Anyone managed to get IoCs (threat indicators) from Sentinel to Defender for Endpoint?

Nicholas Giannoulis 20 Reputation points
2024-08-12T07:21:48.0933333+00:00

Currently I have some scripts running on a cron job that import IoCs to the Defender for Endpoint indicator list (this allows blocking on the endpoints). We have recently set up a Sentinel instance and it's pretty easy to add threat intel to Sentinel via a myriad of connectors. What I would like to do is get rid of my scripts: have all the threat intel I need flow into Sentinel via the connectors and then send what I need to Defender for blocking. Considering these are both MS and cloud platforms, I would have thought this would be easy, but I just can't find any info around this.

Has anyone managed to do this?


Accepted answer
Andrew Blumhardt 9,856 Reputation points Microsoft Employee
2024-08-12T11:20:18.7533333+00:00

I agree, it does seem like MDE and Sentinel import and integration of IOCs should be easier.

MDE has a 15k limit and uses indicators for limited custom blocking, auditing, and allow lists. MDE also uses Microsoft's threat intelligence natively, reducing the need for custom indicators. Unfortunately, Sentinel and MDE use different IOC import APIs and UIs for manual additions.

I recommend feeding IOCs to MDE with a 30-90 day duration along with any persistent blocks to stay under the 15k limit. Then send the same IOCs to Sentinel for longer term tracking. Sentinel has no specific limit on indicators.

Sentinel can also use TAXII, which is convenient when that is an option, though both often require a custom logic app or function for indicator ingestion. Also, Sentinel requires "TI Map" analytic rules to scan for IOCs, vs. MDE, which will respond automatically. There are some samples in the Sentinel GitHub that can be helpful when creating an IOC import.

1 person found this answer helpful.
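A sketch of the conversion step such a logic app or function would need, added here as an example and not code from the question, the answer, or Microsoft: it turns STIX indicators in the shape Sentinel's threat intelligence uses into request bodies for the MDE indicators API, applying the 90-day expiry and the 15k cap the answer mentions. The sample feed, the `persistent` flag and the constants are constructed for the illustration, and the actual POST to https://api.securitycenter.microsoft.com/api/indicators is left out so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed constants (not from the post): MDE's indicator cap and the upper
# end of the 30-90 day duration the answer recommends.
MDE_INDICATOR_LIMIT = 15000
MDE_DEFAULT_DAYS = 90

# STIX pattern keys (how Sentinel stores TI) -> MDE indicatorType values.
STIX_TO_MDE_TYPE = {"ipv4-addr:value": "IpAddress", "domain-name:value": "DomainName",
                    "url:value": "Url", "file:hashes.'SHA-256'": "FileSha256"}

def stix_pattern_to_mde(pattern):
    """Parse a single-term STIX pattern like "[ipv4-addr:value = '203.0.113.5']"
    into (indicatorType, value); None when MDE has no matching type."""
    key, _, raw = pattern.strip().strip("[]").partition("=")
    mde_type = STIX_TO_MDE_TYPE.get(key.strip())
    return (mde_type, raw.strip().strip("'")) if mde_type else None

def build_mde_indicators(stix_indicators, now, days=MDE_DEFAULT_DAYS,
                         action="Block", limit=MDE_INDICATOR_LIMIT):
    """Build request bodies for POST https://api.securitycenter.microsoft.com/api/indicators.
    Entries flagged `persistent` (a constructed field) get no expiry; the rest
    expire after `days`. Stops at `limit` so a big feed cannot exceed the 15k cap."""
    bodies = []
    for ind in stix_indicators:
        parsed = stix_pattern_to_mde(ind["pattern"])
        if parsed is None:
            continue  # e.g. email-addr, which MDE indicators do not cover
        mde_type, value = parsed
        body = {"indicatorValue": value, "indicatorType": mde_type, "action": action,
                "title": ind.get("name", "Sentinel TI indicator"), "severity": "High",
                "description": "Imported from Sentinel threat intelligence"}
        if not ind.get("persistent"):
            body["expirationTime"] = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
        bodies.append(body)
        if len(bodies) >= limit:
            break
    return bodies

# Constructed sample feed in the STIX indicator shape Sentinel uses.
SAMPLE = [
    {"pattern": "[ipv4-addr:value = '203.0.113.5']", "name": "C2 (sample)"},
    {"pattern": "[domain-name:value = 'bad.example']", "name": "Phish (sample)", "persistent": True},
    {"pattern": "[email-addr:value = 'a@example.net']", "name": "No MDE type"},
]
NOW = datetime(2024, 8, 12, tzinfo=timezone.utc)
```

Running `build_mde_indicators(SAMPLE, NOW)` yields two bodies: the IP with a 2024-11-10 expiry and the persistent domain without one; the email address is skipped because MDE has no indicator type for it.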
