Sentinel CYFIRMA Integration

Microsoft Sentinel


Microsoft Sentinel is a cloud native SIEM that offers a variety of options to import threat intelligence data that can be used for hunting, investigation, and other analysis. There are three ways to import rich threat intelligence data into Microsoft Sentinel—using the Threat Intelligence TAXII data connector, Threat Intelligence Platform (TIP) connector, or importing indicators of compromise or attack using a flat file.

Microsoft Sentinel was an early adopter of STIX/TAXII as the preferred way to import threat intelligence data. Microsoft Sentinel “Threat Intelligence -TAXII” connector uses the TAXII protocol for sharing data in STIX format. This data connector supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence—TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.

Today we are announcing our integration with CYFIRMA, which allows organizations to import curated threat intelligence data from CYFIRMA into Microsoft Sentinel using the Threat Intelligence—TAXII Data Connector.


Microsoft Sentinel Benefits with CYFIRMA External Threat Landscape Insights

With CYFIRMA’s External Threat Landscape Management insights, the Sentinel platform is enriched with personalized and actionable insights to help security leaders mitigate risk and prevent the impact of a cyber-attack. The threat intelligence provided by CYFIRMA uncovers external attack surfaces that hackers can use to penetrate the organization, highlight exploitable vulnerabilities, and recommends remedial actions to help strengthen the organization’s cyber posture.

Unlike generic threat feeds, the intelligence from CYFIRMA reduces noise as it is tailored to an organization’s industry, geography, and technology ecosystem. By reducing this noise overload, security operations teams can focus on the validated high-severity threats.

These contextual insights help organizations understand the threat actor, motive, campaign, and methods so security teams can be adequately prepared to mitigate risk and reduce the impact of an attack. CYFIRMA’s External Threat Landscape Management insights provide an outside-in view of an organization and are the underpinning foundation for cyber controls, enabling seamless integration into security tools such as Sentinel that drive insights and remediate risks rapidly. With CYFIRMA’s intelligence, users of Sentinel will be equipped with detection, protection, monitoring, and response capabilities that can automate everyday tasks that enable organizations to stay ahead of cybercriminals.


DeCYFIR TI Feeds creation process


The core capabilities of DeCYFIR that can be combined with MS sentinel are:

Associated IOCs
Rich data on the tactics, techniques, and procedures used by threat actors with IOC-specific remediation steps and tactical execution recommendations. These can be used for threat hunting, investigation, and analysis of threats.

External Attack Surface Discovery *
A clear view of the entire external digital footprint across domains, sub-domains, and third parties as well as identifying critical exposures, vulnerabilities, or weak configuration (default setting vs. misconfiguration) to establish a strong security posture and cyber defense. Attack surface intelligence covers domains, subdomains, on-premises, cloud, hybrid, shadow IT, forgotten IT, and third parties.

Vulnerability Intelligence *
Vulnerabilities should be actioned based on their technical severity together with the current state of exploits by attackers, not simply the CVSS score. Our vulnerability intelligence allows remediation efforts to focus on the must-do critical vulnerabilities that attackers are exploiting matched to an organization’s threat profile, specific industries, geographies, or technology ecosystem.

Threat Actor & Campaign Intelligence *
Enables organizations to better conduct scenario planning to predict and combat threats and attacks. Knowing who is most likely to attack, the attack vectors they are likely to use, and the vulnerabilities they will exploit are essential to improve an organization’s cybersecurity posture. Customers can search threat actors, their profiles, their active campaigns, exploits, and associated TTP including malware.

* Denotes the feature will be available in Phase 2

TAXII Collections

Connecting Microsoft Sentinel to CYFIRMA TAXII Server

To connect Microsoft Sentinel to CYFIRMA TAXII Server, you will need the API Root, Collection ID, Username, and Password from CYFIRMA. Please contact CYFIRMA at [email protected] to request your trial or commercial access.

For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to - Microsoft Sentinel - Connect Threat Intelligence.

Available TAXII collections
At the time of writing, the following collections are supported:

Collection Description Collection name/Collection ID
IOC Feeds- a set of malicious IOCs Pan-IOC
Threat Actors feeds threat_actor_feeds
Campaigns Feeds campaign_feeds
Attack Surface Feeds attack_surface_feeds


Configuration of DeCYFIR Threat Intelligence Data Feeds in Microsoft Sentinel

To import DeCYFIR Threat Intelligence Data Feeds into Microsoft Sentinel as a TAXII Threat Intelligence source:
  1. Create a Log Analytics workspace in your Microsoft Azure Account.
  2. Add Microsoft Sentinel to your workspace.
  3. From the Configuration to clicks the “Data Connectors” and search for the Connector Name “Threat Intelligence - TAXII”
  4. Open the “Threat Intelligence—TAXII,” connector.
  5. Configure the connector as follows.
    • Friendly name:
    • API Root URL:
    • Collection ID: Specify the Collection ID for one of the supported collections.
    • Username: specify your username
    • Password: Specify your token.
    • Import indicators: Select a suitable choice (e.g., ‘All available’)
    • Polling frequency: Select a suitable choice (e.g., ‘Once per hour’)
  6. Once Added the above details and then Click “Add”.
  7. After the indicators are imported, you can use DeCYFIR Threat Intelligence in Microsoft Sentinel.


Put CYFIRMA Threat Intelligence to use in Microsoft Sentinel

Once the CYFIRMA threat intelligence is imported into Microsoft Sentinel, it can enrich your existing data sources using the out-of-the-box analytic rules in Microsoft Sentinel. These completely customizable analytics rules are used to match threat indicators with your event data for faster identification and response times. To learn how to enable and create analytic rules within Microsoft Sentinel, follow these steps - Microsoft Sentinel Analytics Rules.

You can also view dashboards using Workbooks in Sentinel to get a deeper understanding of the threat landscape covered by the CYFIRMA Threat Intelligence Feeds. You can read more about the out-of-the-box threat intelligence workbook here - Microsoft Sentinel Workbooks.

Reach out to CYFIRMA to learn further how our Threat Intelligence can keep you and your organization ahead of threat actors - [email protected]
This site is registered on as a development site. Switch to a production site key to remove this banner.