Azure Sentinel: Import Indicators from TruSTAR

Updated 3 months ago by TruSTAR

This script for Microsoft Azure Sentinel exports Indicators from specified TruSTAR Enclaves and imports them into the ThreatIntelligenceIndicator table in Azure Sentinel. This provides additional metadata to Azure Sentinel users, including normalized indicator scores and tags.

Activating the Script

  1. Create an AD App in the Azure portal & assign permissions (link to Microsoft Docs here)
  2. Create an App Secret for that new AD App.
  3. Contact your TruSTAR account manager and provide the following information:
  • Source Enclave ID(s)
  • App ID
  • App Secret
  • Tenant ID

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Searches the specified TruSTAR Enclave(s) for all Indicators once every 24 hours.
  2. Converts TruSTAR indicators into Sentinel indicators.
  3. Divides the Sentinel indicators into batches of 100 and uploades each batch separately to the Sentinel ThreatIntelligenceIndicator table.

Any issues or questions about this script, please contact

How Did We Do?