An Azure service that provides an event-driven serverless compute platform.
The behavior matches known indicator and counting limitations rather than an Azure Functions issue.
Key points relevant to the mismatch:
- Tenant-wide indicator limit
Defender for Endpoint enforces a hard limit of 15,000 indicators per tenant. When this limit is approached or reached, not all submitted indicators can be stored. This can cause the API response to show fewer successfully processed indicators than were sent. - Different enforcement types and behavior
Indicators use updated enforcement types (audit,block and remediate,allow,block and warn). These do not change the raw count of indicators, but they can affect how indicators are processed and surfaced (for example, whether alerts are generated). If the same indicator (same key fields) is submitted multiple times with different actions, it may be updated instead of counted as a new indicator, which can also make the “processed” count appear lower than the number sent. - Partner / threat-intelligence integration behavior
When indicators come from threat-intelligence providers or partner integrations, Defender for Endpoint correlates and may remediate based on matches. If the same indicator already exists (for example, from a previous import or a partner feed), a new import may update the existing record rather than add a new one, again causing a mismatch between “sent” and “newly created” indicators. - Intermittent nature
The fact that the mismatch is intermittent is consistent with:- Periodically hitting or nearing the 15,000-indicator limit.
- Re-sending indicators that already exist (updates vs. inserts) only in some batches.
To troubleshoot concretely:
- Check current indicator count
Use the Microsoft Graph Security threat intelligence profile indicator count cmdlets to see how many indicators currently exist:-
Get-MgSecurityThreatIntelligenceProfileIndicatorCount(v1.0) - or
Get-MgBetaSecurityThreatIntelligenceProfileIndicatorCount(beta)
-
- Verify duplicates vs. new indicators
Compare a sample of indicators from a batch where the mismatch occurs against existing indicators (same value, type, and scope). If they already exist, the API may be updating them instead of creating new entries, which explains a lower “created” count. - Monitor per-batch results
Log the API response from each Azure Function execution and compare:- Number of indicators sent in the request
- Number reported as created/updated/failed in the response
- Indicators rejected due to tenant limits
- Indicators treated as updates
- Actual failures (which should be visible in the response details)
If the current indicator count is well below 15,000 and the response does not classify the “missing” indicators as failures or updates, capture a failing batch (request and response metadata, excluding secrets) and open a support case, as that would fall outside documented behavior.
References: