Action Required for Microsoft Defender For Endpoint Integration

Reason for the Change

Microsoft is deprecating the tiIndicator object used to push threat intelligence indicators to Microsoft Defender For Endpoint. This change will impact all existing integrations that rely on this object, specifically our “RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint” and “RecordedFuture_IP_SCF” playbooks.

The existing solution will cease to function by April 2026.

This document provides immediate notification of this deprecation and outlines the steps to transition to an interim solution developed by Recorded Future to maintain continuous threat intelligence sharing with Microsoft Defender For Endpoint.

Mitigation

To ensure a seamless transition and minimize disruption, Recorded Future has developed a new playbook (attached to this support article) that replaces the deprecated integration. This new Playbook is also deployed within Microsoft Azure.

This solution uses HTTP actions to send the information to the Microsoft Defender For Endpoint API directly instead of creating tiIndicator objects. This solution requires a different permission structure.

While the new Playbook offers the same core functionality as “RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint”, the method for granting the necessary permissions has changed significantly. Users must take immediate action to configure permissions for the new solution.

Action Items: Steps to deploy the new playbook

The primary difference in the new integration is the requirement for users to register a new application in Microsoft Entra ID (formerly Azure Active Directory) and grant it specific API permissions. 

1. Register a New Application in Microsoft Entra ID

  1. Log in to the Microsoft Entra ID portal.
  2. Navigate to App registrations.
  3. Click New registration.
  4. Follow the on-screen instructions to register a new application for the Recorded Future integration.

2. Configure API Permissions

The new playbook requires specific permissions to interact with Microsoft Defender.

  1. From your new application's overview page in Microsoft Entra ID, navigate to API permissions.
  2. Click Add a permission.
  3. Select the APIs my organization uses tab.
  4. Search for and select the WindowsDefenderATP API.
  5. Select Application permissions.
  6. Under TI, check the box for Ti.ReadWrite.All.
  7. Click Add permissions.
  8. Crucial Step: Grant admin consent for the newly added permission. Application permissions only take effect once a tenant administrator has consented; until then the access token issued to the app carries no Ti.ReadWrite.All role and the API calls will be rejected.

3. Generate Client Secret

The new playbook requires a Client ID and Client Secret for authentication.

  1. In your Entra ID application's settings, navigate to Certificates & secrets.
  2. Under Client secrets, click New client secret.
  3. Provide a description and set an appropriate expiration time. Record the expiry date: the playbook stops authenticating as soon as the secret expires, and a new secret must then be generated and entered in the playbook configuration.
  4. IMMEDIATELY copy the generated Value of the client secret. This value is only shown once and is required for the new playbook.

4. Deploy the new playbook

Once the app is registered and the secret is secured, the final step is to configure the new playbook. The playbook is attached to this support article.

  1. Deploy the new playbook to your Microsoft Azure environment: in the Azure portal, search for “Deploy a custom template”, click “Build your own template in the editor”, then “Load File”, select the new playbook file and click “Save”. From this point on it is the normal playbook (Logic App) deployment flow.
  2. In the playbook configuration, enter the following details from your new Microsoft Entra ID application:
    • Client ID: The Application (Client) ID of your new Entra ID App.
    • Client Secret: The secret Value copied in Step 3.

The playbook contains 3 parameters that have default values, but can be changed.

  • Indicator Action - Action to take when indicator is matched
  • Generate Alert - Whether to generate an alert when indicator is matched
  • Expiration Days - Number of days before an indicator expires. This must not be shorter than the playbook’s “Recurrence” (24h by default); otherwise indicators expire in Defender before the next run re-creates them, leaving a gap in coverage.

The playbook assigns a severity to each indicator based on the Recorded Future risk score: Informational for scores up to 25, Medium for 26 through 75, and High from 75 upward (the two bands overlap at 75 as documented; the if() expression in the playbook is authoritative for that boundary). Since the imported lists are highly curated, most indicators will end up with High severity.

To change this behavior, locate the “Transform IP/Domain Indicators” action and click on it, locate “severity” in the left-hand modal, click on the pink “if(..)” expression, update the numbers, click “Update” and then “Save” in the upper right corner.
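The following is an added example, not code from the Recorded Future playbook or from Microsoft: it shows in plain Python what the playbook’s HTTP actions do with the app registration from steps 1 to 3, the three parameters above and the severity mapping. It obtains a client-credentials token for the Defender for Endpoint API, checks that the token actually carries the Ti.ReadWrite.All role (which fails if admin consent was not granted), builds an indicator body and POSTs it to the Indicators API. Assumptions not stated in the article: tenant ID, client ID and secret are read from environment variables; the API host is api.securitycenter.microsoft.com; the default Indicator Action is taken to be “Block”; a score of exactly 75 is treated as High; the sample IP is constructed.

```python
"""Added example (not the Recorded Future playbook's own code): push one
indicator to the Microsoft Defender for Endpoint Indicators API using an
Entra ID app registration that holds the Ti.ReadWrite.All application
permission. Assumptions: credentials come from environment variables and
the API host is api.securitycenter.microsoft.com.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
REQUIRED_ROLE = "Ti.ReadWrite.All"


def severity_for_score(score: int) -> str:
    """Map a Recorded Future risk score (0-99) to a Defender severity.

    Bands follow the article: Informational up to 25, Medium 26-75, High 75+.
    The article lists 75 in both bands; this example treats 75 as High
    (assumption; the playbook's own if() expression is authoritative).
    """
    if score <= 25:
        return "Informational"
    if score < 75:
        return "Medium"
    return "High"


def build_indicator(value, kind, score, action="Block", generate_alert=True,
                    expiration_days=1, now=None):
    """Build one request body for POST /api/indicators.

    kind is "IpAddress" or "DomainName". action, generate_alert and
    expiration_days mirror the playbook's three parameters; "Block" as the
    default action is an assumption. expiration_days must not be shorter
    than the playbook's recurrence (24h by default).
    """
    if kind not in ("IpAddress", "DomainName"):
        raise ValueError("only IP and domain indicators are handled here")
    if expiration_days < 1:
        raise ValueError("Expiration Days must not be shorter than the 24h recurrence")
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(days=expiration_days)
    return {
        "indicatorValue": value,
        "indicatorType": kind,
        "action": action,
        "severity": severity_for_score(score),
        "generateAlert": generate_alert,
        "title": f"Recorded Future risk score {score}",
        "description": "Imported from Recorded Future risk list",
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def roles_from_token(jwt: str) -> list:
    """Return the application roles claimed in an access token.

    No signature check: this is a local sanity check that admin consent
    took effect (the roles claim is empty until it has been granted).
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("roles", [])


def get_token(tenant, client_id, client_secret):
    """Client-credentials grant against the Entra ID v2.0 token endpoint."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=data) as resp:
        return json.load(resp)["access_token"]


def submit_indicator(token, body):
    """POST one indicator; returns the created indicator as JSON."""
    req = urllib.request.Request(
        INDICATORS_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                      os.environ["CLIENT_SECRET"])
    if REQUIRED_ROLE not in roles_from_token(token):
        raise SystemExit(f"token lacks {REQUIRED_ROLE}: grant admin consent and retry")
    # Constructed sample: one IP from a hypothetical Recorded Future risk list.
    print(submit_indicator(token, build_indicator("203.0.113.7", "IpAddress", score=89)))
```

The role check is the quickest way to tell a missing admin consent apart from a wrong secret: a bad secret fails at the token endpoint, while a missing consent yields a valid token whose roles claim does not contain Ti.ReadWrite.All and a 401/403 from the Indicators API.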

Timeline and Support

Item                    Details
Current Solution        End-of-Life April 2026
Required Action         Configure new Playbook with Microsoft Entra ID App registration and permissions.

We strongly recommend beginning this transition immediately to avoid any disruption to your threat intelligence pipeline. 

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.