Microsoft Sentinel Blog

Introducing Threat Intelligence Ingestion Rules

Sreedhar_Ande (Microsoft)
Feb 14, 2025

Boost Your Threat Intel Game with Microsoft Sentinel’s New Curation at Scale

Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested into Microsoft Sentinel. You can now set custom conditions and actions on Indicators of Compromise (IoCs), Threat Actors, Attack Patterns, Identities, and their Relationships.

Use cases include:

  • Filter out false positives: suppress IoCs from feeds known to generate frequent false positives, so that only relevant intel reaches your analysts.
  • Extend IoC validity periods: keep indicators from feeds that need longer lifespans active for longer.
  • Tag TI objects: apply tags that match your organization's terminology and workflows.

Get Started Today with Ingestion Rules

To create a new ingestion rule, navigate to “Intel Management” and click “Ingestion rules”.

With the new Ingestion rules feature, you have the power to modify or remove indicators even before they are integrated into Sentinel. These rules allow you to act on indicators currently in the ingestion pipeline.


Note: it can take up to 15 minutes for a rule to take effect.

Use Case #1: Delete IoCs with a low confidence score during ingestion

When ingesting IoCs from TAXII, the Upload API, or file upload, indicators are imported continuously. With pre-ingestion rules, you can filter out indicators that do not meet a certain confidence threshold. Specifically, you can set a rule to drop all indicators in the pipeline with a confidence score of 0, ensuring that only reliable data makes it through.

Ingestion rule to filter out indicators with confidence score of 0

Use Case #2: Extending IoC validity

The following rule can be created to automatically extend the expiration date for all indicators in the pipeline where the confidence score is greater than 75. This ensures that these high-value indicators remain active and usable for a longer duration, enhancing the overall effectiveness of threat detection and response.

Ingestion rule to extend indicators with confidence score greater than 75

Use Case #3: Bulk Tagging

Bulk tagging is an efficient way to manage and categorize large volumes of indicators based on their confidence scores. With pre-ingestion rules, you can set up a rule to tag all indicators in the pipeline where the confidence score is greater than 75. This automated tagging process helps in organizing indicators, making it easier to search, filter, and analyze them based on their tags. It streamlines the workflow and improves the overall management of indicators within Sentinel.

Ingestion rule to tag indicators with confidence score greater than 75
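The three use cases above are all conditions on the confidence score paired with an action (drop, extend, tag), applied to indicators in the pipeline in rule order. The following Python is an added simulation of that pipeline, not Sentinel's own code: the 30-day extension length, the tag name, the "drop ends evaluation" semantics and the three-indicator feed are all constructed assumptions; the 25-rule limit is the one the post states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Indicator:
    pattern: str           # STIX pattern, e.g. "[ipv4-addr:value = '...']"
    confidence: int        # 0-100, as on a STIX indicator object
    valid_until: datetime  # expiration that an "extend" action pushes out
    tags: list = field(default_factory=list)

def extend_days(days):  # use case 2; the 30-day length used below is an assumption
    def act(ind):
        ind.valid_until += timedelta(days=days)
        return ind
    return act

def add_tag(tag):  # use case 3
    def act(ind):
        if tag not in ind.tags:
            ind.tags.append(tag)
        return ind
    return act
# (name, condition, action) in the order the Reorder Rules view would list them.
# Assumed semantics: an action returning None drops the indicator and ends evaluation.
RULES = [
    ("drop zero confidence", lambda i: i.confidence == 0, lambda i: None),  # use case 1
    ("extend high confidence", lambda i: i.confidence > 75, extend_days(30)),
    ("tag high confidence", lambda i: i.confidence > 75, add_tag("high-confidence")),
]

def apply_rules(rules, indicators):
    if len(rules) > 25:  # per-workspace limit stated in the post
        raise ValueError("a workspace allows at most 25 ingestion rules")
    kept = []
    for ind in indicators:
        for _name, condition, action in rules:
            if condition(ind):
                ind = action(ind)
                if ind is None:
                    break
        if ind is not None:
            kept.append(ind)
    return kept

def run_sample():
    # Constructed feed: confidence 0, 50 and 90, all expiring 7 days after the post.
    base = datetime(2025, 2, 14, tzinfo=timezone.utc) + timedelta(days=7)
    feed = [Indicator("[ipv4-addr:value = '203.0.113.10']", 0, base),
            Indicator("[domain-name:value = 'example.invalid']", 50, base),
            Indicator("[url:value = 'http://example.invalid/x']", 90, base)]
    return apply_rules(RULES, feed)
```

Running the sample drops the confidence-0 indicator, leaves the confidence-50 one untouched, and both extends and tags the confidence-90 one; swapping the order of the last two rules changes nothing here, but placing a drop rule after a tag rule would mean the tag work is wasted, which is why rule order matters.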

Managing Ingestion rules

In addition to the specific use cases mentioned, managing ingestion rules gives you control over the entire ingestion process.

1. Reorder Rules

You can reorder rules to prioritize certain actions over others, ensuring that the most critical rules are applied first. This flexibility allows for a tailored approach to data ingestion, optimizing the system's performance and accuracy. 

Reorder rules to prioritize certain actions over others, ensuring that the most critical rules are applied first

2. Create From

Creating new ingestion rules from existing ones can save you a significant amount of time and offer the flexibility to incorporate additional logic or remove unnecessary elements. Effectively duplicating these rules ensures you can quickly adapt to new requirements, streamline operations, and maintain a high level of efficiency in managing your data ingestion process.

Creating new ingestion rules from existing ones

3. Delete Ingestion Rules

Over time, certain rules may become obsolete or redundant as your organizational needs and security strategies evolve. It's important to note that each workspace is limited to a maximum of 25 ingestion rules. Having a clean and relevant set of rules ensures that your data ingestion process remains streamlined and efficient, minimizing unnecessary processing and potential conflicts.

Deleting outdated or unnecessary rules allows for a more focused approach to threat detection and response. It reduces clutter, which can significantly enhance performance. By regularly reviewing and purging obsolete rules, you maintain a high level of operational efficiency and ensure that only the most critical and up-to-date rules are in place.

Delete Ingestion rule confirmation

Conclusion

By leveraging these pre-ingestion rules effectively, you can enhance the quality and reliability of the IoCs ingested into Sentinel, leading to more accurate threat detection and an improved security posture for your organization.

Updated Feb 14, 2025
Version 1.0
  • GaryBushey, Bronze Contributor

    Great feature but I have to ask, if a feed is known to generate a lot of false positives, why is Microsoft even including it?

    • Sebabulte, Copper Contributor

      Because this blog talks about ingesting your own TI sources which you control yourself, be that via TAXII or manual upload. Many companies like to integrate with free TI sources which are more prone to less qualitative IoCs, and this may help further control data ingestion.