Hello,
Your choice of APIs is correct for working with Azure Sentinel Threat Intelligence indicators and Microsoft Defender for Endpoint.
- To create or update indicators in Azure Sentinel, use the following API:
- To fetch the data of Azure Sentinel indicators, use the following API:
- To create or update indicators in Microsoft Defender for Endpoint, use the following API:
Here's a high-level workflow for your task:
- Call the "List Threat Intelligence Indicators" API to fetch the indicators from Azure Sentinel.
- Iterate through the fetched indicators, and for each indicator, perform the following steps:
  a. Call the "Create or Update Threat Intelligence Indicator" API to create or update the indicator in Azure Sentinel, if needed.
  b. Call the "Create or update TI indicator" API to create or update the indicator in Microsoft Defender for Endpoint.
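The fetch-iterate-push loop described above, as an added example that is not part of the original answer: it assumes the Sentinel "List Threat Intelligence Indicators" response shape (`value[].properties.pattern`, `patternType`, `confidence`, `validUntil`) and the Defender for Endpoint indicator body fields (`indicatorValue`, `indicatorType`, `action`, `title`, `description`, `severity`, `expirationTime`) as those APIs document them; the STIX-path-to-`indicatorType` table, the severity thresholds and the sample indicator are my own constructions.

```python
import re

# Constructed sample: one indicator in the shape the Sentinel list API returns
# (only the properties this example reads are included).
SAMPLE_SENTINEL_INDICATOR = {
    "name": "00000000-0000-0000-0000-000000000001",
    "kind": "indicator",
    "properties": {
        "pattern": "[ipv4-addr:value = '192.0.2.10']",
        "patternType": "ipv4-addr",
        "displayName": "Constructed test indicator",
        "description": "Sample C2 address from a constructed test feed",
        "confidence": 80,
        "validUntil": "2030-01-01T00:00:00Z",
    },
}

# STIX object:property paths seen in Sentinel patterns -> MDE indicatorType (assumed mapping).
STIX_TO_MDE_TYPE = {
    "ipv4-addr:value": "IpAddress", "ipv6-addr:value": "IpAddress",
    "domain-name:value": "DomainName", "url:value": "Url",
    "file:hashes.'SHA-256'": "FileSha256", "file:hashes.'SHA-1'": "FileSha1",
    "file:hashes.MD5": "FileMd5",
}
# Matches a single-comparison pattern such as [ipv4-addr:value = '192.0.2.10'].
_PATTERN_RE = re.compile(r"^\[\s*([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'\s*\]$")

def parse_stix_pattern(pattern):
    """Return (stix_path, value) for a single-comparison STIX pattern, else None."""
    m = _PATTERN_RE.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else None

def sentinel_to_mde(indicator, action="Alert"):
    """Build the MDE 'Create or update TI indicator' body; None if the pattern is unsupported."""
    props = indicator.get("properties", {})
    parsed = parse_stix_pattern(props.get("pattern", ""))
    if parsed is None or parsed[0] not in STIX_TO_MDE_TYPE:
        return None  # multi-clause or unknown pattern: skip rather than guess
    path, value = parsed
    confidence = props.get("confidence") or 0
    severity = "High" if confidence >= 80 else "Medium" if confidence >= 50 else "Low"
    return {
        "indicatorValue": value, "indicatorType": STIX_TO_MDE_TYPE[path],
        "action": action,  # Alert-only by default: detect first, block after review
        "title": props.get("displayName") or indicator["name"],
        "description": props.get("description") or "Synced from Microsoft Sentinel",
        "severity": severity, "expirationTime": props.get("validUntil"),
    }

def sync_indicators(sentinel_page, post_to_mde):
    """Iterate one page of the Sentinel list response; post_to_mde(body) does the HTTP call
    (e.g. POST https://api.securitycenter.microsoft.com/api/indicators with a bearer token)."""
    pushed = 0
    for ind in sentinel_page.get("value", []):
        body = sentinel_to_mde(ind)
        if body is not None:
            post_to_mde(body)
            pushed += 1
    return pushed
```

Indicators whose pattern has more than one comparison are skipped rather than flattened, so the count returned by `sync_indicators` tells you how many were actually pushed versus listed.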