This solution enables integration between Google Threat Intelligence (GTI) and Microsoft Defender for Endpoint (MDE) using Azure Functions.
It automates ingestion of threat intelligence indicators (IOCs) from GTI into Defender, allowing security teams to operationalize external intelligence and strengthen endpoint protection.
The integration performs the following:
- Retrieves threat intelligence data from GTI
- Transforms data into Microsoft Defender-compatible format
- Ingests indicators into Defender as custom indicators
- Runs on a scheduled basis using Azure Functions
This enables near real-time enrichment of Defender with global threat intelligence.
Key benefits:
- Automate ingestion of external threat intelligence into Defender
- Reduce manual IOC management
- Enhance endpoint detection with high-fidelity threat signals
- Improve SOC response time with continuously updated indicators
Before deployment, ensure you have:
- GTI API Key
- Azure Subscription
- Microsoft Defender for Endpoint (E5)
- Microsoft Defender Security Administrator access
- Microsoft Intune Admin access (optional)
You will need:
- Client ID
- Client Secret
- Tenant ID
- User Object ID
Steps to generate Client ID, Client Secret, and Tenant ID are covered in the App Registration section below.
Create and configure an application for authentication.
- Navigate to: Microsoft Entra Admin Center → Identity → Applications → App registrations
- Click New registration
- Choose Single tenant
- Leave Redirect URI blank
From the Overview page:
- Application (Client) ID → Client ID
- Directory (Tenant) ID → Tenant ID
- Go to: Certificates & secrets
- Click **New client secret**
- Copy the value immediately; it is not shown again after you leave the page
- Navigate to: API permissions → Add a permission
- Select: WindowsDefenderATP
- Add:
  - Ti.ReadWrite.All (Application)
  - Ti.ReadWrite (Delegated)
- Click Grant admin consent
- Navigate to: Microsoft Entra Admin Center → Users
- Select your user
- Copy the Object ID
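The app registration above is what the Function App authenticates with. The following is an added example (not code from this project) of the client-credentials token request it implies: the token is requested for the WindowsDefenderATP resource with the `/.default` scope, and the `roles` claim of the returned token is inspected so that a missing `Ti.ReadWrite.All` permission (or missing admin consent) is reported up front rather than as a 403 from the indicators API later. The tenant, client and secret values are placeholders and should be passed in from Function App settings; `transport` is an injection point so the flow can be exercised offline.

```python
"""Added example: app-only (client credentials) token for the Defender for Endpoint API.

Assumptions: tenant_id / client_id / client_secret are the values from the app
registration above (placeholders here, supplied from Function App settings in
practice); TOKEN_URL and MDE_SCOPE are the Entra v2.0 token endpoint and the
WindowsDefenderATP resource identifier.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# "/.default" requests every application permission granted (and admin-consented)
# on the app registration, i.e. Ti.ReadWrite.All from the steps above.
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
REQUIRED_ROLE = "Ti.ReadWrite.All"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth 2.0 client-credentials grant."""
    url = TOKEN_URL.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    return url, body


def parse_token_response(raw):
    """Extract (access_token, expires_in) or raise with Entra's error text."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(
            f"token request failed: {data.get('error')}: {data.get('error_description')}"
        )
    return data["access_token"], int(data.get("expires_in", 0))


def token_roles(access_token):
    """Read the 'roles' claim from the JWT payload.

    Inspection only (no signature check): the point is to notice before the
    first API call that admin consent was never granted, in which case the
    claim is simply absent and the returned set is empty.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def get_token(tenant_id, client_id, client_secret, transport=None):
    """Acquire a token and verify it carries the Ti.ReadWrite.All role.

    transport(url, body) -> bytes is injectable for offline use; the default
    posts the form to Entra with urllib.
    """
    url, body = build_token_request(tenant_id, client_id, client_secret)
    if transport is None:
        def transport(u, b):
            req = urllib.request.Request(
                u, data=b, headers={"Content-Type": "application/x-www-form-urlencoded"}
            )
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
    token, expires_in = parse_token_response(transport(url, body))
    if REQUIRED_ROLE not in token_roles(token):
        raise PermissionError(
            f"token lacks {REQUIRED_ROLE}; check API permissions and admin consent"
        )
    return token, expires_in


def unsigned_demo_token(roles):
    """Constructed, unsigned token for offline demonstration only (not an Entra token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64({'roles': roles})}.sig"


if __name__ == "__main__":
    # Offline run against a fake transport that returns a constructed token.
    fake = lambda u, b: json.dumps(
        {"access_token": unsigned_demo_token(["Ti.ReadWrite.All"]), "expires_in": 3599}
    )
    print(get_token("tenant-placeholder", "client-placeholder", "secret-placeholder", fake))
```

Store the client secret in Function App settings (or reference it from Key Vault) rather than in code; the token is short-lived, so cache it for its `expires_in` lifetime instead of requesting one per indicator batch.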
Click Deploy to Azure.
You have two deployment options based on the Azure function plan:
| Plan | Description |
|---|---|
| Consumption | Cost-efficient, auto-scaling, suitable for most workloads |
| Premium | Better performance, no cold starts, longer execution duration |
📌 Reference:
- Azure Functions Pricing: https://azure.microsoft.com/en-us/pricing/details/functions/
- Pricing Calculator: https://azure.microsoft.com/en-us/pricing/calculator/
Provide the following values:
| Parameter | Description |
|---|---|
| App Name | Function App name |
| GTI API Key | Authentication key |
| Threat List | Optional GTI threat list IDs |
| Lookback Days | Historical ingestion window in days (max 7) |
| Threat Score | GTI threat score filter (0–100) |
| Timer Schedule | CRON expression for the timer trigger |
| Client ID | From App Registration |
| Client Secret | From App Registration |
| Tenant ID | From App Registration |
| User Object ID | From Entra |
This step is optional and only required for device compliance and mobile protection scenarios.
- Navigate to: Intune Admin Center → Endpoint Security → Microsoft Defender for Endpoint
- Open the Defender portal: Settings → Endpoints → Advanced features
- Enable: Microsoft Intune connection
Filtering options:
- Threat Lists – Select specific GTI feeds
- Lookback Days – Historical ingestion window (max 7 days)
- Verdicts
- Severities
- Threat Score (0–100)
Schedule:
- Configured via CRON expression
- Recommended: hourly execution
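The filters and schedule above, as an added example (not this project's code) of how a run would apply them: the lookback is clamped to the 7-day maximum, the timer expression is checked for the six-field NCRONTAB form Azure Functions timer triggers use, and GTI items that survive the threat score, verdict and severity filters are converted into Defender custom-indicator objects. The GTI item layout (`type`, `id`, `attributes.gti_assessment.*`) is a simplified sketch assumed for this example, the sample feed is constructed, and the score-to-severity bands are an arbitrary choice made here; the indicator field names (`indicatorValue`, `indicatorType`, `action`, `severity`, `expirationTime`) are those of the Defender for Endpoint indicators API.

```python
"""Added example: apply the Threat Score / Verdict / Severity / Lookback filters and
convert GTI threat-list items into Defender custom-indicator objects.

Assumptions: the GTI item layout used here is a simplified sketch, SAMPLE_ITEMS
is constructed data, and score_to_severity uses bands chosen for this example.
"""
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK_DAYS = 7                      # README: lookback is capped at 7 days

# GTI object type -> Defender indicatorType. A GTI "file" id is its SHA-256.
TYPE_MAP = {
    "file": "FileSha256",
    "domain": "DomainName",
    "ip_address": "IpAddress",
    "url": "Url",
}


def clamp_lookback(days):
    """Lookback window in whole days, clamped to 1..MAX_LOOKBACK_DAYS."""
    return max(1, min(int(days), MAX_LOOKBACK_DAYS))


def lookback_start(days, now=None):
    """UTC start of the ingestion window for the given lookback."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=clamp_lookback(days))


def validate_schedule(expr):
    """Azure Functions timer triggers use six-field NCRONTAB (seconds first)."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 NCRONTAB fields, got {len(fields)}: {expr!r}")
    return True


def score_to_severity(score):
    """Map a 0-100 GTI threat score onto Defender severity values (assumed bands)."""
    if score >= 80:
        return "High"
    if score >= 50:
        return "Medium"
    if score >= 20:
        return "Low"
    return "Informational"


def passes_filters(item, min_score, verdicts, severities):
    """The three value filters from the configuration, applied to one item."""
    gti = item["attributes"]["gti_assessment"]
    return (
        gti["threat_score"]["value"] >= min_score
        and gti["verdict"]["value"] in verdicts
        and gti["severity"]["value"] in severities
    )


def to_mde_indicator(item, action="Alert", ttl_days=30, now=None):
    """Build one Defender indicator; None for object types Defender cannot hold."""
    ind_type = TYPE_MAP.get(item["type"])
    if ind_type is None:
        return None
    now = now or datetime.now(timezone.utc)
    score = item["attributes"]["gti_assessment"]["threat_score"]["value"]
    return {
        "indicatorValue": item["id"],
        "indicatorType": ind_type,
        "action": action,                       # Alert / Block / AlertAndBlock / Warn ...
        "title": f"GTI {item['type']} indicator",
        "description": f"GTI threat score {score}",
        "severity": score_to_severity(score),
        "expirationTime": (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "recommendedActions": "Investigate the device and the source of the indicator.",
    }


def select_indicators(items, min_score=70, verdicts=("VERDICT_MALICIOUS",),
                      severities=("SEVERITY_HIGH", "SEVERITY_MEDIUM"), now=None):
    """Filter GTI items and convert the survivors, dropping unsupported types."""
    out = []
    for item in items:
        if passes_filters(item, min_score, verdicts, severities):
            ind = to_mde_indicator(item, now=now)
            if ind is not None:
                out.append(ind)
    return out


def gti_item(obj_type, value, score, verdict="VERDICT_MALICIOUS", severity="SEVERITY_HIGH"):
    """Constructed GTI-style item (sketch of the real layout, not real feed data)."""
    return {"type": obj_type, "id": value, "attributes": {"gti_assessment": {
        "threat_score": {"value": score}, "verdict": {"value": verdict},
        "severity": {"value": severity}}}}


# Constructed sample feed: a hash and a domain that pass, a low-score suspicious
# IP the score filter drops, and an unsupported object type that passes the
# filters but has no Defender indicator type.
SAMPLE_ITEMS = [
    gti_item("file", "a" * 64, 92),
    gti_item("domain", "example.invalid", 75, severity="SEVERITY_MEDIUM"),
    gti_item("ip_address", "192.0.2.10", 15, verdict="VERDICT_SUSPICIOUS"),
    gti_item("collection", "unsupported-object", 99),
]

if __name__ == "__main__":
    validate_schedule("0 0 * * * *")           # hourly, as the README recommends
    for ind in select_indicators(SAMPLE_ITEMS):
        print(ind["indicatorType"], ind["indicatorValue"], ind["severity"])
```

Two things worth keeping from this shape: the conversion returns `None` for types Defender cannot store instead of sending them and burning a slot of the 15,000-indicator budget on a rejected item, and every indicator carries an `expirationTime`, so stale intelligence ages out on its own rather than accumulating against that cap.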
To verify the ingested indicators:
- Navigate to: https://security.microsoft.com
- Go to: Settings → Endpoints → Rules → Indicators
Failed IOCs are stored in Azure Table Storage:
- Table Name: FailedIOCs
Known limitations:
- Maximum 15,000 indicators supported in Defender
- The ingestion API may return inconsistent counts
- Consumption plan timeout: 10 minutes
- Remaining data is processed in subsequent runs
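The limitations above (the 15,000-indicator cap, the 10-minute Consumption-plan timeout with carry-over to the next run, and the FailedIOCs table) determine how a run has to be structured. The following is an added example, not this project's code, of that structure: indicators beyond the remaining capacity are deferred, batches stop before the time budget is exhausted and the rest are deferred too, and anything the import API rejects becomes a row for the FailedIOCs table. `IMPORT_BATCH_SIZE` and the import response shape (`value[].indicator` / `isFailed` / `failureReason`) are assumed here, `submit_batch` stands in for the real HTTPS call to the indicators import endpoint, and the demo data, fake API and fake clock are constructed so the example runs without a network.

```python
"""Added example: batch, time-box and record one ingestion run.

Assumptions: IMPORT_BATCH_SIZE and the import response shape are assumed;
submit_batch is a placeholder for the real import call; fake_submit, demo_run
and the indicators they use are constructed for offline demonstration.
"""
import hashlib
import time

MDE_MAX_INDICATORS = 15_000        # README: Defender supports at most 15,000 indicators
IMPORT_BATCH_SIZE = 500            # assumed per-call limit of the import API
RUN_BUDGET_SECONDS = 10 * 60       # README: Consumption plan timeout
SAFETY_MARGIN_SECONDS = 90         # stop early so the last batch is not cut off mid-call


def capacity(existing_count):
    """How many more indicators the tenant can hold under the 15,000 cap."""
    return max(0, MDE_MAX_INDICATORS - existing_count)


def batches(seq, size=IMPORT_BATCH_SIZE):
    """Split a list into import-sized chunks."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def failed_ioc_entity(indicator, reason, run_id):
    """Row for the FailedIOCs table.

    Table Storage keys may not contain '/', '\\', '#' or '?', which URL
    indicators do, so the RowKey is the SHA-256 of the value and the raw
    value is kept in an ordinary property.
    """
    value = indicator["indicatorValue"]
    return {
        "PartitionKey": run_id,
        "RowKey": hashlib.sha256(value.encode()).hexdigest(),
        "IndicatorValue": value,
        "IndicatorType": indicator["indicatorType"],
        "FailureReason": reason,
    }


def ingest(indicators, existing_count, submit_batch, run_id, clock=time.monotonic):
    """Submit what fits in the cap and the time budget; report the rest.

    submit_batch(batch) -> list of {"indicator": value, "isFailed": bool,
    "failureReason": str | None}   (assumed response shape)
    Returns {"submitted": [values], "failed": [table entities], "deferred": [indicators]}.
    """
    start = clock()
    fits = indicators[:capacity(existing_count)]
    deferred = list(indicators[len(fits):])          # over the cap: next run's problem
    submitted, failed = [], []
    pending = list(batches(fits))
    for i, batch in enumerate(pending):
        if clock() - start > RUN_BUDGET_SECONDS - SAFETY_MARGIN_SECONDS:
            deferred = [ind for rest in pending[i:] for ind in rest] + deferred
            break
        by_value = {r["indicator"]: r for r in submit_batch(batch)}
        for ind in batch:
            r = by_value.get(ind["indicatorValue"])
            # A missing result counts as a failure too: the README notes the
            # API's counts are not always consistent, so never assume success.
            if r is None or r.get("isFailed"):
                reason = (r or {}).get("failureReason") or "no result returned"
                failed.append(failed_ioc_entity(ind, reason, run_id))
            else:
                submitted.append(ind["indicatorValue"])
    return {"submitted": submitted, "failed": failed, "deferred": deferred}


# --- constructed demo: fake API and fake clock, no network ---------------------
BAD_VALUE = "http://example.invalid/bad"


def fake_submit(batch):
    """Reject one specific value, accept everything else (constructed behaviour)."""
    return [{"indicator": b["indicatorValue"],
             "isFailed": b["indicatorValue"] == BAD_VALUE,
             "failureReason": "Invalid indicator" if b["indicatorValue"] == BAD_VALUE else None}
            for b in batch]


def demo_run():
    """1,200 constructed indicators against a tenant already holding 13,900."""
    bad = {"indicatorValue": BAD_VALUE, "indicatorType": "Url"}
    inds = [bad] + [{"indicatorValue": f"host{i}.example.invalid", "indicatorType": "DomainName"}
                    for i in range(1199)]
    ticks = [0]

    def clock():                     # every call advances 200 s: the 3rd batch misses the budget
        ticks[0] += 200
        return ticks[0]

    return ingest(inds, existing_count=13_900, submit_batch=fake_submit,
                  run_id="run-demo", clock=clock)


if __name__ == "__main__":
    r = demo_run()
    print(len(r["submitted"]), "submitted,", len(r["failed"]), "failed,",
          len(r["deferred"]), "deferred to the next run")
```

In the demo only 1,100 of the 1,200 indicators fit under the cap, the fake clock lets two 500-item batches through before the budget check trips, and the rejected URL lands in the FailedIOCs row set with a hash-safe RowKey; the 200 deferred indicators are what "processed in subsequent runs" refers to.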