
Microsoft Sentinel Watchlists & Threat Intelligence — IOC Matching, TAXII & STIX in 2026

Microsoft Sentinel turns raw threat feeds into live detections by joining them against your log data. This lesson walks through watchlists for fast enrichment, the three TI connectors (TAXII, MDTI, Upload API), the Threat Intelligence blade, the new ThreatIntelIndicators table, IOC-matching analytics rules, and STIX — everything you need for the SC-200 exam and the real SOC.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn Microsoft Sentinel watchlists and threat intelligence (2026): TAXII feeds, MDTI connector, TI platform, STIX objects, the ThreatIntelIndicators table, and IOC-matching analytics rules that turn raw logs into detections.

Pick where you want to start

1. Watchlists: CSV enrichment tables inside your workspace.
2. TI connectors: TAXII, MDTI and the Upload API compared.
3. TI blade & tables: Threat Intelligence blade, ThreatIntelIndicators, STIX.
4. IOC-matching rules: Analytics rules, tuning, and live detections.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is a Sentinel watchlist primarily used for?

Answered in Watchlists.

2. Which connector brings in Microsoft-curated threat intel at no extra cost?

Answered in TI connectors.

3. Where does ingested IOC data land in the Sentinel workspace?

Answered in TI blade & tables.

Most engineers think…

Many people think 'threat intelligence in Sentinel' just means 'subscribe to a feed and wait for alerts'. That works — barely — but it misses the architecture.

Sentinel threat intelligence is a pipeline: ingest (TAXII, MDTI or Upload API) → store (ThreatIntelIndicators or ThreatIntelObjects tables) → match (built-in IOC-matching analytics rules join raw logs against indicators) → fire an incident. Watchlists plug into this pipeline as a fast KQL-queryable lookup, letting you enrich or suppress matches with context — VIP lists, safe IP ranges, subnet maps — without touching the main log tables. Getting this pipeline right is what separates a noisy feed subscription from a high-fidelity SOC detection engine.

① Watchlists — fast enrichment tables inside your workspace

A watchlist in Microsoft Sentinel is a CSV file you upload to the workspace and query by name in KQL, like a small reference table. When you create it you nominate one column as the SearchKey, the column you will join on. Typical uses: a list of VIP user accounts that need priority alerting, known-bad IP ranges to suppress or escalate, subnet-to-site mappings for geographic context, or a list of recently terminated employees. The watchlist lives in your Log Analytics workspace and is queried with the _GetWatchlist() function — no extra table ingestion cost, just a small flat-file join.

The key difference from a raw log join: watchlists are semi-static reference data, not streaming events. They refresh on upload (or via API) and are ideal for context that changes slowly — asset inventories, trust lists, geofencing. In analytics rules you add a watchlist lookup either to enrich a match with context or to suppress matches from known-good sources before an alert fires, keeping your incident queue clean.
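The two patterns in one query, as an added example for this lesson (not code from the page or from Microsoft). It assumes two watchlists you create yourself, VIPUsers (SearchKey = UserPrincipalName, extra column Department) and SafeSourceIPs (SearchKey = IPAddress); both names and columns are placeholders. Failed sign-ins from trusted IPs are suppressed with a watchlist exclusion, and the remaining accounts are enriched with a VIP tag that lowers the alert threshold:

```kql
// Added example, not Microsoft's code. Watchlist names and columns are assumptions:
//   VIPUsers       SearchKey = UserPrincipalName, extra column Department
//   SafeSourceIPs  SearchKey = IPAddress (VPN egress, vulnerability scanners)
let vip = _GetWatchlist('VIPUsers')
    | project UPN = tolower(SearchKey), Department;
let safeIPs = _GetWatchlist('SafeSourceIPs')
    | project SearchKey;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                        // failed sign-ins only
| extend UPN = tolower(UserPrincipalName)
// Suppression: source IPs the SOC has explicitly trusted never reach the alert
| where IPAddress !in (safeIPs)
// Enrichment: leftouter keeps every account; VIP accounts gain a Department tag
| join kind=leftouter vip on UPN
| extend IsVIP = isnotempty(Department)
| summarize Failures = count(), SourceIPs = make_set(IPAddress, 10)
          by UPN, IsVIP, Department
// Lower threshold for VIP accounts, higher for everyone else
| where (IsVIP and Failures >= 3) or Failures >= 20
| order by IsVIP desc, Failures desc
```

The suppression happens before the join and the aggregation, so trusted scanners never inflate the failure counts; the enrichment uses a leftouter join so non-VIP accounts are kept and simply carry an empty Department.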

Figure 1 — Watchlist enrichment flow: Upload CSV (via portal or API) → KQL lookup (_GetWatchlist() join) → Enrich event (add VIP / subnet tag) → Rule decides (alert or suppress) → Incident (clean, contextual).
A watchlist CSV is uploaded once and queried in KQL analytics rules to enrich or suppress matches before an alert fires.
Watchlists are free KQL joins

Watchlist rows do not cost Log Analytics ingestion. Use them freely for context tables — VIP lists, department-to-subnet maps, recently terminated employees. Update them via the portal or the Watchlist API when the data changes.

Quick check · Q1 of 10 · Understand

What is the primary purpose of a Sentinel watchlist?

Correct: b. Watchlists are KQL-queryable CSV tables used for enrichment (e.g. tagging VIP users) or suppression (e.g. ignoring known-safe IPs). They are not log tables or TI connectors.
👉 So far: Watchlist = semi-static CSV reference table queried with _GetWatchlist() in KQL — use for VIP enrichment, safe-IP suppression and subnet context, not for streaming log data.

② TI connectors — TAXII, MDTI and the Upload API

Microsoft Sentinel offers three ways to bring in threat indicators. The TAXII connector (Data connectors → Threat Intelligence – TAXII) accepts TAXII 2.0 and 2.1 feeds — most commercial and open-source TI providers (e.g. Pulsedive, AlienVault OTX, Recorded Future, ISAC feeds) expose a TAXII server. You give Sentinel the API root URL, a collection ID and credentials, and it polls on a schedule. Indicators arrive as STIX bundles.

MDTI and the Upload API

The Microsoft Defender Threat Intelligence (MDTI) connector brings in Microsoft-curated indicators at no additional licence cost — high-confidence IOCs from Microsoft's own telemetry. Once enabled it writes into the ThreatIntelIndicators table automatically. The Threat Intelligence Upload API lets you push STIX objects programmatically from your own platform or SOAR via REST, which is useful for homegrown feeds or platforms that do not speak TAXII. Indicators from all three routes land in ThreatIntelIndicators; non-indicator STIX objects pushed through the Upload API land in ThreatIntelObjects.

Figure 2 — Three TI connectors, one destination: TAXII connector, MDTI connector, Upload API, and manual entry in the TI blade all feed the ThreatIntelIndicators table.
All three connectors funnel indicators into ThreatIntelIndicators in the same workspace.
📋 Watchlist
A CSV reference table inside the workspace. Queried with _GetWatchlist() in KQL. Used for VIP lists, safe-IP suppression, subnet maps — semi-static enrichment data, not streaming events.

📡 TAXII connector
Polls a TAXII 2.0 / 2.1 server on a schedule. Accepts STIX bundles from commercial or open-source feeds. Needs API root URL, collection ID and credentials.

🛡️ MDTI connector
Microsoft Defender Threat Intelligence connector — brings in Microsoft-curated high-confidence IOCs at no additional licence cost, enriched with GeoLocation and WhoIs.

🔗 IOC-matching rule
A built-in scheduled KQL analytics rule that joins ThreatIntelIndicators against a log table (e.g. CommonSecurityLog, DNS events) and raises an incident on a match.

Forgetting the legacy table cutover

Microsoft stopped ingesting data into ThreatIntelligenceIndicator after July 2025. Any custom queries, workbooks or automation still referencing the old table return no results. Update all references to ThreatIntelIndicators (IOCs) and ThreatIntelObjects (STIX actors, patterns, relationships).

Quick check · Q2 of 10 · Remember

Which Sentinel TI connector brings in Microsoft-curated indicators at no additional licence cost?

Correct: c. The MDTI connector is the Microsoft-native option that ingests high-confidence indicators from Microsoft's own telemetry at no extra licence cost. TAXII and the Upload API are for third-party or custom feeds.
👉 So far: Three TI connectors all feed ThreatIntelIndicators: TAXII (third-party STIX feeds), MDTI (Microsoft-curated, free), Upload API (programmatic custom feeds).

③ The Threat Intelligence blade, ThreatIntelIndicators & STIX objects

The Threat Intelligence blade (Sentinel → Threat intelligence) is your indicator management UI. It shows all ingested indicators, lets you filter by type (IP, domain, URL, file hash, email), confidence score, threat type and validity date. You can add indicators manually here too — handy for ad-hoc IOC response. Microsoft enriches IP and domain indicators with GeoLocation and WhoIs data automatically, giving analysts extra context without a separate enrichment step.

Since April 2025, Sentinel uses two tables. ThreatIntelIndicators holds STIX Indicator objects — the classic IOCs: IP addresses, domain names, URLs, file hashes, email addresses. ThreatIntelObjects holds non-indicator STIX objects: Threat Actors, Attack Patterns (MITRE ATT&CK techniques), Identities, Relationships, and Malware — richer context for threat hunting beyond simple matches. Custom queries, workbooks and analytics rules should reference these new tables; the legacy ThreatIntelligenceIndicator table stopped receiving data after July 2025.

STIX version matters here: Sentinel supports STIX 2.0 and 2.1 bundles from TAXII and the Upload API, and maps them to the appropriate table on ingest.
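A hunting query over ThreatIntelObjects, added here as an example (not code from the lesson or from Microsoft), that walks threat-actor → relationship → attack-pattern and lists the MITRE ATT&CK techniques attributed to each actor. Column names follow the ThreatIntelObjects schema (StixType, Id, and Data holding the raw STIX object); the field names inside Data (name, aliases, relationship_type, source_ref, target_ref, external_references) are from the STIX 2.1 specification. The actor filter is a placeholder and is left empty so every actor is listed; verify the column names against your own workspace before relying on the query.

```kql
// Added example, not Microsoft's code. Assumes ThreatIntelObjects exposes
// StixType, Id and Data (the STIX object as dynamic JSON).
let lookback = 90d;
let actor_filter = "";                          // e.g. an actor name or alias; "" = all
// Objects are re-ingested when updated, so keep the newest copy of each Id
let latest = (stix_type: string) {
    ThreatIntelObjects
    | where TimeGenerated > ago(lookback) and StixType == stix_type
    | summarize arg_max(TimeGenerated, *) by Id
};
let actors = latest("threat-actor")
    | project ActorRef = Id,
              Actor = tostring(Data.name),
              Aliases = tostring(Data.aliases);
let techniques = latest("attack-pattern")
    | mv-expand ref = Data.external_references
    | where tostring(ref.source_name) == "mitre-attack"   // keep the ATT&CK ID only
    | project PatternRef = Id,
              Technique = tostring(Data.name),
              TechniqueId = tostring(ref.external_id);
// STIX expresses "actor uses technique" as a relationship object
latest("relationship")
| where tostring(Data.relationship_type) == "uses"
| project ActorRef = tostring(Data.source_ref), PatternRef = tostring(Data.target_ref)
| join kind=inner actors on ActorRef
| join kind=inner techniques on PatternRef
| where isempty(actor_filter) or Actor has actor_filter or Aliases has actor_filter
| summarize TechniqueCount = dcount(TechniqueId),
            Techniques = make_set(strcat(TechniqueId, " ", Technique))
          by Actor, Aliases
| order by TechniqueCount desc
```

The relationship object is the pivot: neither the actor nor the attack pattern carries a reference to the other, so an actor profile is always three objects joined on their STIX ids. Set actor_filter to a name or alias seen in an incident to narrow the output to one group.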

Figure 3 — ThreatIntelIndicators vs ThreatIntelObjects. ThreatIntelIndicators: STIX Indicator objects (IP, domain, URL, hash, email); powers IOC-matching rules; queried in most detections. ThreatIntelObjects: non-indicator STIX objects (actors, techniques, relationships); threat-hunting context; actor profiling and attribution.
The two new tables split classic IOCs from richer STIX objects introduced in the April 2025 public preview.
Check the TI blade before the incident queue

Before troubleshooting a suspected IOC match, open Sentinel → Threat intelligence to confirm the indicator is actually ingested, active, and not expired (ValidUntil). A connector that silently stopped polling will give you no indicators and therefore no matches — even though everything else looks fine.
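The same check as a query, added here as an example (not from the lesson or from Microsoft): per SourceSystem it reports how many indicators a map rule could actually use right now and when the feed last delivered anything. A feed whose LastIngest is older than its polling interval is the silent failure described above. Column names follow the ThreatIntelIndicators schema (SourceSystem, Id, IsActive, ValidUntil, Confidence, ObservableKey); the 24-hour staleness threshold and the 50-point confidence bar are assumptions to adjust per feed.

```kql
// Added example, not Microsoft's code. stale_after should match (or slightly
// exceed) the polling interval configured on each TAXII connector.
let stale_after = 24h;
let min_confidence = 50;
ThreatIntelIndicators
| where TimeGenerated > ago(30d)
// Every update re-ingests the indicator, so count each Id once, newest version wins
| summarize arg_max(TimeGenerated, *) by Id
| extend Status = case(IsActive == false,           "inactive",
                       ValidUntil <= now(),         "expired",
                       Confidence < min_confidence, "low-confidence",
                                                    "usable")
| summarize Indicators    = count(),
            Usable        = countif(Status == "usable"),
            Expired       = countif(Status == "expired"),
            LowConfidence = countif(Status == "low-confidence"),
            Inactive      = countif(Status == "inactive"),
            LastIngest    = max(TimeGenerated),
            Types         = make_set(ObservableKey, 10)
          by SourceSystem
| extend FeedStale = LastIngest < ago(stale_after)
| order by FeedStale desc, Usable asc
```

A row with FeedStale = true and a healthy-looking Indicators count is the classic case: the table still holds old rows, the TI blade still shows indicators, but nothing new has arrived and the rule's ValidUntil filter quietly drops the rest. Pin this query to a workbook or wrap it in a scheduled rule of its own so a dead connector pages the SOC instead of failing silently.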

▶ Walkthrough: an IOC from a TAXII feed fires a Sentinel incident

How a malicious IP from a TAXII feed travels from ingest to incident on the healthy path:

① TAXII poll: Sentinel polls the TAXII server on schedule and fetches a STIX bundle containing a malicious IP indicator with Confidence 80 and a future ValidUntil date.
② IOC stored: the indicator is written to ThreatIntelIndicators in the Log Analytics workspace. The TI blade shows it as active and enriched with GeoLocation data.
③ Analytics rule fires: the scheduled TI map IP analytics rule joins ThreatIntelIndicators against CommonSecurityLog and finds a matching source IP in a firewall event from this morning.
④ Incident created: Sentinel raises an incident with the IOC details, the matched firewall event, and mapped entities (IP, account, host), ready for analyst triage.

The silent-failure version of this path is the one the callout above warns about: if the poll in step ① stops (expired connector credentials) or the indicator has passed its ValidUntil, steps ③ and ④ never happen even though the malicious IP is in the firewall logs.
Quick check · Q3 of 10 · Analyze

An analyst wants to hunt for relationships between a known threat actor and attack patterns used in recent incidents. Which table should they query?

Correct: d. ThreatIntelObjects holds non-indicator STIX objects including Threat Actors, Attack Patterns, and Relationships. ThreatIntelIndicators holds classic IOCs (IPs, domains, hashes). The legacy table was retired after July 2025.
👉 So far: ThreatIntelIndicators = IOCs (IP, domain, URL, hash). ThreatIntelObjects = STIX actors, attack patterns, relationships. Legacy ThreatIntelligenceIndicator table retired after July 2025.

④ IOC-matching analytics rules — from feed to fired incident

Ingesting indicators is not detection — you need IOC-matching analytics rules to turn indicators into alerts. Sentinel ships a family of built-in TI map rules in the Analytics templates gallery, with names like TI map IP entity to CommonSecurityLog, TI map Domain entity to DNS Events, and TI map URL entity to OfficeActivity. Each rule does a scheduled KQL join between ThreatIntelIndicators and a specific log table, looking for matching field values. When a match fires, it raises an incident with the indicator details, the matched event, and the entities for investigation.

Tuning is critical. Raw TI feeds carry low-confidence indicators — broad IP ranges, aged domains — that produce noise. Best practice: filter on the Confidence column (e.g. > 50; the legacy table called it ConfidenceScore), drop indicators whose ValidUntil is in the past, use watchlists to suppress known-safe IPs (your CDN ranges, internal scanners), and track each rule's false-positive rate in the Security Operations Efficiency workbook. You can also write custom KQL analytics rules that join ThreatIntelIndicators directly for log sources that have no built-in map rule. Start in a low-severity test rule, validate for a week, then promote to production severity.

Figure 4 — IOC match to incident pipeline: IOC ingested (TAXII / MDTI / API) → Analytics rule (KQL join on field) → Confidence filter (score + ValidUntil) → Match fires (alert raised) → Incident (entities + IOC context).
An IOC from a TAXII feed fires an incident only after passing through the analytics rule join and confidence filter.

Priya, a SOC analyst at a Mumbai fintech firm, faces this

After enabling the TAXII connector to an open-source feed, the Sentinel incident queue floods with hundreds of low-severity IOC match alerts per day, mostly for IP addresses that belong to major CDN providers.

Likely cause

The built-in TI map rule has no confidence-score filter and no watchlist suppression — every IP in the feed, regardless of quality or validity date, is matched against CommonSecurityLog.

Diagnosis

Open Sentinel → Analytics → find the TI map IP rule → inspect the KQL: no confidence filter. Check ThreatIntelIndicators: many entries have Confidence below 30 and ValidUntil in the past.

Sentinel ▸ Analytics ▸ TI map rule KQL ▸ Threat Intelligence blade ▸ Watchlist (CDN-safe-IPs)
Fix

Edit the analytics rule KQL to keep only indicators with Confidence > 50 and ValidUntil > now(). Create a watchlist of known CDN and internal IP ranges and add a watchlist exclusion (a !in check against _GetWatchlist()) in the rule. Re-enable the rule at low severity for one week before raising it.

Verify

Incident count drops by more than 80%. Remaining alerts are genuine matches on high-confidence, current IOCs. Priya promotes the rule to medium severity and closes the false-positive flood ticket.
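The tuned rule itself, serving both the tuning guidance in this section and Priya's fix, as an added example for this lesson (not the lesson's code and not Microsoft's template). It follows the shape of the built-in TI map IP entity to CommonSecurityLog rule and adds the three controls: a Confidence threshold, a ValidUntil check, and a watchlist exclusion. Column names follow the ThreatIntelIndicators schema (Id, ObservableKey, ObservableValue, IsActive, ValidUntil, Confidence, Data, SourceSystem; see source 4 under Sources); the watchlist name CDN-safe-IPs, the 50-point threshold and the 14-day indicator window are assumptions to tune per workspace.

```kql
// Added example, not Microsoft's template. Assumes a watchlist 'CDN-safe-IPs'
// whose SearchKey column holds the CDN and internal scanner IPs to suppress.
let dt_lookBack    = 1h;    // log window; matches an hourly rule schedule
let ioc_lookBack   = 14d;   // how far back to collect indicator rows
let min_confidence = 50;
let safe_ips = _GetWatchlist('CDN-safe-IPs') | project SearchKey;
let ip_indicators = ThreatIntelIndicators
    | where TimeGenerated > ago(ioc_lookBack)
    | where ObservableKey in ("ipv4-addr:value", "ipv6-addr:value")
    // Updates arrive as new rows for the same Id, so keep the newest row per
    // indicator BEFORE checking IsActive; otherwise a revoked IOC still matches
    | summarize arg_max(TimeGenerated, *) by Id
    | where IsActive == true and ValidUntil > now()     // revoked or stale: out
    | where Confidence > min_confidence                 // low-quality feed rows: out
    | project IndicatorId = Id, TI_IP = ObservableValue, Confidence, ValidUntil,
              SourceSystem,
              Pattern = tostring(Data.pattern),         // the STIX pattern, for the analyst
              Description = tostring(Data.description);
CommonSecurityLog
| where TimeGenerated > ago(dt_lookBack)
| where isnotempty(SourceIP)
// Watchlist suppression: CDN ranges and internal scanners never reach the join
| where SourceIP !in (safe_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceName, DeviceAction,
          SourceIP, SourcePort, DestinationIP, DestinationPort
| join kind=innerunique ip_indicators on $left.SourceIP == $right.TI_IP
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction,
          DeviceVendor, DeviceProduct, DeviceName,
          IndicatorId, SourceSystem, Confidence, ValidUntil, Pattern, Description
```

Schedule it to run every hour with a one-hour lookup so dt_lookBack and the schedule agree, map SourceIP to the IP entity and DeviceName to the Host entity in the rule's entity mapping, and keep the Confidence and ValidUntil filters on the indicator side of the join: filtering before the join keeps the joined set small and makes the rule's cost predictable as the feed grows.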

Quick check · Q4 of 10 · Apply

A built-in TI map analytics rule is generating too many false-positive incidents from low-quality IP indicators. What is the best first tuning step?

Correct: c. Add a confidence-score filter and a ValidUntil check to the rule. This removes low-quality, stale indicators without losing the feed entirely. Deleting all indicators (option a) is destructive and wrong.
👉 So far: IOC-matching analytics rules join ThreatIntelIndicators against log tables on a schedule. Filter by Confidence and ValidUntil, suppress with watchlists, and validate at low severity before promoting the rule.


📝 Wrap-up assessment — six more


Q5 · Remember

Which KQL function queries a Sentinel watchlist by name?

Correct: a. _GetWatchlist('name') is the purpose-built KQL function that returns rows from a named watchlist as a queryable table. The other options are not valid Sentinel KQL patterns for watchlists.
Q6 · Understand

The TAXII connector in Microsoft Sentinel is used to…

Correct: b. The TAXII connector polls a TAXII 2.0/2.1 server on a schedule and imports STIX bundles containing indicators. It is not an export or forwarding mechanism.
Q7 · Understand

Which table should a custom detection rule use to access current IOCs after July 2025?

Correct: c. Microsoft retired ThreatIntelligenceIndicator after July 2025. Current IOC data lands in ThreatIntelIndicators (Indicator STIX objects). Non-indicator STIX objects go to ThreatIntelObjects.
Q8 · Apply

Priya wants to enrich her TI map IP analytics rule so that firewall hits from internal scanner IPs are never alerted. What should she add?

Correct: b. A suppression watchlist combined with a NOT IN / exclusion join is the standard pattern. Adding a connector, a second workspace, or manual indicators would not suppress the alerts.
Q9 · Analyze

Why might a TI map analytics rule produce zero incidents even when known-malicious IPs appear in firewall logs?

Correct: b. Expired connector credentials stop new indicator ingest; expired ValidUntil dates exclude old indicators from the rule join. The result: the rule runs but finds no active matching indicators, even if malicious IPs are in the logs.
Q10 · Evaluate

An analyst needs to profile a known threat actor group and understand which MITRE ATT&CK techniques they use. Which data source in Sentinel is best suited for this?

Correct: c. ThreatIntelObjects stores non-indicator STIX objects including Threat Actors, Attack Patterns (mapped to MITRE ATT&CK), and Relationships between them. This is richer than raw IOCs and enables attribution-level threat hunting.

🧠 In your own words

Write one line: what is the difference between a watchlist and the ThreatIntelIndicators table in Sentinel? Then compare with the expert version.

Expert version: A watchlist is a semi-static CSV reference table you upload and query with _GetWatchlist() — it holds your own context data (VIP users, safe IPs, subnet maps) and costs no ingestion. ThreatIntelIndicators is a Log Analytics table populated automatically by Sentinel TI connectors (TAXII, MDTI, Upload API) with external threat indicators (IPs, domains, hashes) in STIX format. Analytics rules join logs against ThreatIntelIndicators for detection; they join logs against watchlists for enrichment or suppression. Both appear in KQL but they serve opposite purposes: one brings in attacker data, the other brings in your own context.


📖 Glossary

Watchlist
A CSV reference table in a Sentinel workspace queried via _GetWatchlist() in KQL — used for enrichment or suppression of analytics rule results.
TAXII connector
Sentinel data connector that polls a TAXII 2.0 / 2.1 server on a schedule and imports STIX-formatted indicator bundles from third-party TI providers.
MDTI connector
Microsoft Defender Threat Intelligence connector — brings Microsoft-curated, high-confidence IOCs into Sentinel at no additional licence cost.
ThreatIntelIndicators
The current Log Analytics table holding STIX Indicator objects (IP, domain, URL, file hash, email) ingested by all three TI connectors.
ThreatIntelObjects
The Log Analytics table holding non-indicator STIX objects: Threat Actors, Attack Patterns, Identities, Relationships, and Malware — for threat hunting beyond IOC matching.
STIX
Structured Threat Information eXpression — a JSON-based open standard for describing threat intelligence objects including indicators, actors, techniques and relationships.
IOC-matching analytics rule
A built-in or custom Sentinel scheduled analytics rule that joins ThreatIntelIndicators against a log table and fires an incident when a field value matches an active indicator.
Confidence score
The Confidence column on each indicator, 0–100, reflecting the TI provider's certainty (the legacy ThreatIntelligenceIndicator table called it ConfidenceScore). Filtering to scores above ~50 in analytics rules is the primary way to reduce false positives from low-quality feeds.
ValidUntil
A timestamp field on each indicator marking when it expires. Analytics rules should filter ValidUntil > now() to exclude stale indicators from matches.
TI blade
The Threat Intelligence section in the Sentinel portal where all ingested indicators are visible, filterable by type and confidence, and manually manageable.

📚 Sources

  1. Microsoft Learn — Understand threat intelligence in Microsoft Sentinel. learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
  2. Microsoft Learn — Threat intelligence integration in Microsoft Sentinel (connectors, TAXII, Upload API). learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration
  3. Microsoft TechCommunity — Announcing Public Preview: New STIX Objects in Microsoft Sentinel (ThreatIntelIndicators & ThreatIntelObjects). techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164
  4. Microsoft Learn — Work with STIX objects and indicators in Microsoft Sentinel. learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
  5. Jeffrey Appel — Microsoft Defender Threat Intelligence (Defender TI) integrations with Microsoft Sentinel. jeffreyappel.nl/defender-ti-integrations-with-microsoft-sentinel/
  6. OneUptime Blog — How to Configure Microsoft Sentinel Threat Intelligence Connectors and Indicator Matching Rules (2026). oneuptime.com/blog/post/2026-02-16-how-to-configure-microsoft-sentinel-threat-intelligence-connectors-and-indicator-matching-rules/view

What's next?

Threat intel feeds your detections; automation closes the loop. Next, explore Microsoft Sentinel automation rules and Logic App playbooks — how to auto-triage, enrich and respond the moment an IOC match fires an incident.