
Microsoft Defender Indicators Feed

Our Microsoft Defender Indicators Feed provides a "real-time-updated" feed of indicators relating to AiTM activity.

These indicators interface seamlessly with Microsoft Defender, meaning that all users of Defender-managed devices benefit from the indicators preventing them from accessing known AiTM infrastructure. In addition, the security team benefits from any triggered alerts appearing in their Defender dashboard, with the relevant detail and process trees relating to the incident triggered.

View detailed setup information


Note

We don't provide a self-hosted template for indicators because the permissions model for Defender is well thought out and granular. It enables you to grant our service only the permission to read and write indicators that we have created.

Therefore, the only reason you would want to self-host is if you intend to do some additional processing of the indicators before consuming them, that is, something bespoke to you. If this is your use case, the indicators are available via the API both as a full feed (all current indicators) and as an update feed (everything new in the last 15 minutes).
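
An added example (not the vendor's code) of the kind of bespoke pre-processing described above: it de-duplicates one update-feed batch, drops anything on a local allow-list, and builds payloads using the field names of the Microsoft Defender for Endpoint indicator API. The feed's JSON shape (`type`, `value`), the allow-list, the 30-day expiry and the title/description text are assumptions, and the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of an update-feed response. Field names are assumptions.
SAMPLE_UPDATE_FEED = [
    {"type": "domain", "value": "login.example-phish.test"},
    {"type": "domain", "value": "LOGIN.example-phish.test"},    # duplicate, different case
    {"type": "url", "value": "https://sso.corp.example/auth"},  # our own domain
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "unknown", "value": "n/a"},                        # unsupported type
]
ALLOWLIST = {"corp.example"}  # hypothetical: domains we own and must never block
TYPE_MAP = {"domain": "DomainName", "url": "Url", "ip": "IpAddress"}  # feed -> Defender

def host_of(entry):
    """Return the lower-cased host an entry points at."""
    if entry["type"] == "url":
        return (urlsplit(entry["value"]).hostname or "").lower()
    return entry["value"].lower()

def is_allowlisted(host):
    """True for an allow-listed domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def to_defender_indicators(feed, now, ttl_days=30):
    """Drop unsupported, duplicate and allow-listed entries; build indicator payloads."""
    expiry = (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen, out = set(), []
    for entry in feed:
        ind_type = TYPE_MAP.get(entry.get("type"))
        if ind_type is None or not entry.get("value"):
            continue
        # Hosts and IPs are case-insensitive; URL paths are not, so keep URLs as given.
        value = entry["value"] if ind_type == "Url" else entry["value"].lower()
        if (ind_type, value) in seen or is_allowlisted(host_of(entry)):
            continue
        seen.add((ind_type, value))
        out.append({
            "indicatorValue": value, "indicatorType": ind_type,
            "action": "Block", "severity": "High", "generateAlert": True,
            "title": "AiTM infrastructure (feed)",
            "description": "Imported from AiTM feed after local filtering",
            "expirationTime": expiry,
        })
    return out

if __name__ == "__main__":
    print(json.dumps(to_defender_indicators(SAMPLE_UPDATE_FEED, datetime.now(timezone.utc)), indent=2))
```

Filtering against an allow-list before submission keeps a false positive in the feed from blocking your own sign-in hosts across every managed device.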