INTEGRATION / SIEM
Threat intel feeds, Sentinel workbooks, and Security Copilot in 2026
Microsoft Sentinel patterns for threat intelligence: MDTI native integration, Azure Marketplace vendor connectors, TAXII feed import, Logic Apps automation, and Security Copilot agents.
Last verified: May 2026. Independent reference. No vendor input.
Sentinel threat-intelligence architecture
Microsoft Sentinel exposes threat intelligence as a first-class concept in the workspace. The Threat Intelligence menu surfaces ingested indicators, search and pivot UI, and indicator-management workflow. The underlying storage is the ThreatIntelligenceIndicator table in Log Analytics. Analytic rules in Sentinel automatically correlate against this table; Security Copilot uses the same table as part of its knowledge corpus for natural-language querying.
Indicator ingestion has three main paths. Microsoft Defender Threat Intelligence (MDTI) is the native integration: enable the connector and MDTI indicators flow into Sentinel. The Threat Intelligence TAXII connector polls STIX 2.x feeds from any compliant TAXII 2.x server. The Threat Intelligence Platforms (TIP) connector accepts indicators from vendor TIPs (Anomali, ThreatConnect, EclecticIQ, MISP via misp2sentinel). The upload-indicators API supports custom integrations and one-time loads.
Analytic rules in Sentinel come in several flavours: scheduled queries (run on a defined schedule), Microsoft security rules (built-in detection content from MSTIC), fusion rules (cross-source correlation), and ML behaviour analytics. The threat-intel matching analytic rules are pre-built and ship as part of the Threat Intelligence solution; they match common indicator types (IPs, domains, URLs, hashes, certificates) against logs as they arrive.
For the Microsoft Defender Threat Intelligence platform specifically, see Microsoft Defender Threat Intelligence review. MDTI is the most efficient first feed for Sentinel-centric SOCs already on the Microsoft licensing stack.
Vendor integration patterns
Microsoft Defender Threat Intelligence (MDTI)
Native integration. Enable the connector in Sentinel; MDTI indicators flow into the ThreatIntelligenceIndicator table. MSTIC actor profiles and infrastructure observations are surfaced in the Sentinel investigation workbench.
Recorded Future for Microsoft Sentinel
Azure Marketplace listing. Curated indicators plus analytic rules plus workbooks. Requires active RF subscription ($50k+ Core tier minimum).
Mandiant Advantage for Sentinel
Marketplace listing. Mandiant indicators and adversary intelligence in Sentinel. For many customers it is bundled with a broader Google Cloud Security relationship.
Anomali ThreatStream for Sentinel
TAXII-based integration. ThreatStream-curated indicators flow into Sentinel via TAXII connector. Bidirectional with Anomali Bridge.
MISP via misp2sentinel
OSS path. Python script that pulls MISP events and posts to the Sentinel upload-indicators API. Free, self-hosted, supports complex TLP-based scoping.
ISAC TAXII feeds
FS-ISAC, MS-ISAC, sector-specific ISACs publish TAXII 2.x endpoints. Configure as TAXII source in Sentinel. Requires ISAC membership; free for members.
Logic Apps for SOAR automation
Sentinel uses Azure Logic Apps as the SOAR layer. Logic Apps are visual workflow designer applications that connect Sentinel incidents to actions across Microsoft and third-party systems. A typical CTI-driven Logic App workflow: Sentinel incident fires, Logic App receives the incident, queries MDTI for enrichment, queries Recorded Future for risk score, queries internal asset inventory for the affected host, creates a ServiceNow ticket pre-populated with enrichment, posts a summary to a Microsoft Teams channel, and tags the Sentinel incident with the assigned analyst.
Logic Apps pricing is consumption-based: a few cents per playbook run plus connector-specific costs. For a SOC processing 100-500 incidents per day with multi-step playbooks, Logic Apps cost is typically $5,000 to $25,000 per year. This is meaningfully cheaper than dedicated SOAR products like Splunk SOAR; the trade-off is that Logic Apps are general-purpose workflow tooling rather than security-specific, so SOC-specific abstractions (case management, playbook libraries) require custom implementation or marketplace add-ons.
For agentic SOC patterns that extend beyond Logic Apps playbooks, Microsoft Security Copilot is the integration layer that brings autonomous and semi-autonomous agent capability into the workflow. The combination of Logic Apps (deterministic playbooks) plus Security Copilot (reasoning over unstructured data) is the Microsoft answer to the multi-agent agentic SOC architecture.
Security Copilot multi-agent architecture
Microsoft Security Copilot is the agentic AI layer that wraps Sentinel, Defender XDR, MDTI, and the broader Microsoft security graph. The product became generally available in April 2024 and has expanded through 2025 and 2026 to incorporate the multi-agent architecture described in the April 2026 agentic SOC manifesto.
The capability set in 2026 includes natural-language KQL generation (ask in plain English, Security Copilot writes the KQL and runs it), incident summarisation (paste an incident, get a structured timeline plus likely root cause plus suggested next steps), alert triage agents (autonomous first-pass on alerts with human review gates on escalations), and threat-intel reasoning (ask about specific actors, campaigns, or techniques and get sourced answers from MSTIC and the broader Microsoft Threat Intelligence Center corpus).
Pricing is denominated in Security Compute Units (SCU) at approximately $4 per SCU per hour. Active SOC analysts typically consume 10-50 SCU per day depending on workload. For a 20-analyst SOC, Security Copilot alone often runs $50,000 to $200,000 per year. The capability is genuinely useful at this price point for the analyst-productivity case; the autonomous-decision case requires careful governance, particularly on high-impact actions like endpoint isolation or account lockout.
For the broader agentic SOC architecture and how Security Copilot fits against competing platforms (Dropzone AI, Prophet Security, Torq HyperSOC), see agentic SOC buildout.
Cost of a Sentinel-centric SOC
| Layer | Annual cost range (mid-market) | Notes |
|---|---|---|
| Sentinel ingestion (200 GB/day) | $150,000 - $300,000 | Pay-as-you-go or commitment tier. Commitment tier 15-50% cheaper at scale. |
| MDTI standalone (paid tier) | $12,000 - $30,000 | ~$20/user/mo for 50-100 analysts. Skip if the E5 limited tier is sufficient. |
| Security Copilot | $50,000 - $200,000 | ~$4/SCU/hr. 10-50 SCU/day/active-analyst typical. |
| Logic Apps SOAR | $5,000 - $25,000 | Consumption-based. Cheaper than dedicated SOAR products. |
| Commercial CTI subscription | $50,000 - $200,000 | Recorded Future Core, Mandiant Advantage entry tier, or equivalent. |
| Total Sentinel-centric SOC stack | $300,000 - $700,000 | Mid-market 200 GB/day, 20 analysts. Excludes salaries. |
Source: Microsoft Sentinel pricing page (Apr 2026), Microsoft Security Copilot pricing page (Apr 2026), Azure Logic Apps pricing reference, Vendr contract data 2024-2026. Last verified May 2026.
FAQ
How does Microsoft Sentinel handle threat intelligence?
Microsoft Sentinel has a dedicated Threat Intelligence menu where indicators are ingested, managed, and matched against logs. The native integration with Microsoft Defender Threat Intelligence (MDTI) is the primary source for Microsoft-licensed customers. Additional sources are ingested via the TAXII connector for STIX 2.x feeds, the Threat Intelligence Platforms (TIP) connector for vendor TIP integrations, and the upload-indicators API for custom feeds. Indicators flow into the ThreatIntelligenceIndicator table, where analytic rules and Security Copilot correlate them with logs in real time.
What is the TAXII connector and how does it work?
The Sentinel TAXII connector polls a configured TAXII 2.x server at a defined cadence and ingests STIX 2.x indicators into the ThreatIntelligenceIndicator table. It supports authentication via basic credentials or API keys. Common TAXII sources include OASIS-managed feeds, ISAC TAXII servers (FS-ISAC, MS-ISAC, others), commercial CTI vendor TAXII endpoints (Anomali, ThreatConnect, EclecticIQ all publish TAXII), and OSS sources (MISP supports TAXII export via the misp-taxii-server). The connector is the cleanest path for STIX-native integration into Sentinel and avoids vendor-specific custom code.
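The TAXII ingestion path in the architecture section and the TAXII connector answer above both reduce to the same two steps: turn STIX 2.x indicator objects into rows keyed by observable type and value, then join logs against the rows that are still valid. The Python below is an added illustration, not Sentinel's or any vendor's code; the bundle, ids, timestamps and log events are constructed, and the event field names dst_ip, dst_host and file_sha256 are assumptions standing in for the log columns a real matching rule would join on.

```python
import re
from datetime import datetime, timezone

# STIX object paths (single-comparison patterns) -> column the Sentinel TI-map rules join on.
STIX_PATH_TO_TYPE = {"ipv4-addr:value": "ip", "domain-name:value": "domain",
                     "url:value": "url", "file:hashes.'SHA-256'": "sha256"}
SINGLE_PATTERN = re.compile(r"^\[\s*([\w:.'\-]+)\s*=\s*'([^']*)'\s*\]$")

def norm(typ, value):  # URL paths are case-sensitive; IPs, hosts and digests are not
    return value if typ == "url" else value.lower()

def parse_pattern(pattern):
    # One comparison only, e.g. [domain-name:value = 'x']; compound AND/OR patterns return None.
    m = SINGLE_PATTERN.match(pattern)
    if not m or m.group(1) not in STIX_PATH_TO_TYPE:
        return None
    typ = STIX_PATH_TO_TYPE[m.group(1)]
    return typ, norm(typ, m.group(2))

def _ts(s):  # STIX timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def active_indicators(bundle, now):
    # Keep only indicators that are not revoked, valid at `now`, and mapped to a column.
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked") or _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue
        parsed = parse_pattern(obj.get("pattern", ""))
        if parsed:
            out[parsed] = obj["id"]
    return out

def match_events(events, indicators):
    # Join log events against active indicators by (type, value), as a TI-map rule does.
    fields = (("ip", "dst_ip"), ("domain", "dst_host"), ("sha256", "file_sha256"))
    return [(ev["id"], indicators[key]) for ev in events for typ, field in fields
            if field in ev and (key := (typ, norm(typ, ev[field]))) in indicators]

# Constructed sample data (placeholder ids/values): a TAXII-style bundle and three log events.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "valid_from": "2026-04-01T00:00:00Z", "valid_until": "2026-12-31T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",  # expired
     "pattern": "[domain-name:value = 'c2.example.net']",
     "valid_from": "2026-01-01T00:00:00Z", "valid_until": "2026-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[file:hashes.'SHA-256' = '" + "AB" * 32 + "']", "valid_from": "2026-04-01T00:00:00Z"}]}
EVENTS = [{"id": 1, "dst_ip": "203.0.113.10", "dst_host": "cdn.example.org"},
          {"id": 2, "dst_ip": "198.51.100.7", "dst_host": "c2.example.net"}, {"id": 3, "file_sha256": "ab" * 32}]
```

In this model, expired and compound-pattern indicators produce no rows, so a feed made up mostly of such objects can look ingested yet never match; check how your connector handles both before trusting a quiet matching rule.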
Does Recorded Future have a Sentinel integration?
Yes, several. Recorded Future for Microsoft Sentinel is published on Azure Marketplace and provides curated indicator ingestion into Sentinel, plus pre-built analytic rules and workbooks for visualisation. The Recorded Future Foundry-style integration also enables natural-language queries from Sentinel to the RF platform. Pricing requires an active RF subscription (Core tier minimum, $50k+); the Marketplace listing covers integration plumbing rather than data licensing.
How does Security Copilot use threat intelligence?
Security Copilot uses the indicators in the Sentinel ThreatIntelligenceIndicator table, the Microsoft Threat Intelligence Center actor profiles (via MDTI integration), and the broader Microsoft security graph as its knowledge corpus. Analysts can ask natural-language questions like 'show me alerts in the past 24 hours related to known APT-29 infrastructure' and Security Copilot generates the KQL query, runs it, and summarises the result. The multi-agent architecture from the April 2026 agentic SOC manifesto extends this with autonomous triage agents that process alerts in real time with human review on escalations.
What is the cost of a Sentinel-centric SOC stack?
Common Sentinel-centric SOC pricing in 2026: Sentinel ingestion at $2-4 per GB (200 GB/day reference profile lands at roughly $150k-$300k per year); Microsoft Defender Threat Intelligence standalone at approximately $20 per user per month for the paid tier; Security Copilot at $4 per SCU per hour (10-50 SCU/day/active-analyst typical); plus optional commercial feed subscriptions ($50k-$200k per year). Total Sentinel-centric SOC stack commonly runs $300k-$700k per year for mid-market, $700k-$2M for large enterprise.