Microsoft is introducing an improved data schema for Threat Intelligence in Microsoft Sentinel, with two new tables:
– ThreatIntelIndicators
– ThreatIntelObjects
Key Timelines:
- 3 April 2025: Public preview of the new tables (ThreatIntelIndicators and ThreatIntelObjects). Dual ingestion begins (legacy + new tables).
- 31 May 2025: General Availability (GA) of the new tables.
- 31 July 2025: Legacy table (ThreatIntelligenceIndicator) stops ingesting new data. Custom content must migrate to the new tables.
- 31 May 2026: Full retirement of the legacy table.
Required Actions:
- Update analytic rules, workbooks, and KQL queries to use the new tables by 31 July 2025.
- Opt for dual ingestion (if needed) until 31 July 2026.
You Should Know:
1. Querying the New Tables in KQL
To adapt your Kusto Query Language (KQL) queries, replace references to `ThreatIntelligenceIndicator` with:
[kql]
ThreatIntelIndicators
| where ExpirationDateTime > now()
| project IndicatorValue, ThreatType, Description
[/kql]
For threat actor data:
[kql]
ThreatIntelObjects
| where ObjectType == "ThreatActor"
| project Name, Aliases, Motivations
[/kql]
2. Updating Analytic Rules
Modify Sentinel analytics rules to use the new tables:
[kql]
// Old rule (legacy)
ThreatIntelligenceIndicator
| where …
// New rule (updated)
ThreatIntelIndicators
| where …
[/kql]
3. PowerShell Automation for Migration
Use Azure PowerShell to audit and update rules:
# List all analytics rules
Get-AzSentinelAlertRule -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace"
# Export rules for backup
Export-AzSentinelAlertRule -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace" -OutputFolder "C:\SentinelBackup\"
4. Azure CLI for Bulk Operations
Check table ingestion status:
az monitor log-analytics workspace table list --resource-group YourRG --workspace-name YourWorkspace --query "[?name=='ThreatIntelIndicators'].name"
5. Log Analytics Workspace Adjustments
Ensure the identity that queries the new tables has the required role on your Log Analytics Workspace's resource group:
az role assignment create --assignee "YourSPN" --role "Log Analytics Contributor" --scope "/subscriptions/YourSub/resourceGroups/YourRG"
What Undercode Say
Migrating to ThreatIntelIndicators and ThreatIntelObjects future-proofs your Microsoft Sentinel deployment. Key steps:
1. Test queries in a dev workspace before production rollout.
2. Monitor ingestion delays during the dual-write phase with:
[kql]
union ThreatIntelligenceIndicator, ThreatIntelIndicators
| summarize count() by $table
[/kql]
3. Leverage ARM templates for automated rule deployments:
"resources": [{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2023-02-01",
"name": "NewThreatIntelRule",
"properties": {
"query": "ThreatIntelIndicators | where ..."
}
}]
4. Use Linux `jq` to parse exported rule JSONs:
jq '.properties.query |= gsub("ThreatIntelligenceIndicator"; "ThreatIntelIndicators")' old_rule.json > new_rule.json
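The jq one-liner above rewrites one rule file at a time and replaces any substring match. The following Python helper, added here as an illustration and not code from the post or from Microsoft, walks a whole ARM-style resource list like the one in step 3, rewrites only whole-word references to the legacy table (so a custom table such as the assumed `ThreatIntelligenceIndicator_CL` is left alone), and reports how many references each rule had so rules that still use legacy column names can be reviewed by hand. The sample template and rule names are constructed.

```python
import json
import re

# Legacy table name and its replacement, as stated in the post.
LEGACY_TABLE = "ThreatIntelligenceIndicator"
NEW_TABLE = "ThreatIntelIndicators"

# \b keeps a custom table such as ThreatIntelligenceIndicator_CL untouched:
# "_" is a word character, so no word boundary exists before it.
LEGACY_REF = re.compile(r"\b" + re.escape(LEGACY_TABLE) + r"\b")


def migrate_query(query: str) -> tuple[str, int]:
    """Rewrite every whole-word legacy table reference; return (query, count)."""
    return LEGACY_REF.subn(NEW_TABLE, query)


def migrate_rules(template_json: str) -> tuple[str, dict[str, int]]:
    """Migrate the 'query' of each alert rule in an ARM-style resource list.

    Returns the updated JSON text and a per-rule replacement count, so rules
    that were touched can be checked for legacy column names afterwards.
    """
    template = json.loads(template_json)
    report: dict[str, int] = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.SecurityInsights/alertRules":
            continue
        props = res.setdefault("properties", {})
        if "query" not in props:
            continue
        props["query"], report[res["name"]] = migrate_query(props["query"])
    return json.dumps(template, indent=2), report


# Constructed sample template (not from the post): one legacy rule that references
# the table twice, one already-migrated rule, and one hypothetical custom _CL table.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.SecurityInsights/alertRules", "apiVersion": "2023-02-01",
     "name": "LegacyJoin", "properties": {"query":
         "ThreatIntelligenceIndicator | join (ThreatIntelligenceIndicator) on IndicatorId"}},
    {"type": "Microsoft.SecurityInsights/alertRules", "apiVersion": "2023-02-01",
     "name": "AlreadyNew", "properties": {"query": "ThreatIntelIndicators | take 10"}},
    {"type": "Microsoft.SecurityInsights/alertRules", "apiVersion": "2023-02-01",
     "name": "CustomTable", "properties": {"query": "ThreatIntelligenceIndicator_CL | take 10"}},
]})

if __name__ == "__main__":
    updated, report = migrate_rules(SAMPLE_TEMPLATE)
    print(report)   # {'LegacyJoin': 2, 'AlreadyNew': 0, 'CustomTable': 0}
    print(updated)
```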
Expected Output:
Updated KQL queries, analytic rules, and scripts targeting `ThreatIntelIndicators` and `ThreatIntelObjects` tables without dependency on the legacy schema.
Reported By: Markolauren Sentinel – Hackers Feeds