Anyone managed to get IoCs ( threat indicators ) from Sentinel to Defender for endpoint

Question

Currently I have some scripts running on a cron job that import IoCs to defender for endpoint indicator list ( this allows blocking on the endpoints) . We have recently setup a Sentinel instance and it’s pretty easy to add threat intel to Sentinel via a myriad of connectors. What I would like to do is get rid of my scripts - have all the threat intel I need flow into Sentinel via the connectors and then send what I need to defender for blocking . Considering these are both MS and Cloud platforms I would have thought this would be easy but I just can’t find any info around this .

Has anyone managed to do this ?

Answer 1

I agree, it does seem like MDE and Sentinel import and integration of IOCs should be easier.

MDE has a 15k limit and uses indicators for limited custom blocking, auditing, and allow lists. MDE also uses Microsoft's threat intelligence natively, reducing the need for custom indicators. Unfortunately, Sentinel and MDE use different IOC import APIs and UI for manual additions.

I recommend feeding IOCs to MDE with a 30-90 day duration along with any persistent blocks to stay under the 15k limit. Then send the same IOCs to Sentinel for longer term tracking. Sentinel has no specific limit on indicators.

Sentinel can also use TAXII which is convenient when that is an option. Though both often require a custom logic app or function for indicator ingestion. Also, Sentinel requires "TI Map" analytic rules to scan for IOCs vs. MDE that will respond automatically. There are some samples in the Sentinel GitHub that can be helpful when creating an IOC import.