Microsoft Defender’s TI Tables Are Changing—Here’s Your Survival Kit Before the 2025 Deadline!

Introduction:

Microsoft Defender for Threat Intelligence is retiring its legacy `ThreatIntelligenceIndicator` table by August 31, 2025, replacing it with `ThreatIntelIndicators` and `ThreatIntelObjects`. Organizations must migrate custom queries, automations, and analytics to avoid disruptions as dual ingestion ends in May 2026.

Learning Objectives:

  • Migrate legacy KQL queries to the new Threat Intelligence tables
  • Automate TI data ingestion using Azure Logic Apps
  • Enrich security alerts with contextual threat indicators
  • Configure real-time detection rules for emerging threats
  • Optimize threat hunting workflows with unified TI objects

1. Querying the New ThreatIntelIndicators Table

```kql
ThreatIntelIndicators
| where ExpirationDateTime > now()
| project IndicatorValue, ThreatType, Description
```

Step-by-step guide:

1. Replace `ThreatIntelligenceIndicator` with `ThreatIntelIndicators` in existing KQL.
2. Filter active indicators using `ExpirationDateTime`.
3. Use `project` to extract critical fields like `IndicatorValue` (IP/domain) and `ThreatType`.

2. Linking Indicators to Threat Objects

```kql
ThreatIntelIndicators
| join ThreatIntelObjects on $left.ThreatId == $right.Id
| where ThreatType == "Malware"
```

Step-by-step guide:

1. Join `ThreatIntelIndicators` and `ThreatIntelObjects` via `ThreatId`.
2. Filter by `ThreatType` (e.g., "Malware", "Phishing").
3. Enrich indicators with object details like actor groups or campaigns.

3. Migrating Legacy Queries with PowerShell

```powershell
# Find all legacy KQL queries (search every .kql file under the current directory):
Get-ChildItem -Path . -Filter "*.kql" -Recurse | Select-String -Pattern "\bThreatIntelligenceIndicator\b"

# Bulk replace in one file. The \b anchors match the table name only as a whole word,
# so longer identifiers that merely start with the old name are left alone:
(Get-Content "query.kql") -replace "\bThreatIntelligenceIndicator\b", "ThreatIntelIndicators" | Set-Content "query.kql"
```

Step-by-step guide:

1. Scan KQL scripts for references to the old table.
2. Use PowerShell's `-replace` to update file contents.
3. Validate syntax in Microsoft Sentinel's Logs interface.

4. Ingesting TI Data via API with Python

```python
import requests

# Bearer token obtained with the ThreatIndicators.ReadWrite.All scope
headers = {"Authorization": "Bearer <TOKEN>"}
response = requests.post(
    "https://api.security.microsoft.com/v1.0/tiIndicators",
    json={"indicator": "94.140.14.14", "threatType": "Botnet"},
    headers=headers,
    timeout=30,
)
response.raise_for_status()  # fail loudly on 4xx/5xx instead of silently dropping the indicator
```

Step-by-step guide:

1. Obtain an Azure AD token with `ThreatIndicators.ReadWrite.All` scope.
2. POST JSON payloads to Microsoft's TI API to populate the new tables.
3. Verify ingestion via `ThreatIntelIndicators | where IndicatorValue == "94.140.14.14"`.

5. Creating Detection Rules in Defender

```kql
// New: Alert on malicious IP communication
SecurityAlert
| where ProviderName == "MDTI"
| where Entities has "94.140.14.14"
```

Step-by-step guide:

1. Use the `SecurityAlert` table instead of legacy TI tables.
2. Filter by the `ProviderName` and `Entities` fields.
3. Trigger automated playbooks via Azure Sentinel when matches occur.

6. Hardening Cloud Workloads with TI Data

```shell
# Enable Defender TI integration in Arc:
az security setting update --name MCAS \
  --enabled true \
  --ti-providers "Microsoft Defender"
```

Step-by-step guide:

1. Ensure Azure Arc agents are deployed to hybrid servers.
2. Link Defender TI to Microsoft Cloud App Security (MCAS).
3. Block TI indicators automatically across Azure/on-prem resources.

7. Automating TI Expiry with Logic Apps

ARM template snippet for expiry cleanup. The condition must be true only for indicators that are already past their `ExpirationDateTime` (expiration earlier than the current time); the DELETE then runs only against stale rows:

```json
"condition": "@less(item()?['ExpirationDateTime'], utcNow())",
"action": { "type": "Http", "method": "DELETE", "url": "https://api.security.microsoft.com/v1.0/tiIndicators/{id}" }
```

Step-by-step guide:

1. Create a recurring Logic App that queries `ThreatIntelIndicators`.
2. Add a condition to check `ExpirationDateTime`.
3. Delete stale indicators via the TI API to reduce noise.
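The two API-facing steps above (the POST ingestion in section 4 and the expiry-driven DELETE in section 7) share the same validation and time-handling concerns, so here is one added Python example covering both; it is not code from the original post. It keeps the post's endpoint, `indicator`/`threatType` payload fields and `.../tiIndicators/{id}` URL template, and assumes an `Id` column on `ThreatIntelIndicators` rows plus Z-suffixed ISO-8601 timestamps; the sample rows are constructed and nothing here touches the network.

```python
# Added example, not from the original post. Offline helpers for the TI API steps:
# build_indicator() validates the POST body (section 4), select_expired() picks
# the rows a cleanup job should DELETE (section 7). The "Id" column and the
# Z-suffixed timestamp format are assumptions; sample rows below are constructed.
import ipaddress
import re
from datetime import datetime, timezone

TI_API = "https://api.security.microsoft.com/v1.0/tiIndicators"  # endpoint from the post
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def build_indicator(value, threat_type):
    """Validate an IP or domain observable and return the JSON body the post POSTs."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
    except ValueError:
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"not an IP address or domain: {value!r}")
    return {"indicator": value, "threatType": threat_type}


def parse_ti_time(text):
    """Parse ISO-8601 timestamps as the TI tables emit them (up to 7 fractional digits, Z suffix)."""
    text = re.sub(r"(\.\d{6})\d+", r"\1", text).replace("Z", "+00:00")
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def select_expired(records, now):
    """Ids whose ExpirationDateTime is at or before `now`. Stale means expiration <= now,
    the inverse of the `ExpirationDateTime > now()` filter that lists active indicators;
    rows with no expiration are treated as still active and never selected for deletion."""
    return [r["Id"] for r in records
            if r.get("ExpirationDateTime") and parse_ti_time(r["ExpirationDateTime"]) <= now]


def delete_urls(ids):
    """DELETE targets following the post's .../tiIndicators/{id} template."""
    return [f"{TI_API}/{i}" for i in ids]


# Constructed sample rows standing in for ThreatIntelIndicators query output.
SAMPLE_ROWS = [
    {"Id": "a1", "IndicatorValue": "94.140.14.14", "ExpirationDateTime": "2025-01-01T00:00:00.0000000Z"},
    {"Id": "b2", "IndicatorValue": "example.invalid", "ExpirationDateTime": "2030-06-30T12:00:00Z"},
    {"Id": "c3", "IndicatorValue": "203.0.113.7"},
]
```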

What Undercode Say:

  • Migrate by Q3 2024 to avoid rushed transitions—dual ingestion requires manual activation.
  • Refactor KQL now: Legacy queries will fail post-August 2025, breaking dashboards and alerts.
The shift to granular TI tables (Indicators + Objects) enables deeper threat context but demands query rewrites. Organizations lagging risk blind spots in detection pipelines. Prioritize updating: 1) SIEM correlations, 2) SOAR playbooks, 3) Hunting notebooks. Microsoft's extension is a grace period—not an excuse for delay.

Prediction:

By 2026, threat actors will exploit migration gaps in enterprises slow to adopt the new schema, launching campaigns disguised as “legacy” false negatives. Organizations using the unified `ThreatIntelObjects` model will gain 40% faster attribution of IoCs to TTPs, while holdouts face increased dwell time and breach costs. API-driven TI ingestion will become standard, phasing out manual uploads by 2027.

Reported By: Mmihalos Microsoftsecurity – Hackers Feeds