← Back to integrations
SIEM

Microsoft Sentinel

Trusteed enriches Microsoft Sentinel with IP risk scores and context, surfacing real threats and reducing false positives in the cloud.

Prerequisites

  • Microsoft Sentinel enabled in your Azure tenant
  • Log Analytics workspace
  • Trusteed account with IP Enrichment feed
  • Trusteed Sentinel Connector (provided by Trusteed)

Setup Steps

  1. Deploy the Trusteed Connector as an Azure Function or container with outbound internet access.
  2. Configure credentials (Trusteed API + Azure ingestion key).
  3. Connector fetches IP feed (IP, RiskScore, Category, FirstSeen, LastSeen).
  4. Data ingested into a custom Sentinel table (Trusteed_IP_Enrichment_CL).
  5. Create Sentinel Analytics Rules using KQL:

SecurityEvent
| lookup Trusteed_IP_Enrichment_CL on $left.SourceIP == $right.IP
| where RiskScore > 80

Outcome

  • Sentinel rules trigger on high-risk IPs, not background noise.
  • Enrichment available in dashboards and hunting queries.