Azure Sentinel: Import Indicators from TruSTAR

Updated 6 months ago by Sachit Soni

This script for Microsoft Azure Sentinel exports Indicators from specified TruSTAR Enclaves and imports them into the Azure Sentinel Monitor log. This provides additional metadata to Azure Sentinel users, including normalized indicator scores and tags.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID(s)
  • Azure Sentinel customer ID and shared key
  • Frequency of script execution. The default is every 24 hours but you can request a different time interval to meet your organization's needs.

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Searches the specified TruSTAR Enclave(s) for all Indicators added since the script was last run. The default is 24 hours but you can request a customized interval.
  2. Initializes Sentinel SDK with the customer ID and shared key you provided to TruSTAR.
  3. Exports TruSTAR Indicators in JSON format into the Azure Monitor log.

Any issues or questions about this script, please contact

How Did We Do?