Windows Defender: Import Indicators from TruSTAR

This script extracts Indicators from TruSTAR and imports them into Windows Defender ATP.

Activating the Script

  1. Create an AD App in the Azure portal (link).
  2. Assign the Ti.ReadWrite.All permission (link).
  3. Create an App Secret for the newly registered App.
  4. Contact your TruSTAR account manager with the following information:
     • Source enclave IDs
     • App ID
     • App Secret
     • Tenant ID

How It Works

  1. Searches for all Indicators from the specified source enclaves once every 24 hours.
  2. Converts TruSTAR Indicators into Defender Indicators.
  3. Divides the Defender Indicators into batches of 500 and uploads each batch separately to Defender ATP.
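
The convert-and-batch steps above, sketched as an added example (not the TruSTAR script itself). The type mapping, the "Audit" action, the title and description text, and the function names are assumptions; the field names follow Microsoft's Defender indicator import schema, and the upload call is left out so the block runs offline.

```python
from itertools import islice

BATCH_SIZE = 500  # batch size stated on this page

# Assumed mapping from TruSTAR indicator types to Defender indicator types.
# Types with no entry (e.g. EMAIL_ADDRESS, CVE) are skipped, not uploaded.
TYPE_MAP = {
    "IP": "IpAddress",
    "URL": "Url",
    "MD5": "FileMd5",
    "SHA1": "FileSha1",
    "SHA256": "FileSha256",
}

def to_defender(indicator, action="Audit"):
    """Convert one TruSTAR indicator dict; return None if it cannot be mapped."""
    d_type = TYPE_MAP.get(indicator.get("indicatorType"))
    value = (indicator.get("value") or "").strip()
    if d_type is None or not value:
        return None
    if d_type.startswith("File"):
        value = value.lower()  # normalise hash case so duplicates collapse
    return {
        "indicatorValue": value,
        "indicatorType": d_type,
        "action": action,  # assumed default: log matches without blocking
        "title": "TruSTAR " + indicator["indicatorType"] + " indicator",
        "description": "Imported from TruSTAR enclave",
    }

def build_batches(trustar_indicators, batch_size=BATCH_SIZE):
    """Convert, de-duplicate, and split into request bodies of <= batch_size."""
    seen, converted, skipped = set(), [], 0
    for ind in trustar_indicators:
        out = to_defender(ind)
        key = out and (out["indicatorType"], out["indicatorValue"])
        if out is None or key in seen:
            skipped += 1
            continue
        seen.add(key)
        converted.append(out)
    it = iter(converted)
    chunks = iter(lambda: list(islice(it, batch_size)), [])
    return [{"Indicators": chunk} for chunk in chunks], skipped

# Constructed sample input: 1200 IPs, one hash twice (mixed case), one unmapped type.
SAMPLE = [{"indicatorType": "IP", "value": f"10.0.{i // 256}.{i % 256}"} for i in range(1200)]
SAMPLE += [{"indicatorType": "SHA256", "value": "AB" * 32},
           {"indicatorType": "SHA256", "value": "ab" * 32},
           {"indicatorType": "EMAIL_ADDRESS", "value": "user@example.com"}]
```

Counting skipped indicators separately makes it visible when an enclave mostly contains types Defender cannot ingest, which would otherwise look like a silent partial import.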

Any issues or questions about this script, please contact

