ELLIO for Microsoft Sentinel

Detect active exploitation & recon waves before they become Sentinel incidents.

Turn early signals into actionable detections in Microsoft Sentinel. Identify recon and exploitation waves with context-rich, behavior-driven IP intelligence.

Built for Microsoft Sentinel workflows.


Not just another threat intel feed.
Not just static indicators.

Refine analytics rules, accelerate investigations, and distinguish real threats from benign activity.

Detect emerging exploitation waves

Prioritize actively targeted vulnerabilities. Patch based on active exploitation campaigns, not on CVSS.

Suppress noise from non-exploited threats

Reduce incident and alert volume by filtering non-exploited activity. Suppress irrelevant IOC-based signals using real-time behavioral context.

Detect early-stage threats as they happen

Detect network scanning, exploit payload delivery, brute-force campaigns, and emerging attack patterns as they unfold, not after compromise.

Stop repeat attacks behind rotating IP infrastructure

Correlate distributed recon and exploitation activity across changing IP addresses to detect persistent attacker campaigns, not just individual sources. Block behavior patterns instead of chasing single IPs.

Bring ELLIO into Sentinel workflows, where needed.

ELLIO enriches Sentinel through native ingestion pipelines:
- Threat Intelligence Indicators (TI feeds)
- Analytics rule enrichment
- Incident context augmentation
- Hunting query support
- Workbook visualization inputs

Separate what needs action from what doesn’t.

Enrich Sentinel signals with threat intelligence and behavioral context to distinguish real threats from benign activity.

High-risk exploitation traffic

IP connections linked to active mass exploitation campaigns targeting vulnerable services.

Reconnaissance & vulnerability scanning activity

Promiscuous internet scanners probing exposed assets for known weaknesses.

Suspicious authentication behavior

Login attempts originating from infrastructure associated with active reconnaissance and exploitation activity.

Financial fraud indicators

Transactions correlated with known malicious infrastructure or high-risk behavioral patterns.

Remote code execution attempts

Activity associated with exploit attempts targeting application or system-level vulnerabilities.

Botnet-driven activity

Traffic originating from opportunistic botnets used for scanning, exploitation, or secondary payload delivery.

Automated credential spraying campaigns

Large-scale “spray-and-pray” authentication attempts across multiple targets.

MITRE ATT&CK mapping context

Enrichment of security events with MITRE ATT&CK techniques and adversary behavior mapping.

Know IP behavior and threat level in Microsoft Sentinel.

210.187.49.191    malicious
src (object)
  geo.country          🇲🇾 Malaysia (MY)
  geo.continent        Asia (AS)
dst.geo (array[21])
  countries            🇦🇺 AU, 🇫🇷 FR, 🇸🇬 SG, 🇦🇪 AE, 🇭🇰 HK, 🇨🇿 CZ, 🇩🇪 DE, 🇸🇪 SE, 🇯🇵 JP, 🇬🇧 GB, 🇰🇷 KR, 🇺🇸 US, 🇮🇳 IN, 🇮🇪 IE, 🇮🇩 ID, 🇦🇹 AT, 🇬🇷 GR, 🇳🇿 NZ, 🇮🇱 IL, 🇵🇱 PL, 🇱🇻 LV
network (object)
  ports                22, 23, 80, 443, 2222, 2375
  spoofable_ports      23
  non_spoofable_ports  22, 80, 443, 2222, 2375
  spoofable            false
fingerprints (object)
  ja4                  t13i170900_5b57614c22b0_78e6aca7449b
  ja3                  7041540a5e44ce9a1d4200c4214355aa
  muonfp               65535:::42340:2-4-8-1-3:1460:11
http (object)
  path                 //V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh, +5 more
  user_agent           Go-http-client/1.1, NTRIP NtripClient/1.0, Hello-world
tag (array[8])
  PHPUnit RCE Detector, ThinkPHP RCE Detector, Docker API Scanner, Apache Path Traversal, Laravel Detector, Targets GCP, Targets AWS, Fast Scanner (i.e. Masscan / ZMap)
mitre_attack (object)
  tactics              Reconnaissance, Initial Access
  techniques           T1595.002 - Vulnerability Scanning, T1190 - Exploit Public-Facing Application, T1592.002 - Gather Victim Software Info
cve (array[5])
  CVE-2017-9841, CVE-2018-20062, CVE-2022-47945, CVE-2021-41773, CVE-2021-42013
ssh.auth (array[8])
  root:root, root:123456, root:admin, admin:admin, admin:1234, ubuntu:ubuntu, pi:raspberry, oracle:oracle
first_seen / last_seen (string)
  first_seen           2025-12-20
  last_seen            2025-12-31
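How a record like the one above can be consumed once it sits in a Sentinel table, as an added example (not ELLIO's or Microsoft's own code): the KQL below loads two constructed records into an inline datatable, the malicious IP from the record above and the Shodan-tagged recon source from the comparison further down, and derives a triage decision from the fields. The JSON field names mirror the displayed record; that ELLIO delivers exactly this shape as JSON, and the `Enrichment` table name, are assumptions.

```kql
// Constructed sample data: two ELLIO-style enrichment records. Field names follow the
// record displayed on this page; the raw JSON layout is an assumption, not a documented schema.
let Enrichment = datatable(ip: string, verdict: string, ellio: dynamic) [
    "210.187.49.191", "malicious", dynamic({
        "network": { "ports": [22, 23, 80, 443, 2222, 2375], "spoofable": false },
        "tag": ["PHPUnit RCE Detector", "ThinkPHP RCE Detector", "Docker API Scanner",
                "Apache Path Traversal", "Laravel Detector", "Targets GCP", "Targets AWS",
                "Fast Scanner (i.e. Masscan / ZMap)"],
        "mitre_attack": { "tactics": ["Reconnaissance", "Initial Access"],
                          "techniques": ["T1595.002", "T1190", "T1592.002"] },
        "cve": ["CVE-2017-9841", "CVE-2018-20062", "CVE-2022-47945", "CVE-2021-41773", "CVE-2021-42013"],
        "first_seen": "2025-12-20", "last_seen": "2025-12-31"
    }),
    // Constructed recon-only record for the Shodan scanner IP used in the comparison below.
    "192.0.2.91", "suspicious", dynamic({
        "network": { "ports": [80, 443], "spoofable": false },
        "tag": ["Shodan Scanner"],
        "mitre_attack": { "tactics": ["Reconnaissance"], "techniques": ["T1595.002"] },
        "cve": [],
        "first_seen": "2025-12-01", "last_seen": "2025-12-31"
    })
];
Enrichment
| extend Tactics   = ellio.mitre_attack.tactics,
         Cves      = ellio.cve,
         Tags      = ellio.tag,
         Ports     = ellio.network.ports,
         Spoofable = tobool(ellio.network.spoofable)
// Exploitation infrastructure: an Initial Access tactic or attributed CVEs.
// Recon-only: the sole tactic is Reconnaissance (scanner noise per this page).
| extend IsExploitation = set_has_element(Tactics, "Initial Access") or array_length(Cves) > 0,
         IsReconOnly    = array_length(Tactics) == 1 and set_has_element(Tactics, "Reconnaissance")
| extend Triage = case(
        IsExploitation and not(Spoofable), "Escalate: active exploitation infrastructure",
        IsExploitation and Spoofable,      "Escalate, but do not block on source IP alone: traffic may be spoofed",
        IsReconOnly,                       "Suppress from incident queue: scanner noise, keep for hunting",
                                           "Review manually"),
         Severity = case(IsExploitation, "High", IsReconOnly, "Informational", "Medium")
| project ip, verdict, Severity, Triage,
          CveList    = strcat_array(Cves, ", "),
          TagList    = strcat_array(Tags, ", "),
          PortList   = strcat_array(Ports, ","),
          // Inclusive number of days the source has been observed.
          ActiveDays = datetime_diff("day", todatetime(ellio.last_seen), todatetime(ellio.first_seen)) + 1
```

The query runs in a Log Analytics workspace or Azure Data Explorer query window without any ingested data because the datatable is inline. The decision logic is the page's own distinction: Initial Access tactics or attributed CVEs mark exploitation infrastructure and are escalated, a lone Reconnaissance tactic marks scanner noise and is kept out of the incident queue, and the `spoofable` flag is the caveat on whether the source IP is reliable enough to act on by itself.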

Improve signal quality across all Sentinel workflows.

Analytics Rule Enrichment: increase detection confidence in KQL rules

Improve signal quality in Analytics Rules by enriching detections with real attacker and exploitation context.

Incident Prioritization: prioritize real threats over alert noise

Enrich Sentinel Incidents with mass exploitation and reconnaissance intelligence so analysts can triage faster and escalate accurately.

Entity Context Enrichment: speed up entity investigation decisions

Enable faster analyst decisions by turning Sentinel entities into enriched, behavior-aware threat signals.

SOAR Decision Intelligence: automate response with higher trust

Feed Logic Apps playbooks with real-time threat context to automate blocking, suppression, escalation, and response actions.

Try ELLIO in Microsoft Sentinel via TAXII 2.1

Connect ELLIO threat intelligence feed via TAXII 2.1 and see how mass exploitation and reconnaissance data enriches your Sentinel detections and investigations in real time.

Yes. Your environment is constantly scanned.
No. You don’t need every scan in your incident queue.

Reduce Sentinel noise by filtering out constant scanning activity, AI/ML scraping tools, and benign research crawlers.
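One way to turn the analytics-rule, incident-prioritization and SOAR workflows above, together with the noise filtering just described, into a single scheduled analytics rule. This is an added example, not an ELLIO or Microsoft rule template. Assumptions: the ELLIO feed is connected through the TAXII 2.1 connector and lands in `ThreatIntelligenceIndicator` with the STIX labels exposed in `Tags`; the tag vocabulary follows the records shown on this page (`... RCE Detector`, `Apache Path Traversal`, `Shodan Scanner`, `BinaryEdge`); sign-in telemetry is in `SigninLogs`, where `ResultType` "0" is a successful sign-in.

```kql
// Added example: match Entra ID sign-ins against ELLIO indicators and keep only what needs action.
// Assumed: TAXII-delivered indicators sit in ThreatIntelligenceIndicator with STIX labels in Tags.
let lookback = 14d;
// Tag terms taken from the enrichment records shown on this page; extend them to the vocabulary
// you actually see in Tags after connecting the feed.
let ExploitTerms = dynamic(["RCE", "Traversal"]);
let ReconTerms   = dynamic(["Scanner", "Shodan", "BinaryEdge", "Crawler"]);
let Indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where Active == true and ExpirationDateTime > now()
    | extend TI_IP = iff(isnotempty(NetworkIP), NetworkIP, NetworkSourceIP)
    | where isnotempty(TI_IP)
    // Keep the latest version of each indicator; feeds re-publish indicators with updated tags.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TagText = tostring(Tags)
    | extend IsExploitation = TagText has_any (ExploitTerms),
             IsRecon        = TagText has_any (ReconTerms)
    | project TI_IP, IndicatorId, ConfidenceScore, ThreatType, Description, TagText, IsExploitation, IsRecon;
SigninLogs
| where TimeGenerated >= ago(1d)
| where isnotempty(IPAddress)
| join kind=inner Indicators on $left.IPAddress == $right.TI_IP
| summarize Attempts  = count(),
            Successes = countif(ResultType == "0"),
            Users     = make_set(UserPrincipalName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by IPAddress, IndicatorId, ConfidenceScore, TagText, IsExploitation, IsRecon
// Noise suppression: a recon-only source that never authenticated successfully stays visible in
// hunting queries and workbooks but does not become an incident.
| where not(IsRecon and not(IsExploitation) and Successes == 0)
// Incident prioritization: a successful sign-in from listed infrastructure outranks everything else.
| extend Severity = case(Successes > 0,  "High",
                         IsExploitation, "Medium",
                                         "Low")
| project Severity, IPAddress, Attempts, Successes, Users, ConfidenceScore, TagText, FirstSeen, LastSeen
```

Configure it as a scheduled rule with the IP entity mapped to `IPAddress` and `Severity` surfaced as a custom detail, so a Logic Apps playbook can branch on it (block, suppress or escalate) instead of re-deriving the context. The same tag classification is what decides which indicators belong in the pre-SIEM blocklist described further down.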

Without ELLIO vs. With ELLIO

Incoming: 7,028 connections, for example:
  192.0.2.14     Exploitation   Log4Shell CVE-2021-44228
  198.51.100.33  Exploitation   PAN-OS GlobalProtect CVE-2024-3400
  203.0.113.22   Exploitation   regreSSHion CVE-2024-6387
  192.0.2.41     Exploitation   React2Shell CVE-2025-55182
  198.51.100.77  Exploitation   Ivanti Connect Secure CVE-2024-21887
  203.0.113.55   Exploitation   FortiOS Auth Bypass CVE-2024-55591
  192.0.2.91     Recon          Shodan Scanner
  198.51.100.12  Recon          BinaryEdge

ELLIO Blocklist (L3 firewall, IP layer): 0 blocked at L3, 0 unfiltered relevant events

Layer             | Without ELLIO                                  | With ELLIO
WAF (0 alerts)    | Known CVEs triggering WAF rules                | Targeted attempts only
NDR (0 alerts)    | Scan traffic generating false positives        | Real network events, no scan noise
XDR (0 alerts)    | Noise triggering correlation rules             | Real correlations only
SIEM (0 events)   | OVERLOADED                                     | NOMINAL
SOC               | Triaging 9,600+ events daily. Most are noise.  | 18 actionable alerts. Clear signal.

Strengthen the perimeter for cleaner Sentinel signals.

Integrate ELLIO Threat Intelligence as a pre-SIEM filtering layer (IP Blocking) in Azure Firewall to improve perimeter protection and reduce unnecessary noise before it reaches Microsoft Sentinel.

- Malicious IPs & Attack Infrastructure
- Mass Exploitation Attempts
- Automated Scanners, Bots & Reconnaissance
- Brute Force & Account Takeovers
- API Abuse & Endpoint Enumeration
- L7 DDoS Traffic Sources
- Cryptomining & Resource Hijacking
- Unwanted SaaS & Cloud Services

Enterprise or MSSP using Microsoft Sentinel?

Tell us how your SOC operates in Microsoft Sentinel. We’ll explore how ELLIO can support your detection and response workflows. Your needs are our starting point, not a limitation.