Skip to main content
Download the Buyer’s Guide for Cyber Risk Quantification Solutions
Download Guide
Request a Demo

ThreatConnect and Microsoft Azure Sentinel: The New Age of Incidents and Alerts

With the Microsoft Azure Sentinel Playbook app and Service app, you can better manage and ingest Incidents and Alerts in Azure Sentinel. ThreatConnect provides context on indicators and enables you to easily spot abnormal trends and patterns to act on them efficiently. Additionally, analysts working in Azure Sentinel can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. You can then tie your data to Playbooks to automate nearly any cybersecurity task and respond to threats faster directly from Azure Sentinel – as well as send data to other tools like your EDR or Network Security tools for alerting or blocking purposes. The following actions are available:

  • Create Incident Comment
  • Get Alert
  • Get Incident
  • List Alerts
  • List Incidents
  • Update Incident

ThreatConnect and Microsoft Azure Sentinel: The New Age of Incidents and Alerts

Microsoft Azure Sentinel Playbook App

The following capabilities are available:

  1. Indicator Matching
    • As part of a security process, you can send available threat data from ThreatConnect into Azure Sentinel for validated alerting and receive the necessary context to be able to take action on malicious indicators. By automating this process, you ensure that high fidelity intelligence is being sent between the two solutions and that you and your team have all the information needed to make informed decisions.
  2. Alert Triage and Incident Investigation
    • As part of an investigation, you can now ingest Incidents and Alerts from Azure Sentinel as Cases in ThreatConnect. From there, ThreatConnect Workflow can orchestrate a predefined Alert triage process and guide you through a combination of automated and manual tasks to resolve the Incident. Additionally, the original Incident in Azure Sentinel can automatically be updated containing the results of the investigation, and the status can be marked as closed or as a false positive.
  3. Retroactive Threat Hunting
    • As part of an investigation, you may want to search Azure Sentinel events for matching ThreatConnect indicators. By automating this process, you introduce efficiency and consistency while removing tedious tasks from your analyst team. 
  4. ROI Reporting
    • As part of a reporting process, ThreatConnect can track the number of False Positives and Observations found by Azure Sentinel. Create dashboards to report important ROI metrics that can then be shared with other relevant team members and business leaders. 

With the Microsoft Azure Sentinel playbook and service app, you can better manage and ingest Incidents and Alerts in Azure Sentinel.  If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the Azure Sentinel App. If you’re not yet a customer and are interested in ThreatConnect and this integration, please contact us at

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at