Integrating OpenCTI with Microsoft Sentinel

by Pierre COLLARD - Senior Cloud Security Architect Lead, Sopra Steria Canada
by Gurkamal BEDI - Network & Security Engineer, Sopra Steria Canada

In today’s rapidly evolving threat landscape, SOC teams need every advantage to identify and respond to advanced threats effectively. While Microsoft Sentinel offers powerful out-of-the-box SIEM capabilities and seamless XDR integration, its effectiveness can be significantly amplified through enhanced threat intelligence.

Integrating Sentinel with OpenCTI lets organizations push curated Indicators of Compromise (IOCs) from OpenCTI into Sentinel's threat intelligence store automatically, where Sentinel's built-in TI matching analytic rules pick them up. Indicators arrive as they are created, updated or revoked in OpenCTI, and the incidents they raise carry OpenCTI's context with them. Because OpenCTI models its knowledge in STIX and maps it to MITRE ATT&CK, a raw Sentinel alert can be turned into a contextualized incident with the adversary attribution OpenCTI holds and the associated Tactics, Techniques, and Procedures (TTPs).

By integrating OpenCTI with Microsoft Sentinel, Sopra Steria’s Managed Detection & Response (MDR) teams have improved threat correlation activities by connecting seemingly unrelated alerts into actionable threat patterns, while also reducing false positives by over 50%.

In this article, we explain how to integrate OpenCTI with Microsoft Sentinel using OpenCTI Live Streams and the Microsoft Graph tiIndicators API, which the Sentinel "Threat Intelligence Platforms" data connector exposes. One caveat before you start: Microsoft has announced the deprecation of the Graph tiIndicators API in favour of the Sentinel Upload Indicators API, and the OpenCTI connector has been following that migration, so check the README of the connector version you deploy to confirm which API and which settings apply to it. The overall flow described here is the same for both.

Prerequisites

Technical Requirements:

  • An active Microsoft Sentinel instance.
  • A configured OpenCTI instance (on-premises or SaaS).
  • A privileged role in Entra ID to grant admin consent for app registration.

Knowledge Prerequisites:

  • Familiarity with API configurations.
  • Familiarity with Docker containers for on-premises deployments.

1. Why Integrate Microsoft Sentinel with OpenCTI?

The right tool for the right job:

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution designed to help organizations identify and respond to potential security threats. Think of it as a powerful command center for your IT security operations. It collects data from across your network—devices, applications, servers, and more—and uses advanced analytics and machine learning to detect unusual behavior that might indicate a cyberattack. For example, if an unauthorized user tries to log in repeatedly or transfer large amounts of data, Sentinel flags it as suspicious, allowing your SOC teams to investigate and respond quickly.

OpenCTI is like a library and research lab for cyber threat intelligence. It collects, organizes, and presents information about cyber threats, such as known malware, attack techniques, and the groups behind them. By structuring this data into visualized reports, OpenCTI makes it easier for security teams to understand who might target them and how. For instance, it can display connections between a malware variant and its typical targets, helping organizations prepare for specific risks.

SocGholish Malware Overview in OpenCTI

Benefits of integration

Enhanced Threat Detection with Actionable Intelligence:

Integrating OpenCTI with Sentinel improves its ability to detect relevant, high-priority threats. OpenCTI provides up-to-date IOCs such as suspicious IP addresses, domains and file hashes. For example, if OpenCTI learns of a new phishing domain used by attackers, that indicator is pushed to Sentinel as soon as it is created, so Sentinel can match it against DNS, proxy and firewall logs and, through automation rules and playbooks, block it before the attack reaches your systems.

Streamlined Incident Investigation by Enriching Alerts with CTI Context:

When Sentinel raises an alert, it often lacks context, which makes it harder for analysts to decide how serious the threat is. With intelligence from OpenCTI, each alert is enriched with useful detail, such as the adversary the indicator is attributed to and the tactics and tools that adversary commonly uses. For instance, an alert about unusual login activity could include information from OpenCTI that links the observed indicator to a known threat actor, giving analysts a clearer picture and saving them time.

Proactive Defense Against Emerging Threats:

The integration allows organizations to stay ahead of attackers by updating defenses from the latest threat intelligence rather than waiting for an incident. OpenCTI aggregates intelligence from its configured connectors and feeds and pushes the resulting indicators to Sentinel, which incorporates them into its detection rules as they arrive. For example, if OpenCTI receives indicators for a new ransomware campaign spreading across industries, Sentinel can immediately match them in its detection and response mechanisms, helping organizations defend themselves before the threat becomes widespread.

2. Integration Options: Live Streams or STIX/TAXII Feeds?

OpenCTI supports multiple integration options to connect with external platforms like Microsoft Sentinel. You can either poll OpenCTI for updates over STIX/TAXII using Sentinel's TAXII data connector, or use OpenCTI Live Streams, which push changes over Server-Sent Events (SSE) as they happen.

Live streams are usually the recommended option: updates are delivered in real time instead of on a polling interval, deletions and revocations are propagated so stale indicators are removed from Sentinel, and the stream can resolve the objects an indicator depends on instead of leaving the consumer to fetch them. For more information about OpenCTI's integration capabilities, please refer to the OpenCTI documentation.

STIX/TAXII integration through Sentinel workbooks

OpenCTI live streams using Sentinel’s tiIndicators API


In this article, we will focus exclusively on OpenCTI live streams using Sentinel’s tiIndicators API.

3. Step-by-Step Integration Process

Set up Microsoft Azure and Sentinel

Create an Azure App Registration

  • Register a new app by navigating to Microsoft Entra ID -> App registrations -> New registration.
  • Once the registration is completed, note the Application (client) ID and Directory (tenant) ID; the connector needs both.
  • Under the newly registered application, go to API permissions -> Add a permission -> Microsoft Graph -> Application permissions, and add "ThreatIndicators.ReadWrite.OwnedBy". This lets the connector create, update and delete threat indicators through the Graph API. Choose the Application permission, not the Delegated one: the connector authenticates as the app itself (client credentials) with no signed-in user. Your Entra Privileged Role Administrator (or Global Administrator) must then grant admin consent for the tenant.
  • Keep the scope at "OwnedBy". It limits the app to indicators it created itself, which is all the connector needs, and it keeps a compromised connector secret from touching indicators fed by other sources.

Create an App Registration Secret

Under Microsoft Entra ID, navigate to App registrations -> select the app -> Certificates & secrets -> New client secret. Copy the generated secret value immediately; it is shown only once. Treat it like a password: choose the shortest expiry your rotation process can sustain, store it in a secrets manager or a root-only environment file rather than in a Compose file that ends up in version control, and record the expiry date so the connector does not silently stop pushing indicators when the secret lapses.

Grant Permissions in MS Sentinel

In Sentinel, head over to Content hub and install the Threat Intelligence solution. Then go to Data connectors and enable the Threat Intelligence Platforms connector, which receives the indicators the OpenCTI connector pushes through the tiIndicators API and writes them to the workspace's threat intelligence table. That concludes the setup for Sentinel.

Configure OpenCTI

Create a Live Stream in the OpenCTI GUI

  • From OpenCTI, go to Data -> Data sharing -> Live streams, and click the + icon at the bottom right.
  • Give the stream a name and description, and click Create.
  • Add a filter so the stream only emits Indicator entities: the connector only handles indicators, and filtering keeps the event stream small.
  • Restrict the stream to the connector's user instead of leaving it public, so that only that account can read it.
  • Copy the generated stream ID for later.

Update your Docker stack

You are now ready to update your Docker stack and add the sentinel-intel stream connector to OpenCTI. In this article, we use Docker Compose.

Here is an example of a sentinel-intel connector configuration. For the full list of settings, and to confirm which API the connector version you deploy targets, refer to the OpenCTI Sentinel-Intel GitHub documentation.

OpenCTI Sentinel-Intel Connector Config in Docker-Compose.yml
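As an added example, which is neither the screenshot from the original article nor the project's canonical file, here is a Docker Compose service definition for the connector. The variable names follow the connector's README for the Graph tiIndicators version as I recall them; confirm them against the README of the version you deploy, since releases that target the Upload Indicators API add or rename variables. The image tag, the `opencti` service hostname and the `sentinel-intel.env` file name are assumptions for this example. The two secrets (OPENCTI_TOKEN and CLIENT_SECRET) are deliberately kept out of the Compose file and read from the env file instead.

```yaml
services:
  connector-sentinel-intel:
    # Pin the connector to the same version as your OpenCTI platform (assumed tag).
    image: opencti/connector-sentinel-intel:6.4.0
    restart: always
    # Holds OPENCTI_TOKEN=<connector user's API token> and CLIENT_SECRET=<app secret>.
    # chmod 600 and keep it out of version control; the file name is an assumption.
    env_file:
      - ./sentinel-intel.env
    environment:
      # OpenCTI side: platform URL as seen from inside the Compose network (assumed service name).
      - OPENCTI_URL=http://opencti:8080
      - CONNECTOR_ID=ChangeMe                        # any stable UUID, unique per connector
      - CONNECTOR_NAME=Sentinel Intel
      - CONNECTOR_SCOPE=sentinel
      - CONNECTOR_LOG_LEVEL=info
      - CONNECTOR_LIVE_STREAM_ID=ChangeMe            # ID copied from Data > Data sharing > Live streams
      - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true     # propagate deletions so stale IOCs leave Sentinel
      - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true   # indicators only; related objects are not needed
      # Microsoft side (values from the app registration created above).
      - TENANT_ID=ChangeMe                           # Directory (tenant) ID
      - CLIENT_ID=ChangeMe                           # Application (client) ID
      - LOGIN_URL=https://login.microsoft.com
      - BASE_URL=https://graph.microsoft.com
      - RESOURCE_PATH=/beta/security/tiIndicators
      - EXPIRE_TIME=30                               # days until Sentinel expires an indicator (per README)
      - ACTION=alert                                 # alert keeps a human in the loop; block is also possible
      - TLP_LEVEL=amber                              # TLP marking applied to indicators in Sentinel
      - PASSIVE_ONLY=false
      - TARGET_PRODUCT=Azure Sentinel
```

Two choices here matter for operations: `CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true` means that revoking or deleting an indicator in OpenCTI removes it from Sentinel, which is what keeps false positives from lingering after an analyst retires an IOC; and `ACTION=alert` rather than `block` means a bad indicator in a feed produces an incident to review, not an outage.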

You can now apply the changes to your Docker stack and confirm that the sentinel-intel connector is running: its logs should show a successful connection to the live stream and a token obtained from Microsoft, and the connector should appear as active under Data -> Ingestion -> Connectors in OpenCTI. Create a dedicated OpenCTI user for this connector (its API token is the connector's OPENCTI_TOKEN) in the Connector group and nothing more; do not reuse an administrator's token, so that the connector's actions stay auditable and its access can be revoked on its own.

OpenCTI Sentinel-Intel Connector

3.1 Verify

OpenCTI IOCs are now replicated to the configured Sentinel workspace (Threat Management -> Threat Intelligence) and available for use with KQL queries.

OpenCTI-originated IOCs in Microsoft Sentinel

The following example returns DNS events that match high-confidence threat intelligence indicators within the last 7 days, along with the domain name, description, threat type, source, confidence score, and the client or computer that made the lookup. It reads the ThreatIntelligenceIndicator table, which is where the Threat Intelligence Platforms connector writes pushed IOCs, and joins it to DnsEvents.

KQL Query Example using IOCs
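The query the article describes, written out as an added example (my own, not the screenshot from the original). It selects domain indicators from ThreatIntelligenceIndicator that are active, unexpired and above a confidence threshold, keeps only the latest version of each indicator, and joins them to DNS lookups from the last 7 days. The 80-point confidence threshold, the 30-day indicator lookback and the use of DnsEvents (populated by the DNS connector) are assumptions; adjust them to your sources. If your workspace has moved to the newer ThreatIntelIndicators table, the column names differ and the first half needs adapting.

```kql
let dns_lookback = 7d;
let ioc_lookback = 30d;     // indicators are ingested once and stay valid; look further back than the events
let min_confidence = 80;    // assumed threshold; OpenCTI confidence maps to ConfidenceScore (0-100)
let domain_iocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where isnotempty(DomainName)
    // every update to an indicator is a new row; keep only the latest state of each
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where ConfidenceScore >= min_confidence
    | project IoC = tolower(DomainName), DomainName, Description, ThreatType, SourceSystem, ConfidenceScore;
DnsEvents
| where TimeGenerated >= ago(dns_lookback)
| where SubType == "LookupQuery"
| extend IoC = tolower(Name)
| join kind=inner domain_iocs on IoC
| project TimeGenerated, DomainName, Description, ThreatType, SourceSystem, ConfidenceScore, ClientIP, Computer
| order by TimeGenerated desc
```

Running this ad hoc is the verification step; the production equivalent is the built-in "TI map Domain entity to DnsEvents" analytic rule template, which applies the same deduplication and active/expiry checks and creates incidents automatically. Note the order of operations: the arg_max runs before the Active filter so that an indicator revoked in OpenCTI (whose latest row has Active == false) drops out rather than matching on an older row.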

4. Conclusion

Integrating Microsoft Sentinel with OpenCTI is not just a technical enhancement—it's a strategic move in strengthening your organization's cybersecurity posture. By combining Sentinel's robust detection and response capabilities with OpenCTI's enriched threat intelligence, security teams gain a clearer view of the threat landscape, enabling faster and more informed decisions. This partnership transforms raw alerts into actionable insights, helping teams not only respond to incidents but anticipate and prevent them.
