1 hour
4. Choose a collection

Available collection IDs on the SOC Defenders TAXII server:

  Collection     ID
  All IOCs       all
  IPs only       ips
  Hashes only    hashes
  CVEs           cves
You can add multiple connector entries — one per collection — if you want to separate indicator types into different ingestion streams.
5. Save and confirm ingestion

Click Add. Sentinel will begin polling within a few minutes. To confirm, run the following KQL query in the Logs blade:

  ThreatIntelligenceIndicator
  | where SourceSystem == "SOC Defenders"
  | take 10

Option 2: REST API with Logic Apps

If you are on the Free tier or want more control over field mapping and filtering, use an Azure Logic App to poll GET /api/v1/iocs and push indicators to Sentinel via the Microsoft Security Graph tiIndicators API.
1. Create an app registration

In Azure Active Directory, register a new application. Grant it the ThreatIndicators.ReadWrite.OwnedBy permission in Microsoft Graph. Note the client ID, tenant ID, and client secret.
2. Create a Logic App

Create a new Logic App with a Recurrence trigger. Set the interval to 15 minutes (Free tier) or 1 minute (Pro).
3. Add an HTTP action to poll SOC Defenders

Add an HTTP action with:
  • Method: GET
  • URI: https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100
  • Headers: Authorization: Bearer YOUR_API_KEY
4. Parse the response and push to Sentinel

Add a Parse JSON action to extract the data array, then loop through each IOC and call the Microsoft Graph tiIndicators endpoint to create or update the indicator in Sentinel:

  POST https://graph.microsoft.com/beta/security/tiIndicators
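The mapping step 4 leaves to the Logic App, shown as an added Python example (not SOC Defenders' or Microsoft's code): records from the /api/v1/iocs data array are turned into tiIndicators POST bodies, with malformed values dropped before anything is sent. The IOC record layout (type, value, confidence, threat_type, description) is an assumption, since the page does not document the response schema; the tiIndicator property names are the ones the Graph beta resource defines.

```python
# Added example (not SOC Defenders' or Microsoft's code): turn records from the
# /api/v1/iocs `data` array into Microsoft Graph tiIndicators POST bodies. The
# IOC record shape (type/value/confidence/threat_type/description) is an assumed,
# constructed layout; the tiIndicator property names are Graph's documented ones.
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample of a GET /api/v1/iocs?limit=100 response (not real data).
SAMPLE_RESPONSE = {"data": [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 85, "threat_type": "Botnet", "description": "C2 beacon (sample)"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 90, "threat_type": "Malware", "description": "malformed (sample)"},
    {"type": "sha256", "value": "a" * 64, "confidence": 70, "threat_type": "Malware", "description": "dropper (sample)"},
    {"type": "url", "value": "http://example.invalid/x", "confidence": 50, "threat_type": "Phishing", "description": "unmapped (sample)"},
]}
HASH_TYPES = {"md5", "sha1", "sha256"}

def to_ti_indicator(ioc, ttl_days=30):
    """Return a tiIndicators body for one IOC, or None if it cannot be mapped."""
    kind, value = ioc.get("type"), str(ioc.get("value", "")).strip()
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    body = {
        "action": "alert",                  # feed data alerts; blocking is a separate decision
        "targetProduct": "Azure Sentinel",  # routes the indicator into ThreatIntelligenceIndicator
        "threatType": ioc.get("threat_type", "WatchList"),
        "tlpLevel": "amber",
        "confidence": max(0, min(100, int(ioc.get("confidence", 0)))),  # Graph expects 0-100
        "description": ioc.get("description", "SOC Defenders indicator"),
        "externalId": f"socdefenders:{kind}:{value}",  # stable id for correlating re-polls
        "expirationDateTime": expires.isoformat(),  # expired indicators drop out of hunting joins
    }
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)    # drop malformed values instead of POSTing them
        except ValueError:
            return None
        body["networkDestinationIPv4"] = value
    elif kind == "domain":
        body["domainName"] = value.lower()
    elif kind in HASH_TYPES:
        body["fileHashType"] = kind
        body["fileHashValue"] = value.lower()
    else:
        return None                         # URL and other types are not handled by this mapping
    return body

def map_response(resp):
    """Map every IOC in the `data` array, skipping records that fail validation."""
    bodies = (to_ti_indicator(i) for i in resp.get("data", []))
    return [b for b in bodies if b is not None]
```

Each returned body is what one iteration of the Logic App loop would POST to the tiIndicators endpoint with the app registration's bearer token.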

Hunting with KQL

Once indicators are in the ThreatIntelligenceIndicator table, use these KQL examples to hunt for matches.

Correlate network connections with IP indicators

  // Only active, unexpired IP indicators; deactivated entries stay in the table and would otherwise still match
  let iocs = ThreatIntelligenceIndicator
      | where isnotnull(NetworkIP) and Active == true
      | project NetworkIP, ConfidenceScore, Description, ExpirationDateTime;
  NetworkConnection
  | join kind=inner iocs on $left.DestinationIP == $right.NetworkIP
  | where ExpirationDateTime > now()
  | project TimeGenerated, SourceIP, DestinationIP, ConfidenceScore, Description
  | sort by TimeGenerated desc

Hunt for DNS queries matching domain indicators

  // Only active, unexpired domain indicators, joined against the queried name
  let domainIocs = ThreatIntelligenceIndicator
      | where isnotnull(DomainName) and Active == true
      | project DomainName, ConfidenceScore, ThreatType, ExpirationDateTime;
  DnsEvents
  | join kind=inner domainIocs on $left.Name == $right.DomainName
  | where ExpirationDateTime > now()
  | project TimeGenerated, ClientIP, Name, ConfidenceScore, ThreatType
  | sort by TimeGenerated desc