← Back to integrations
SIEM
Microsoft Sentinel
Trusteed enriches Microsoft Sentinel with IP risk scores and context, surfacing real threats and reducing false positives in the cloud.
Prerequisites
- Microsoft Sentinel enabled in your Azure tenant
- Log Analytics workspace
- Trusteed account with IP Enrichment feed
- Trusteed Sentinel Connector (provided by Trusteed)
Setup Steps
- Deploy the Trusteed Connector as an Azure Function or container with outbound internet access.
- Configure credentials (Trusteed API + Azure ingestion key).
- Connector fetches IP feed (
IP, RiskScore, Category, FirstSeen, LastSeen). - Data ingested into a custom Sentinel table (
Trusteed_IP_Enrichment_CL). - Create Sentinel Analytics Rules using KQL:
SecurityEvent
| lookup Trusteed_IP_Enrichment_CL on $left.SourceIP == $right.IP
| where RiskScore > 80
Outcome
- Sentinel rules trigger on high-risk IPs, not background noise.
- Enrichment available in dashboards and hunting queries.