What Changed

Adds a Microsoft Sentinel solution that ingests Cyren threat intelligence indicators through a Logic App playbook. The playbook supports two feeds (IP reputation and malware URLs) from Cyren's CCF API, formats each record as a STIX indicator, and pushes it into the Sentinel Threat Intelligence platform without manual steps.

Data Source

Cyren threat intelligence feeds provide two distinct data categories:

  • IP Reputation feed: Malicious IP addresses with risk scoring
  • Malware URL feed: Known malicious URLs and domains

The playbook polls Cyren's CCF API (api-feeds.cyren.com) every 6 hours, authenticating with a JWT bearer token. Polling is incremental: the pagination token returned by the feed is persisted between runs and the next run resumes from it, so each run fetches only records added since the previous one.

Ingestion Mechanism

Logic App-based connector that:

  • Fetches NDJSON-formatted indicators from Cyren feeds
  • Transforms data into STIX 2.1 indicator format
  • Pushes indicators to Sentinel via the createIndicator API
  • Uses managed identity authentication for workspace access
  • Implements confidence mapping from Cyren risk scores

The playbook's managed identity needs the Microsoft Sentinel Contributor role, scoped to the target workspace. Before pushing, the workflow drops records whose identifier (IP or URL) is null and records older than 2 days, so stale indicators are not re-ingested on every run.
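The transform steps listed above (NDJSON parsing, the null identifier guard, the 2-day freshness filter, risk-to-confidence mapping and STIX 2.1 formatting) as an added Python example. This is not the playbook's own logic, which lives in the Logic App workflow definition. The Cyren field names `ip`, `url`, `risk_score` and `last_seen`, the clamp-to-0-100 confidence mapping, the UUID namespace and the sample feed lines are all assumptions, since the page does not document the feed schema or the exact mapping. It goes slightly beyond the page by also accepting IPv6 addresses and rejecting values that are not parseable IPs.

```python
"""NDJSON feed -> STIX 2.1 indicators (added example, not the solution's code). Assumed Cyren field names: ip, url, risk_score, last_seen."""
import ipaddress
import json
import uuid
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(days=2)   # the page states a 2-day freshness window
SOURCE = "Cyren"
# Fixed namespace (assumed) so the same pattern always gets the same id:
# a re-run then updates an existing indicator instead of duplicating it.
ID_NAMESPACE = uuid.UUID("c4a0a7e2-3b1f-4d7e-9a6b-1c2d3e4f5a6b")
STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"

def parse_timestamp(raw):
    """ISO 8601 (with 'Z') or epoch seconds -> aware UTC datetime, else None."""
    if raw is None:
        return None
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    try:
        ts = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def risk_to_confidence(risk):
    """Assumed mapping: treat the risk score as 0-100 and clamp into range."""
    try:
        return max(0, min(100, int(risk)))
    except (TypeError, ValueError):   # missing or non-numeric score
        return None

def build_pattern(feed, value):
    """STIX pattern for one record; None when an IP value is not parseable."""
    if feed == "ip_reputation":
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            return None
        kind = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
        return f"[{kind}:value = '{addr}']"
    if feed == "malware_urls":
        # backslash and single quote must be escaped inside a STIX string literal
        escaped = value.strip().replace("\\", "\\\\").replace("'", "\\'")
        return f"[url:value = '{escaped}']"
    raise ValueError(f"unknown feed {feed!r}")

def to_stix_indicator(record, feed, now):
    """One NDJSON record -> STIX 2.1 Indicator dict, or None if it is dropped."""
    value = record.get("ip") if feed == "ip_reputation" else record.get("url")
    if not value:                                     # null identifier guard
        return None
    seen = parse_timestamp(record.get("last_seen"))
    if seen is None or now - seen > FRESHNESS:        # 2-day freshness filter
        return None
    pattern = build_pattern(feed, str(value))
    if pattern is None:
        return None
    ind = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(ID_NAMESPACE, pattern)}",
        "created": now.strftime(STIX_TS), "modified": now.strftime(STIX_TS),
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": seen.strftime(STIX_TS),
        "indicator_types": ["malicious-activity"],
        "labels": [SOURCE.lower(), feed],
    }
    confidence = risk_to_confidence(record.get("risk_score"))
    if confidence is not None:
        ind["confidence"] = confidence
    return ind

def transform_feed(ndjson, feed, now):
    """Parse an NDJSON body line by line; blank or malformed lines are skipped."""
    out = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        ind = to_stix_indicator(record, feed, now)
        if ind is not None:
            out.append(ind)
    return out

# Constructed sample feed bodies (not real Cyren data).
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
IP_FEED = "\n".join([
    '{"ip": "203.0.113.7", "risk_score": 90, "last_seen": "2024-05-03T06:00:00Z"}',
    '{"ip": "198.51.100.9", "risk_score": 75, "last_seen": "2024-04-20T00:00:00Z"}',  # stale
    '{"ip": null, "risk_score": 80, "last_seen": "2024-05-03T06:00:00Z"}',           # null id
    '{"ip": "2001:db8::1", "risk_score": 140, "last_seen": 1714737600}',              # v6, clamp
    '{"ip": "not-an-ip", "risk_score": 50, "last_seen": "2024-05-03T06:00:00Z"}',
    'not json at all',
])
URL_FEED = '{"url": "http://evil.example/it\'s/here", "risk_score": 60, "last_seen": "2024-05-02T23:00:00Z"}'
```

Calling `transform_feed(IP_FEED, "ip_reputation", NOW)` on the constructed body yields two indicators (the fresh IPv4 and the IPv6 record, the latter with its out-of-range score clamped to 100); the stale, null, malformed-IP and non-JSON lines are dropped. The deterministic `uuid5` id is a design choice worth copying into a real playbook: if a run re-pushes a record it has seen before, the Sentinel API treats it as an update to the same indicator rather than creating a duplicate.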

Detection Surface Unlocked

Enables correlation of network activity against Cyren threat intelligence:

  • IP-based detections: Outbound connections, authentication events, and network flows against malicious IP indicators
  • URL-based detections: Web proxy logs, DNS queries, and email security events against malicious URL indicators
  • STIX pattern matching: indicators land in the ThreatIntelligenceIndicator table, so existing TI-based analytics rules that join against that table pick them up without changes
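The correlation described in the three bullets above, as an added Python example rather than anything shipped with the solution. In Sentinel this is a KQL join of the log tables against ThreatIntelligenceIndicator; the same logic is written out here over constructed events so each normalisation and filtering step is visible. The indicator column names (NetworkIP, Url, DomainName, ConfidenceScore, Active, ExpirationDateTime, IndicatorId) follow the ThreatIntelligenceIndicator table; the event field names, the sample rows and the sample events are assumptions.

```python
"""Indicator matching over sample events (added example, not the solution's code).
In Sentinel this is a KQL join against ThreatIntelligenceIndicator; the same
logic is written out here so each normalisation step is explicit."""
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def canonical_url(url):
    """Lower-case scheme and host, drop a default port and any trailing slash."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port and p.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path.rstrip("/") or "/", p.query, ""))

def norm_host(name):
    """Case-fold and strip the trailing dot of a DNS name."""
    return name.strip().lower().rstrip(".")

class IndicatorIndex:
    """Lookup tables keyed the way TI analytics rules join: NetworkIP, Url, DomainName.
    Column names follow the ThreatIntelligenceIndicator table."""

    def __init__(self, rows, now):
        self.by_ip, self.by_url, self.by_domain, self.by_url_host = {}, {}, {}, {}
        for r in rows:
            # Same filter the KQL uses: Active == true and not yet expired.
            if not r.get("Active", True):
                continue
            exp = r.get("ExpirationDateTime")
            if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
                continue
            if r.get("NetworkIP"):
                self.by_ip[r["NetworkIP"].strip()] = r
            if r.get("Url"):
                self.by_url[canonical_url(r["Url"])] = r
                # Host part of a URL indicator: weaker evidence, so kept apart.
                self.by_url_host.setdefault(norm_host(urlsplit(r["Url"]).hostname or ""), r)
            if r.get("DomainName"):
                self.by_domain[norm_host(r["DomainName"])] = r

def match_events(events, index):
    """Return (event id, matched field, IndicatorId, ConfidenceScore, match kind) tuples."""
    hits = []
    for ev in events:
        if ev["type"] == "flow":                      # network flows: either endpoint
            for field in ("SrcIp", "DstIp"):
                row = index.by_ip.get(ev.get(field, ""))
                if row:
                    hits.append((ev["id"], field, row["IndicatorId"], row["ConfidenceScore"], "ip"))
        elif ev["type"] == "proxy":                   # web proxy: full URL, then domain
            row, kind = index.by_url.get(canonical_url(ev["Url"])), "url"
            if row is None:
                row, kind = index.by_domain.get(norm_host(urlsplit(ev["Url"]).hostname or "")), "domain"
            if row:
                hits.append((ev["id"], "Url", row["IndicatorId"], row["ConfidenceScore"], kind))
        elif ev["type"] == "dns":                     # DNS: domain, then host of a URL indicator
            q = norm_host(ev["Query"])
            row, kind = index.by_domain.get(q), "domain"
            if row is None:
                row, kind = index.by_url_host.get(q), "url-host"
            if row:
                hits.append((ev["id"], "Query", row["IndicatorId"], row["ConfidenceScore"], kind))
    return hits

# Constructed indicator rows and events (not real data). Event field names are assumed.
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
INDICATORS = [
    {"IndicatorId": "ind-1", "NetworkIP": "203.0.113.7", "ConfidenceScore": 90,
     "Active": True, "ExpirationDateTime": "2024-05-10T00:00:00Z"},
    {"IndicatorId": "ind-2", "NetworkIP": "198.51.100.9", "ConfidenceScore": 75,
     "Active": True, "ExpirationDateTime": "2024-05-01T00:00:00Z"},            # expired
    {"IndicatorId": "ind-3", "Url": "HTTP://Evil.Example:80/payload.bin/", "ConfidenceScore": 60,
     "Active": True, "ExpirationDateTime": "2024-05-10T00:00:00Z"},
    {"IndicatorId": "ind-4", "DomainName": "bad.example.", "ConfidenceScore": 50,
     "Active": False, "ExpirationDateTime": "2024-05-10T00:00:00Z"},           # inactive
]
EVENTS = [
    {"id": 1, "type": "flow", "SrcIp": "10.0.0.5", "DstIp": "203.0.113.7"},
    {"id": 2, "type": "flow", "SrcIp": "10.0.0.6", "DstIp": "198.51.100.9"},
    {"id": 3, "type": "proxy", "Url": "http://evil.example/payload.bin"},
    {"id": 4, "type": "dns", "Query": "EVIL.EXAMPLE"},
    {"id": 5, "type": "dns", "Query": "bad.example"},
]

if __name__ == "__main__":
    for hit in match_events(EVENTS, IndicatorIndex(INDICATORS, NOW)):
        print(hit)
```

Two points carry over to the KQL version: filter on `Active` and `ExpirationDateTime` before joining, otherwise the expired IP in event 2 would still fire; and treat a DNS query that only matches the host part of a URL indicator (event 4) as weaker evidence than an exact URL or domain match, since the page's URL feed is keyed on full URLs and a shared host is not itself an indicator.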

Deployment Architecture

ARM template deploys:

  • Logic App workflow with 6-hour recurrence
  • Storage Account that persists the feed pagination token between runs
  • Role assignment granting the Logic App's managed identity the Microsoft Sentinel Contributor role
  • Configurable feed selection (ip_reputation or malware_urls)

Affected Files

Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/CyrenToDefenderTI_Playbook.json
Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/Images/content-hub-installed.png
Solutions/Cyren-Defender-ThreatIntelligence/Playbooks/Images/playbook-template-visible.png
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenDefenderTI.json, createUiDefinition.json, mainTemplate.json)