Outgoing feed - Microsoft Defender for Endpoint API#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.


Specifications

Transport type

Microsoft Defender for Endpoint

Content type

Microsoft Defender for Endpoint JSON model

Published data

Indicators Of Compromise (IOCs) with Maliciousness

Calculating Expiration time#

The intelligence objects on the feed will have an Expiration time calculated based on their half-life:

Expiration time = Estimated start time + Half-life

For example, if the Estimated start time is March 1 and the half-life is 30 days, the Expiration time will be set as March 31.

Configure the Outgoing feed#

TLP v1 only

This Outgoing feed supports TLP v1 only. Any TLP v2 values assigned to intelligence objects included in the feed will be converted to v1 values (i.e., CLEAR becomes WHITE and AMBER+STRICT becomes RED).

  1. Create or edit an Outgoing feed.

  2. From the Transport type drop-down menu, select Microsoft Defender for Endpoint.

  3. From the Content type drop-down menu, select Microsoft Defender for Endpoint JSON model.

  4. Under Transport configuration, enter your Microsoft Defender Client ID, Client Secret, and Tenant ID.

    The API URL field is automatically filled in with the default domain for the endpoint, i.e.: https://api.securitycenter.microsoft.com.

    You can replace it with a proxy or set up ports according to your needs.

  5. Under Content configuration, select the Action that IOCs on this Outgoing feed should trigger in Microsoft defender.

  6. (Optional) Specify additional Recommended Actions or RBAC Group Names to be applied to the IOCs, and check the Generate Alert box to generate an alert in addition to the action set in the previous step.

    Checking Generate Alert is required if you selected the Audit action.

  7. Set a Schedule for the Outgoing feed to operate on.

  8. (Optional) Set any required advanced options.

  9. To store your changes, select Save.

    If you want the Outgoing feed to run right away, select the dropdown arrow next to Save and then select Save and run.