> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect SOC Defenders to Microsoft Sentinel

> Import SOC Defenders threat indicators into Microsoft Sentinel via TAXII 2.1 or the REST API. Includes Defender TAXII connector configuration steps.

Microsoft Sentinel can consume SOC Defenders threat indicators in two ways: through its built-in TAXII Threat Intelligence connector, the lowest-effort path for Pro subscribers, or through an Azure Logic App that polls the REST API and pushes indicators through the Microsoft Graph Security API. Both methods populate the `ThreatIntelligenceIndicator` table, making indicators immediately available to analytics rules, hunting queries, and workbooks.

## Option 1: TAXII Threat Intelligence connector (Pro)

The TAXII connector is built into Sentinel and requires no custom code. It polls the SOC Defenders TAXII server on a schedule and maps STIX 2.1 indicator objects directly into the `ThreatIntelligenceIndicator` table.

<Note>
  TAXII 2.1 integration requires a SOC Defenders Pro subscription.
</Note>

### Configure the connector

<Steps>
  <Step title="Open the Data connectors blade">
    In the Azure portal, navigate to your Sentinel workspace. In the left menu, select **Data connectors**.
  </Step>

  <Step title="Find the TAXII connector">
    Search for **Threat Intelligence – TAXII** and open the connector page. Click **Open connector page**.
  </Step>

  <Step title="Add a new TAXII server">
    Under **Configuration**, click **Add new** and enter the following values:

    | Field                     | Value                                                                       |
    | ------------------------- | --------------------------------------------------------------------------- |
    | Friendly name             | SOC Defenders                                                               |
    | TAXII server API Root URL | `https://www.socdefenders.ai/api/taxii2/api/`                               |
    | Collection ID             | See available collections below                                             |
    | Username                  | Leave blank, or enter `apikey`                                              |
    | Password                  | Your SOC Defenders API key                                                  |
    | Import indicators         | `At most one month old` (or choose a range that fits your retention policy) |
    | Poll interval             | 1 hour                                                                      |
  </Step>

  <Step title="Choose a collection">
    Available collection IDs on the SOC Defenders TAXII server:

    | Collection  | ID       |
    | ----------- | -------- |
    | All IOCs    | `all`    |
    | IPs only    | `ips`    |
    | Hashes only | `hashes` |
    | CVEs        | `cves`   |

    You can add multiple connector entries — one per collection — if you want to separate indicator types into different ingestion streams.
  </Step>

  <Step title="Save and confirm ingestion">
    Click **Add**. Sentinel starts polling within a few minutes. To confirm, run the following KQL query in the Logs blade (`SourceSystem` carries the friendly name you entered, so adjust the filter if you used a different one):

    ```kql theme={null}
    ThreatIntelligenceIndicator
    | where SourceSystem == "SOC Defenders"
    | take 10
    ```
  </Step>
</Steps>

## Option 2: REST API with Logic Apps

If you are on the Free tier or want more control over field mapping and filtering, use an Azure Logic App to poll `GET /api/v1/iocs` and push indicators to Sentinel via the Microsoft Graph Security API `tiIndicators` endpoint. Indicators submitted this way reach the workspace only if the **Threat Intelligence Platforms** data connector is enabled in Sentinel and each indicator's `targetProduct` is `Azure Sentinel`. Microsoft has marked the beta `tiIndicators` API and that connector for deprecation in favour of the Sentinel upload indicators API, so check current Microsoft guidance before building new automation on it.

<Steps>
  <Step title="Create an app registration">
    In Microsoft Entra ID (formerly Azure Active Directory), register a new application and grant it the `ThreatIndicators.ReadWrite.OwnedBy` application permission in Microsoft Graph, then have an administrator grant admin consent. Note the **client ID**, **tenant ID**, and **client secret**; keep the secret in Azure Key Vault and reference it from the Logic App rather than storing it in the workflow definition.
  </Step>

  <Step title="Create a Logic App">
    Create a new Logic App with a **Recurrence** trigger. Set the interval to 15 minutes (Free tier) or 1 minute (Pro).
  </Step>

  <Step title="Add an HTTP action to poll SOC Defenders">
    Add an **HTTP** action with:

    * **Method**: `GET`
    * **URI**: `https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100`
    * **Headers**: `Authorization: Bearer YOUR_API_KEY` (enable **Secure Inputs** on the action, or read the key from Key Vault, so it is not exposed in run history)
  </Step>

  <Step title="Parse the response and push to Sentinel">
    Add a **Parse JSON** action to extract the `data` array, then loop through each IOC and call the Microsoft Graph `tiIndicators` endpoint to create or update the indicator in Sentinel. Every request body must carry the properties Graph requires: `action`, `targetProduct` (set to `Azure Sentinel`), `threatType`, `tlpLevel`, `expirationDateTime`, `description`, and the observable itself in the matching field (for example `networkDestinationIPv4`, `domainName`, `url`, or `fileHashValue` with `fileHashType`). Skip records whose value fails validation rather than forwarding them, and de-duplicate within a poll so repeated records do not produce duplicate indicators.

    ```
    POST https://graph.microsoft.com/beta/security/tiIndicators
    ```
  </Step>
</Steps>
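
The mapping in the last two steps, as an added example that is not SOC Defenders' or Microsoft's code: a Python script that validates, de-duplicates and converts the `data` array from `/api/v1/iocs` into `tiIndicator` request bodies, with a `push_indicators` function that issues the same POST the Logic App would. The record field names `value`, `type`, `confidence`, `description`, `last_seen` and `tags`, the tag-to-`threatType` table and the 30-day expiry are assumptions about the response shape rather than the documented API, and the sample response is constructed.

```python
"""Convert SOC Defenders REST IOC records into Microsoft Graph tiIndicator bodies.

Added example, not SOC Defenders' or Microsoft's own code. The per-record
field names (value, type, confidence, description, last_seen, tags) and the
tag-to-threatType table are assumptions about the /api/v1/iocs response shape.
"""
from datetime import datetime, timedelta
import ipaddress
import json
import urllib.request

GRAPH_TI_URL = "https://graph.microsoft.com/beta/security/tiIndicators"

# Graph tiIndicator property that carries each observable type
# (keys are the assumed SOC Defenders `type` values).
TYPE_TO_FIELD = {
    "ipv4": "networkDestinationIPv4",
    "ipv6": "networkDestinationIPv6",
    "domain": "domainName",
    "url": "url",
    "sha256": "fileHashValue",
    "md5": "fileHashValue",
}

# Assumed mapping from SOC Defenders tags to Graph threatType values.
TAG_TO_THREAT_TYPE = {"c2": "C2", "phishing": "Phishing",
                      "malware": "Malware", "botnet": "Botnet"}

# Internal ranges that would match your own traffic rather than an adversary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]


def _parse_ts(value):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onward.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _usable_ip(value, version):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.version == version and not any(addr in n for n in INTERNAL_NETS)


def build_indicator(ioc, ttl_days=30):
    """Return a tiIndicator body for one IOC record, or None if it must be skipped."""
    kind, value = ioc.get("type"), ioc.get("value")
    field = TYPE_TO_FIELD.get(kind)
    if field is None or not value:
        return None
    if kind in ("ipv4", "ipv6") and not _usable_ip(value, 4 if kind == "ipv4" else 6):
        return None
    expires = _parse_ts(ioc["last_seen"]) + timedelta(days=ttl_days)
    threat = next((TAG_TO_THREAT_TYPE[t] for t in ioc.get("tags", [])
                   if t in TAG_TO_THREAT_TYPE), "WatchList")
    body = {
        # Required by Graph on every tiIndicator; Sentinel only ingests
        # indicators whose targetProduct is "Azure Sentinel".
        "action": "alert",
        "targetProduct": "Azure Sentinel",
        "threatType": threat,
        "tlpLevel": "amber",
        "description": ioc.get("description", "SOC Defenders indicator")[:100],
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "confidence": int(ioc.get("confidence", 50)),
        # externalId lets you trace a Sentinel indicator back to the source record.
        "externalId": f"socdefenders:{kind}:{value}",
        field: value,
    }
    if kind in ("sha256", "md5"):
        body["fileHashType"] = kind
    return body


def build_batch(response, ttl_days=30):
    """Validate, de-duplicate and convert a whole /api/v1/iocs response."""
    seen, bodies = set(), []
    for ioc in response.get("data", []):
        key = (ioc.get("type"), ioc.get("value"))
        if key in seen:
            continue
        body = build_indicator(ioc, ttl_days)
        if body is not None:
            seen.add(key)
            bodies.append(body)
    return bodies


def push_indicators(bodies, access_token):
    """POST each body to Graph and return the created ids (network call)."""
    created = []
    for body in bodies:
        req = urllib.request.Request(
            GRAPH_TI_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            created.append(json.load(resp)["id"])
    return created


SAMPLE_RESPONSE = {  # constructed sample, not a real API response
    "data": [
        {"value": "203.0.113.7", "type": "ipv4", "confidence": 85, "tags": ["c2"],
         "description": "C2 beacon destination", "last_seen": "2024-05-01T12:00:00Z"},
        {"value": "203.0.113.7", "type": "ipv4", "confidence": 85, "tags": ["c2"],
         "description": "C2 beacon destination", "last_seen": "2024-05-01T12:00:00Z"},
        {"value": "10.0.0.5", "type": "ipv4", "confidence": 90, "tags": [],
         "description": "internal address, dropped", "last_seen": "2024-05-01T12:00:00Z"},
        {"value": "not-an-ip", "type": "ipv4", "confidence": 90, "tags": [],
         "description": "malformed value, dropped", "last_seen": "2024-05-01T12:00:00Z"},
        {"value": "login.example.test", "type": "domain", "confidence": 60, "tags": ["phishing"],
         "description": "Phishing landing page", "last_seen": "2024-05-02T08:30:00Z"},
        {"value": "0123456789abcdef" * 4, "type": "sha256", "confidence": 70, "tags": ["malware"],
         "description": "Dropper", "last_seen": "2024-05-03T00:00:00Z"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_batch(SAMPLE_RESPONSE), indent=2))
```

Run as-is to see the three bodies the sample yields; in production replace `SAMPLE_RESPONSE` with the live response and pass the list to `push_indicators` with a token obtained through the client-credentials flow. Dropping RFC 1918 and loopback addresses matters because a private-range indicator would match most of your own internal traffic and flood the analytics rules that read this table.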

## Hunting with KQL

Once indicators are in the `ThreatIntelligenceIndicator` table, use these KQL examples to hunt for matches.

### Correlate network connections with IP indicators

```kql theme={null}
// The table keeps every update of an indicator, so take the latest version of
// each IndicatorId and keep only those still active and unexpired.
let iocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project NetworkIP, ConfidenceScore, Description, ExpirationDateTime;
// CommonSecurityLog (CEF firewall/proxy logs) is used as the network source;
// substitute your own flow table if its destination column differs.
CommonSecurityLog
| where TimeGenerated >= ago(1d)
| join kind=inner iocs on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, SourceIP, DestinationIP, ConfidenceScore, Description
| sort by TimeGenerated desc
```

### Hunt for DNS queries matching domain indicators

```kql theme={null}
// Same de-duplication as above; domains are lower-cased on both sides because
// the KQL join key comparison is case-sensitive.
let domainIocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project DomainName = tolower(DomainName), ConfidenceScore, ThreatType, ExpirationDateTime;
DnsEvents
| where TimeGenerated >= ago(1d)
| extend Name = tolower(Name)
| join kind=inner domainIocs on $left.Name == $right.DomainName
| project TimeGenerated, ClientIP, Name, ConfidenceScore, ThreatType
| sort by TimeGenerated desc
```
