• Last Updated
    Jul 15, 2025
  • Version
    1.1.4
  • Compatibility
    ThreatQ Versions >= 5.25.0
  • ThreatQ Action Bundle for Microsoft Azure Sentinel

    ThreatQuotient

    Overview

    The ThreatQ Action Bundle for Microsoft Azure Sentinel provides actions that enrich the objects in a specific collection and that add those objects to, or delete them from, your Microsoft Azure Sentinel instance.

    The action YAML installs the following actions:

    • Microsoft Azure Sentinel Enrich Indicators - queries indicators in the Threat Library against Microsoft Sentinel and enriches them with the returned data.
    • Microsoft Azure Sentinel Add Tag - adds user defined tags to indicators in a data collection both in the Microsoft Sentinel context and in TQ.
    • Microsoft Azure Sentinel Export Collection - queries indicators in the Threat Library against Microsoft Sentinel and adds them if not present.
    • Microsoft Defender ATP Export Collection - adds the indicators in the Threat Library to Microsoft Defender ATP.
    • Microsoft Azure Sentinel Delete Collection - queries indicators in the Threat Library against Microsoft Sentinel and deletes them if present.
    • Microsoft Azure Sentinel Create Incidents - uses ThreatQ objects to create incidents in Microsoft Sentinel.

    The actions are compatible with the following object types:

    • Campaigns
    • Events
    • Incidents
    • Indicators
      • CIDR Block
      • Email Address
      • Filename
      • File Path
      • FQDN
      • IP Address
      • IPv6 Address
      • Mutex
      • URL
      • SHA-1
      • SHA-256
      • MD5

    The actions return the following enriched system objects:

    • Campaigns
      • Campaign Attributes
    • Events
      • Event Attributes
    • Incidents
      • Incident Attributes
    • Indicators
      • Indicator Attributes

    Note: This action bundle is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

    Copyright © 2025, ThreatQuotient, Inc. All Rights Reserved.