Cyjax Threat Intelligence Platform: Complete Solution for IOC Ingestion and Investigation

What Changed

New complete Microsoft Sentinel solution for Cyjax threat intelligence platform integration, delivering automated IOC ingestion and interactive threat hunting capabilities.

Data Source

Cyjax API v2 provides comprehensive threat intelligence including:

IOCs (IPs, domains, URLs, file hashes, emails, hostnames)
Data breach credential monitoring
Domain monitoring alerts
Enrichment data (GeoIP, ASN, sightings)

Ingestion Mechanism

Function App-based data connector with:

STIX 2.1 format IOC ingestion to ThreatIntelligenceIndicator table
Configurable IOC type filtering and search queries
Optional enrichment with GeoIP and ASN data
Incremental fetching with checkpoint management
Scheduled collection (default: every 10 minutes)

Detection Surface Unlocked

Automated Threat Intelligence:

Continuous IOC ingestion from Cyjax feeds
Threat indicator correlation with security events
Enhanced IOC context through enrichment data

Interactive Investigation Capabilities:

Ad hoc IOC enrichment via workbook interface
Data breach credential monitoring for email addresses
Domain monitoring for suspicious registrations
Automated incident enrichment with Cyjax threat context

Playbook Automation

Five Logic Apps provide comprehensive investigation workflows:

CyjaxIncidentEnrichment: Auto-enriches incident entities with threat intelligence
CyjaxAddCommentToIncident: Sub-playbook for formatted threat data injection
CyjaxAdHocEnrichment: On-demand IOC lookup from workbook
CyjaxDataBreaches: Email credential breach investigation
CyjaxDomainMonitor: Domain threat monitoring queries

Security Impact

Addresses threat intelligence blind spots by:

Providing continuous IOC feed integration beyond basic indicators
Enabling proactive credential breach monitoring
Supporting ad hoc investigation of suspicious entities
Automating threat context enrichment in incident response workflows

All components integrate via Azure Key Vault for secure API credential management.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/CyjaxAdHocEnrichment_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CyjaxDataBreaches_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CyjaxDomainMonitor_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CyjaxThreatIndicator.json
Logos/Cyjax.svg
Sample Data/Custom/CyjaxAdHocEnrichment_CL.csv
Sample Data/Custom/CyjaxDataBreaches_CL.csv
Sample Data/Custom/CyjaxDomainMonitor_CL.csv
Sample Data/Custom/CyjaxThreatIndicator.csv
Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/__init__.py
Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/cyjax_ioc_helper.py
Solutions/Cyjax/Data Connectors/CyjaxIOCIngestion/function.json
Solutions/Cyjax/Data Connectors/CyjaxIOC_API_FunctionApp.json
Solutions/Cyjax/Data Connectors/README.md
Solutions/Cyjax/Data Connectors/SharedCode/__init__.py
Solutions/Cyjax/Data Connectors/SharedCode/consts.py
Solutions/Cyjax/Data Connectors/SharedCode/cyjax_client.py
Solutions/Cyjax/Data Connectors/SharedCode/cyjax_to_stix_mapping.py
Solutions/Cyjax/Data Connectors/SharedCode/exceptions.py
Solutions/Cyjax/Data Connectors/SharedCode/logger.py
Solutions/Cyjax/Data Connectors/SharedCode/sentinel.py
Solutions/Cyjax/Data Connectors/SharedCode/state_manager.py
Solutions/Cyjax/Data Connectors/azuredeploy_Connector_CyjaxIOC_AzureFunction.json
Solutions/Cyjax/Data Connectors/host.json
Solutions/Cyjax/Data Connectors/requirements.txt
Solutions/Cyjax/Package/testParameters.json
Solutions/Cyjax/Parsers/CyjaxCorrelate.yaml
Solutions/Cyjax/Parsers/CyjaxThreatIndicator.yaml
Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/CyjaxAdHocEnrichment.png
Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/README.md
Solutions/Cyjax/Playbooks/CyjaxAdHocEnrichment/azuredeploy.json
Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/CyjaxAddCommentToIncident.png
Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/README.md
Solutions/Cyjax/Playbooks/CyjaxAddCommentToIncident/azuredeploy.json
Solutions/Cyjax/Playbooks/CyjaxDataBreaches/CyjaxDataBreaches.png
Solutions/Cyjax/Playbooks/CyjaxDataBreaches/README.md
Solutions/Cyjax/Playbooks/CyjaxDataBreaches/azuredeploy.json
Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/CyjaxDomainMonitor.png
Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/README.md
Solutions/Cyjax/Playbooks/CyjaxDomainMonitor/azuredeploy.json
Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/CyjaxIncidentEnrichment.png
Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/README.md
Solutions/Cyjax/Playbooks/CyjaxIncidentEnrichment/azuredeploy.json
Solutions/Cyjax/Workbooks/Cyjax.json
Workbooks/Images/Logos/Cyjax.svg
Workbooks/Images/Preview/CyjaxBlack1.png
Workbooks/Images/Preview/CyjaxBlack2.png
Workbooks/Images/Preview/CyjaxBlack3.png
Workbooks/Images/Preview/CyjaxBlack4.png
Workbooks/Images/Preview/CyjaxBlack5.png
Workbooks/Images/Preview/CyjaxWhite1.png
Workbooks/Images/Preview/CyjaxWhite2.png
Workbooks/Images/Preview/CyjaxWhite3.png
Workbooks/Images/Preview/CyjaxWhite4.png
Workbooks/Images/Preview/CyjaxWhite5.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, CyjaxIOC.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Cyjax.json, createUiDefinition.json, mainTemplate.json)

What Changed#

Data Source#

Ingestion Mechanism#

Detection Surface Unlocked#

Playbook Automation#

Security Impact#

Affected Files#