Microsoft Defender Export Integration

This guide explains how to configure the Microsoft Defender for Endpoint export connector in Maltiverse. The integration pushes threat intelligence indicators (IoCs) from your Maltiverse feeds directly into Microsoft Defender, enabling automated blocking and alerting across your endpoints.

Integration Overview

The Microsoft Defender export connector periodically synchronises Maltiverse feed indicators with your Microsoft Defender for Endpoint tenant. It supports IPs, hostnames (domains), URLs, and file hashes (MD5, SHA-1, SHA-256).

IoC Rotation Strategy

The connector uses a continuous rotation strategy to keep Defender in sync with your Maltiverse feeds:

  • Expiration: Every indicator is uploaded with a 24-hour TTL (time to live).
  • Schedule: The connector runs every hour (fixed, not configurable).
  • First run: Uploads ALL indicators from the selected feeds.
  • Subsequent runs: Only uploads indicators modified in the last hour.
  • Automatic cleanup: Indicators removed from a Maltiverse feed are simply not re-uploaded and expire automatically in Defender after 24 hours.
  • Editing a connection (e.g. changing feeds): Resets the execution state, so the next run is treated as a first run and uploads all indicators.

This strategy ensures Microsoft Defender always mirrors the current state of your feeds without manual intervention or stale indicators accumulating.
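The rotation rules above can be hard to reason about when a feed is changing while runs are in flight. The following is an added example (not Maltiverse's own connector code) that models the rules as stated: a first run uploads everything, later runs upload only what was modified since the previous run, every upload sets a 24-hour expiration in Defender, editing the connection resets the state, and an indicator dropped from a feed is simply never re-uploaded. The timeline, indicator values and the toy `DefenderStore` are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed connector parameters described on the page.
TTL = timedelta(hours=24)
SCHEDULE = timedelta(hours=1)


@dataclass
class Indicator:
    value: str
    modified: datetime              # last modification time in Maltiverse


@dataclass
class ConnectionState:
    last_run: Optional[datetime] = None   # None means "the next run is a first run"


def select_for_upload(feed, state, now):
    """Return the indicators a run uploads and advance the execution state.

    First run (no recorded last run): every indicator in the feed.
    Subsequent runs: only indicators modified since the previous run.
    """
    if state.last_run is None:
        chosen = list(feed)
    else:
        chosen = [i for i in feed if i.modified > state.last_run]
    state.last_run = now
    return chosen


def reset_state(state):
    """Editing feeds, credentials, action or severity resets the execution state."""
    state.last_run = None


class DefenderStore:
    """Toy model of the tenant's custom indicators: value -> expiration time."""

    def __init__(self):
        self.expires = {}

    def upload(self, indicators, now):
        # Each upload (re)sets the indicator's expiration to now + 24 h.
        for ind in indicators:
            self.expires[ind.value] = now + TTL

    def active(self, now):
        return sorted(v for v, exp in self.expires.items() if exp > now)


def walkthrough():
    """Constructed timeline: hourly runs against a feed that gains and loses indicators."""
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    earlier = t0 - timedelta(days=3)
    state, store, log = ConnectionState(), DefenderStore(), {}

    feed = [Indicator("198.51.100.7", earlier), Indicator("bad.example", earlier)]
    up = select_for_upload(feed, state, t0)           # first run: uploads everything
    store.upload(up, t0)
    log["run0_uploaded"] = len(up)

    t1 = t0 + SCHEDULE
    up = select_for_upload(feed, state, t1)           # nothing changed: the delta is empty
    store.upload(up, t1)
    log["run1_uploaded"] = len(up)

    t2 = t1 + SCHEDULE
    feed.append(Indicator("http://evil.example/x", t1 + timedelta(minutes=30)))
    up = select_for_upload(feed, state, t2)           # only the newly modified indicator
    store.upload(up, t2)
    log["run2_uploaded"] = [i.value for i in up]

    t3 = t2 + SCHEDULE
    feed = [i for i in feed if i.value != "bad.example"]   # removed from the Maltiverse feed
    up = select_for_upload(feed, state, t3)
    store.upload(up, t3)
    log["run3_uploaded"] = len(up)
    log["removed_still_active_at_t3"] = "bad.example" in store.active(t3)
    log["removed_active_after_ttl"] = "bad.example" in store.active(t0 + TTL + timedelta(minutes=1))

    reset_state(state)                                # the user edited the connection
    t4 = t3 + SCHEDULE
    up = select_for_upload(feed, state, t4)           # treated as a first run again
    log["run4_uploaded"] = len(up)
    return log


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Note the consequence of the passive cleanup: an indicator removed from a feed stays active in Defender until the 24-hour TTL set by its last upload runs out, which is why the page says removal takes up to a day rather than happening immediately.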

Prerequisites

To successfully complete the integration you need an Azure AD (Entra ID) application with the correct API permissions.

Azure AD App Registration

Follow the steps below to create the new app registration and add the required permission.

1. Go to Azure Portal > App registrations > New registration. When the form opens up, enter a name (e.g. 'Maltiverse Defender Export'), select Accounts in this organizational directory only, and click Register.

2. Once the App Registration is created, go to its Overview page and copy the Application (client) ID and Directory (tenant) ID. Keep them at hand; they will be needed later to activate the integration in the Maltiverse Portal.

3. Now go to Certificates & secrets > Client secrets > New client secret. Give the secret a description and choose an expiration period. As soon as the secret is created, copy and save its Value: it will not be shown again, and it is needed to activate the integration in the Maltiverse Portal.

4. Go to API permissions > Add a permission > APIs my organization uses. Search for WindowsDefenderATP. Select Application permissions, then check Ti.ReadWrite.All and click Add permissions to finish.

5. While on the API permissions page, click Grant admin consent for [your tenant].

Alert: A Global Administrator must approve this permission.
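Before entering the credentials in the Maltiverse Portal, it is worth confirming that the app registration really obtains a token carrying the Ti.ReadWrite.All application permission: a token without that role will be rejected by the Defender API even though authentication itself succeeds, and the usual cause is that admin consent (step 5) was never granted. The script below is an added example and not part of the Maltiverse connector. It uses Microsoft's documented client-credentials endpoint and the Defender for Endpoint API resource scope; the `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` environment variable names and the `make_unsigned_jwt` test helper are assumptions for this example.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Microsoft Entra ID client-credentials flow (v2.0 endpoint). The "/.default" scope on the
# Defender for Endpoint API resource asks for all application permissions (roles) that an
# administrator has consented to on the app registration.
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"
REQUIRED_ROLE = "Ti.ReadWrite.All"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }
    return url, urllib.parse.urlencode(form).encode()


def fetch_token(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT without verifying its signature.

    Good enough for inspecting which roles Entra ID placed in a token you just received;
    it is not a substitute for signature validation when *accepting* tokens from others.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=(REQUIRED_ROLE,)):
    """Roles the connector needs that the token does not carry (empty list = all present)."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return [role for role in required if role not in granted]


def make_unsigned_jwt(claims):
    """Build a JWT-shaped string (header.payload.signature) for offline tests."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    token = fetch_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                        os.environ["CLIENT_SECRET"])
    missing = missing_roles(token)
    print("missing roles:", ", ".join(missing) if missing else "none, admin consent is in place")
```

If `missing roles` lists Ti.ReadWrite.All, revisit step 4 (the permission must be an Application permission, not Delegated) and step 5 (Grant admin consent), then request a fresh token; consent changes are not reflected in tokens issued earlier.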

Configure the Integration in the Maltiverse Portal

To configure the integration, log in to the Maltiverse Portal, navigate to Threat Intel > Integrations > Microsoft Defender and click Add Defender. Fill in the integration form as follows:

  • Connection Name (required): A descriptive name for this connection (3-120 characters).
  • Description (optional): A free-text description (3-500 characters). Shown as a tooltip in the connections table.
  • Connection Status (toggle): Enables or disables the connector. Disabled connectors do not run on schedule.
  • Azure Tenant ID (required): The Directory (tenant) ID from your Azure AD app registration.
  • Client ID (required): The Application (client) ID from your Azure AD app registration.
  • Client Secret (required): The client secret value you created. Displayed as a password field for security.
  • API Base URL (optional): Defaults to https://api.security.microsoft.com. Change it only if your tenant uses a different regional endpoint (e.g. GCC or DoD environments).
  • Action (required): The response action Defender takes when an indicator matches. Options: Alert, AlertAndBlock (default), Block, Allow.
  • Severity (required): The severity assigned to alerts. Options: Auto (based on classification), High, Medium, Low, Informational. 'Auto' maps the Maltiverse classification to Defender severity automatically.
  • Feeds to Export (required): Select one or more Maltiverse feeds whose indicators will be exported to Defender.

Before saving a new integration, the form requires you to test it. Click Test Connection (enabled only when all required fields are filled). The test authenticates against Azure AD using the provided credentials.

  • Success (green): Credentials are valid. The Save button appears. The system also queries your Defender tenant to show real-time capacity information.
  • Error (yellow): Authentication failed. Review your Tenant ID, Client ID, and Client Secret. You can still save the connection and test again later.

Important considerations

When working with Microsoft Defender for Endpoint, take the following information into account.

EDR-Recommended Feeds

When creating a new integration, feeds tagged as EDR-compatible are automatically pre-selected as recommended defaults. These feeds contain indicator types (IPs, domains, URLs, file hashes) that are most relevant for endpoint detection and response. An informational banner is displayed above the feed selector explaining this pre-selection. You can freely add or remove feeds as needed.

Defender Capacity Indicator

Microsoft Defender for Endpoint has a hard limit of 15,000 active custom indicators per tenant. The connector provides real-time capacity monitoring to help you stay within safe operational limits.

How Capacity Is Calculated

When you create or edit a connection, the system queries the Microsoft Defender API to determine how many indicators are already in use in your tenant. This provides the real remaining capacity:

Available capacity = 15,000 (tenant limit) - indicators already in Defender.

The capacity bar shows: selected feed IoC count / available capacity.

  • For new connections, the live capacity is queried automatically after a successful Test Connection.
  • For existing connections, the live capacity is queried automatically when the edit form loads.
  • If the live query fails or has not been performed yet, the system falls back to an estimate using the full 15,000 limit. The label shows live when real Defender data is available, or estimate when using the fallback.

Capacity Thresholds

The capacity bar uses color-coded thresholds to indicate capacity levels:

  • Green (below 50%): Safe range. Plenty of capacity available.
  • Yellow (50%-89%): Approaching the limit. Consider reviewing feed selection.
  • Red (90% or above): Critical. Saving is blocked at this level.

Save Protection

If the selected feeds would consume 90% or more of the available Defender capacity, the Save button is automatically disabled. This prevents you from creating configurations that could saturate your Defender tenant. You must remove feeds until the capacity drops below 90% to proceed.
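The capacity calculation, the live/estimate fallback, the colour thresholds and the 90% save block are simple enough to express as one function, which makes it easy to check how a given set of feeds will be judged before touching the portal. This is an added example, not the portal's own code. The feed names and IoC counts are constructed; the `feeds_to_drop` helper (a greedy "remove the largest feeds first" suggestion) is an addition of this example and not a portal feature.

```python
from dataclasses import dataclass
from typing import Optional

TENANT_LIMIT = 15_000          # hard limit of active custom indicators per tenant
SAVE_BLOCK_PERCENT = 90        # saving is blocked at or above this usage


@dataclass
class Capacity:
    available: int       # slots the selected feeds may use
    selected: int        # IoCs across the selected feeds
    percent: float       # selected / available, in percent
    color: str           # green / yellow / red
    save_allowed: bool
    source: str          # "live" (Defender was queried) or "estimate" (fallback)


def capacity_color(percent):
    if percent < 50:
        return "green"
    if percent < SAVE_BLOCK_PERCENT:
        return "yellow"
    return "red"


def compute_capacity(selected_feed_counts, indicators_in_defender=None):
    """selected_feed_counts: {feed name: IoC count} for the selected feeds.
    indicators_in_defender: count from the live Defender query, or None when the query
    failed or has not run yet (the portal then estimates against the full 15,000)."""
    if indicators_in_defender is None:
        available, source = TENANT_LIMIT, "estimate"
    else:
        available, source = max(TENANT_LIMIT - indicators_in_defender, 0), "live"
    selected = sum(selected_feed_counts.values())
    percent = 100.0 if available == 0 else 100.0 * selected / available
    return Capacity(available, selected, round(percent, 1), capacity_color(percent),
                    percent < SAVE_BLOCK_PERCENT, source)


def feeds_to_drop(selected_feed_counts, indicators_in_defender=None):
    """Feeds (largest first) that would have to be removed before the Save button unlocks."""
    remaining = dict(selected_feed_counts)
    dropped = []
    for name, _count in sorted(selected_feed_counts.items(), key=lambda kv: -kv[1]):
        if compute_capacity(remaining, indicators_in_defender).save_allowed:
            break
        del remaining[name]
        dropped.append(name)
    return dropped


# Constructed feed selection used by the usage example and the checks.
SAMPLE_FEEDS = {"malicious-ip": 4230, "c2-domains": 3100, "phishing-urls": 2900}

if __name__ == "__main__":
    print("estimate:", compute_capacity(SAMPLE_FEEDS))
    print("live, 6,000 already in Defender:", compute_capacity(SAMPLE_FEEDS, 6000))
    print("would need to drop:", feeds_to_drop(SAMPLE_FEEDS, 6000))
```

The same feed selection can be "yellow, saveable" in estimate mode and "red, blocked" once the live query reveals that other applications already occupy part of the tenant's 15,000 slots, which is exactly why the page recommends completing Test Connection before judging capacity.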

Why Saturating Defender Is Not Recommended

An informational alert is always displayed in the capacity section explaining that it is not recommended to saturate Microsoft Defender with indicators up to its maximum capacity. The reasons include:

  • Other security applications and third-party integrations may also use the Defender indicator space.
  • Consuming all available slots could prevent these integrations from functioning correctly.
  • Microsoft Defender may throttle or reject indicator imports when approaching the limit, leading to incomplete coverage.
  • Leaving headroom allows for quick manual additions of critical indicators during incident response without having to first remove existing ones.
  • A smaller, curated set of high-quality indicators is more effective than saturating the system with a large volume of lower-quality data.

IoC Count Per Feed

Each selected feed chip displays the IoC count next to its name (e.g. '4,230 IoCs'). This count includes all indicator types: IPv4 addresses, hostnames, URLs, and file samples. This helps you quickly identify which feeds contribute most to the total and make informed decisions about which feeds to include.

Managing Connections

The Manage Connections table displays all configured Microsoft Defender connections with the following columns.

  • Connection Name: The name of the connection. Hover to see the description in a tooltip.
  • Action: The Defender response action (Alert, AlertAndBlock, Block, Allow).
  • Severity: The severity level or 'Auto' if not explicitly set.
  • Feeds to Export: The names of the selected feeds, shown as tags. Hover over truncated text to see the full list.
  • Status: Enabled/Disabled toggle and the last execution result. Hover over the status message to see the full details in a tooltip. Status colors: green (Online) = last execution succeeded, red (Unreachable) = last execution failed, yellow (Pending) = awaiting first execution, gray (Disabled) = connector is disabled.
  • Actions: Edit, Run, and Delete buttons for managing the connection.

Running a Connection

Click the play button in the Actions column to trigger an immediate export. The status message will update to show the result, including how many indicators were found and exported per feed (shown by feed name).

Editing a Connection

Click the edit button to modify a connection. When you save changes that affect the configuration (feeds, credentials, action, severity), the execution state is automatically reset. This means the next run will perform a full upload of all indicators from the selected feeds, rather than just the hourly delta. Changes to name or description only do not trigger a reset.

Deleting a Connection

Click the delete button to remove a connection. This stops future scheduled exports. Note that indicators already uploaded to Defender will expire naturally after their 24-hour TTL.

Indicator Mapping

Maltiverse indicators are mapped to Defender indicator types as follows:

  • IPv4 address: IpAddress
  • Hostname / Domain: DomainName
  • URL: Url
  • Sample (MD5): FileMd5
  • Sample (SHA-1): FileSha1
  • Sample (SHA-256): FileSha256

Severity Mapping

When Severity is set to 'Auto (based on classification)', the connector maps the Maltiverse classification to a Defender severity:

  • malicious: High
  • suspicious: Medium
  • neutral / whitelisted: Informational

Microsoft Defender API Limits

Microsoft Defender for Endpoint imposes the following limits on custom threat intelligence indicators:

  • Maximum active indicators: 15,000 per tenant (across all sources and applications).
  • Import batch size: Up to 500 indicators per API request. The connector uses batches of 100 for reliability.
  • Import rate limit: 30 requests per minute.
  • List rate limit: 100 requests per minute.
  • Indicator expiration: Hardcoded to 24 hours by the connector. Defender deletes expired indicators automatically.
  • Maltiverse safe threshold: 90% of available capacity. The connector blocks saving configurations that would reach or exceed this threshold.

The 15,000 indicator limit is shared across all sources. If other applications or manual entries are also using indicator slots, the actual available capacity for Maltiverse will be lower. The connector queries the real usage from the Defender API to provide accurate capacity information.

How Capacity Is Queried

The connector uses the Defender List Indicators API (GET /api/indicators) with OData pagination ($top=10000, $skip) to count all active custom indicators in the tenant. This API does not support a direct $count parameter, so the connector paginates through all results. The query typically completes in 1-2 API calls for tenants with up to 15,000 indicators.
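Because the List Indicators API offers no `$count`, the only way to learn how many slots are in use is to page through the collection. The loop below is an added example (not the connector's code) of that pagination: it requests `$top=10000` pages with an increasing `$skip`, stops at the first page that comes back shorter than `$top`, and caps the number of pages so a misbehaving endpoint cannot loop forever. `defender_page_fetcher` issues the real `GET /api/indicators` requests and is not exercised offline; `fake_tenant` is a constructed stand-in used for the checks, and the 50-page cap is an assumption of this example.

```python
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 10_000   # the $top value the connector uses


def count_active_indicators(fetch_page, top=PAGE_SIZE, max_pages=50):
    """Count every custom indicator in the tenant by walking $top/$skip pages.

    fetch_page(top, skip) returns the 'value' array of one OData page. A page shorter
    than `top` (including an empty one) is the last page.
    """
    total, skip = 0, 0
    for _ in range(max_pages):
        page = fetch_page(top, skip)
        total += len(page)
        if len(page) < top:
            return total
        skip += top
    raise RuntimeError("indicator listing did not terminate within max_pages")


def defender_page_fetcher(base_url, access_token):
    """Real fetcher for GET {base_url}/api/indicators (needs a valid bearer token)."""
    def fetch_page(top, skip):
        query = urllib.parse.urlencode({"$top": top, "$skip": skip})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/indicators?{query}",
            headers={"Authorization": f"Bearer {access_token}"},
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("value", [])
    return fetch_page


def fake_tenant(n_indicators):
    """Constructed stand-in for a tenant holding n indicators; records every call made."""
    calls = []

    def fetch_page(top, skip):
        calls.append((top, skip))
        return [{"id": str(i)} for i in range(skip, min(skip + top, n_indicators))]

    return fetch_page, calls


if __name__ == "__main__":
    fetch, calls = fake_tenant(12_500)
    print("active indicators:", count_active_indicators(fetch), "in", len(calls), "API calls")
```

A tenant at exactly 10,000 indicators still costs two calls (one full page, then an empty one), which is why the page describes the query as "typically 1-2 API calls" for tenants within the 15,000 limit; against the list rate limit of 100 requests per minute that is negligible.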

Troubleshooting

  • Test Connection fails: Verify the Tenant ID, Client ID, and Client Secret are correct. Ensure the app registration has Ti.ReadWrite.All permission with admin consent granted. Check that the Client Secret has not expired.
  • 0 indicators exported: For subsequent (hourly) runs, the connector only uploads indicators modified in the last hour. If no indicators changed, the count will be 0. This is normal. If it happens on the very first run, check that the selected feeds contain indicators.
  • Status shows 'Feed not found' error: The feed ID in the configuration no longer exists. Edit the connection and re-select your feeds.
  • Save button is disabled (capacity): Your selected feeds would consume 90% or more of the available Defender capacity. Remove some feeds or use feeds with fewer indicators until the capacity drops below 90%.
  • Capacity shows '(estimate)' instead of '(live)': The real-time capacity query has not been performed or failed. For new connections, complete the Test Connection step first. For existing connections, check that the saved credentials are still valid.
  • Indicators not appearing in Defender: Check that the connection is Enabled. Verify that the scheduled task has run (check the Status column). Ensure the Azure AD app has the correct permissions. Note that some indicator types (e.g. SHA-512) are not supported by Defender and will be skipped.
  • Stale indicators in Defender: Indicators have a 24-hour TTL. If a feed removes an indicator, it will stop being re-uploaded and expire within 24 hours. No manual cleanup is needed.
  • Partial export (some feeds succeed, some fail): The status message now includes both successes and failures. Check the tooltip on the Status column for the full message. Common causes include feeds that have been deleted or Defender API rate limits.

Frequently Asked Questions

Q: Can I change the schedule?
A: No. The schedule is fixed at every hour to ensure consistent IoC rotation with the 24-hour expiration. This combination guarantees that Defender always reflects the current state of your feeds.

Q: Can I change the expiration time?
A: No. The expiration is hardcoded to 1 day (24 hours). This is by design — it ensures that indicators removed from feeds are automatically cleaned up in Defender without manual intervention.

Q: What happens if I add a new feed to an existing connection?
A: When you save the connection, the execution state is reset. The next scheduled run will perform a full upload of all indicators from all selected feeds (including the new one).

Q: Does the connector delete indicators from Defender?
A: No. The connector only creates indicators. Removal happens passively through TTL expiration. When an indicator is no longer in the feed, it stops being re-uploaded and expires after 24 hours.

Q: What API Base URL should I use?
A: For most commercial tenants, use the default (https://api.security.microsoft.com). For GCC, GCC High, or DoD environments, use the appropriate regional endpoint provided by Microsoft.

Q: How are EDR-recommended feeds selected?
A: Feeds that have the 'package:edr' tag in Maltiverse are automatically pre-selected when creating a new connection. These feeds are curated for endpoint detection use cases. You can modify the selection at any time.

Q: Why is the Save button disabled?
A: The Save button is disabled when: (a) required fields are missing or invalid, or (b) the selected feeds would consume 90% or more of the available Defender capacity. For capacity issues, remove feeds until the usage drops below 90%.

Q: Why does capacity show different numbers for 'live' vs 'estimate'?
A: The 'estimate' mode uses the full 15,000 limit and only considers your selected feed IoC counts. The 'live' mode queries Microsoft Defender to see how many indicators are already in use (from all sources), and shows the actual remaining capacity. The live number is always more accurate because it accounts for indicators from other applications.

Q: What happens if other applications also upload indicators?
A: The 15,000 indicator limit is shared across all applications and manual entries in your Defender tenant. The connector's live capacity check accounts for this by querying the total number of active indicators regardless of source. This is why it is important not to saturate the indicator space.

