Listen to this Post

Introduction:
Most Security Operations Centers (SOCs) have access to Microsoft Defender Threat Intelligence (MDTI), yet they fail to leverage its full potential, leaving critical attack stories hidden within isolated data points. The July 2025 update introduces groundbreaking features like the new ThreatIntelIndicators table and advanced relationship mapping, fundamentally changing how analysts can contextualize threats. This guide provides a practical roadmap to move beyond passive alerting and proactively build intelligence that integrates seamlessly with your security logs.
Learning Objectives:
- Understand the critical new tables and capabilities introduced in the July 2025 MDTI update.
- Learn how to create custom threat indicators and build actionable relationship graphs.
- Master the integration of this enriched intelligence with Microsoft Sentinel for proactive hunting and detection.
You Should Know:
- The Paradigm Shift in the July 2025 MDTI Update
The July 2025 update represents a significant evolution from a passive feed to an active intelligence platform. The cornerstone of this update is the new `ThreatIntelIndicators` table in Log Analytics, which provides a unified schema for storing both Microsoft-provided and custom-generated indicators of compromise (IoCs). Furthermore, the introduction of native relationship mapping allows you to visually and programmatically link indicators—such as connecting a malicious IP to a domain it resolves to, and then to a file hash downloaded from that domain—transforming isolated alerts into a coherent attack narrative.
2. Accessing and Querying the New ThreatIntelIndicators Table
Step‑by‑step guide explaining what this does and how to use it.
The first step is to locate and query the new data. This table consolidates all threat intelligence, making it the central point for all IoC-based investigations and detections.
- Navigate to Microsoft Sentinel Logs: Open your Microsoft Sentinel workspace and access the Log Analytics interface.
- Run a Basic Query: Execute a simple query to explore the table’s schema and content.
ThreatIntelIndicators | take 100
This returns a sample of 100 indicators. Review the columns like
NetworkIP,DomainName,Url,FileHash,ThreatType, and `Description` to understand the available data.
3. Filter for High-Confidence Malicious IPs:
ThreatIntelIndicators | where ThreatType == "malware" | where NetworkIP != "" | where ExpirationDateTime > now()
This query filters for active, non-expired IP indicators associated with malware, providing a list for immediate blocklist review.
3. Building Your Own Custom Indicators
Step‑by‑step guide explaining what this does and how to use it.
Relying solely on vendor-provided intelligence is insufficient. Creating custom indicators from your own investigations is crucial for defending against targeted attacks. This process internalizes your threat intelligence.
- Use the Microsoft Graph Security API: Custom indicators are created via API. Below is a PowerShell example using an app registration with the `ThreatIndicators.ReadWrite.OwnedBy` permission.
- PowerShell Script to Create a Custom IP Indicator:
Define variables $tenantId = "your-tenant-id" $clientId = "your-app-client-id" $clientSecret = "your-app-client-secret" $resource = "https://graph.microsoft.com" Get OAuth token $tokenBody = @{ Grant_Type = "client_credentials" Scope = "https://graph.microsoft.com/.default" client_Id = $clientId Client_Secret = $clientSecret } $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody $headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" } Create the indicator JSON payload $indicatorJson = @{ action = "alert" description = "Custom IOC from internal investigation C-2025-001" expirationDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") targetProduct = "Microsoft Defender ATP" threatType = "compromised" networkIdentifier = @{ address = "203.0.113.100" protocol = "ipv4" } } | ConvertTo-Json -Depth 3 Submit the indicator Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/security/tiIndicators" -Method POST -Headers $headers -Body $indicatorJson -ContentType "application/json"This script creates a new indicator that will trigger alerts when the specified IP is observed in your environment.
4. Creating Relationship Maps to Connect the Dots
Step‑by‑step guide explaining what this does and how to use it.
Relationship mapping is the key to moving from data points to intelligence. The `ThreatIntelligenceRelation` table links related indicators, allowing you to reconstruct attack chains.
- Query for Built-in Relationships: Start by exploring the relationships already identified by Microsoft.
ThreatIntelligenceRelation | where SourceThreatIntelligenceIndicatorId != "" | project SourceIndicator=SourceThreatIntelligenceIndicatorId, Relationship, TargetIndicator=TargetThreatIntelligenceIndicatorId | take 50
- Join Tables to Build an Attack Graph: Create a more complex query to map out a full relationship story. For example, find an IP, the domains it’s linked to, and the files associated with those domains.
let MaliciousIP = "203.0.113.100"; ThreatIntelIndicators | where NetworkIP == MaliciousIP | join (ThreatIntelligenceRelation) on $left.Id == $right.SourceThreatIntelligenceIndicatorId | join (ThreatIntelIndicators) on $right.TargetThreatIntelligenceIndicatorId == $left.Id | project IP=NetworkIP, Relationship, RelatedDomain=DomainName, RelatedFileHash=FileHash
This KQL query provides a tabular view of how a single malicious IP connects to other infrastructure and payloads.
-
Integrating Custom Intel with Security Detections in Sentinel
Step‑by‑step guide explaining what this does and how to use it.
The ultimate goal is to use this enriched intelligence for detection and hunting. This involves creating analytics rules in Sentinel that leverage both custom and vendor indicators.
- Create a Scheduled Analytics Rule: In Microsoft Sentinel, navigate to Analytics and create a new Scheduled query rule.
- Craft a Detection Query: Use a query that joins your custom threat intelligence with security event data, such as Windows firewall logs or Azure NSG flows.
// Look for network connections to IPs marked as 'compromised' in the last 24 hours let MaliciousIPs = materialize ( ThreatIntelIndicators | where ThreatType == "compromised" | where NetworkIP != "" | where ExpirationDateTime > now() | distinct NetworkIP ); AzureNetworkAnalytics_CL | where TimeGenerated >= ago(1h) | where SrcIP_s in (MaliciousIPs) or DestIP_s in (MaliciousIPs) | project TimeGenerated, SrcIP_s, DestIP_s, DestPort_d, L7Protocol_s, FlowStartTime_t
- Configure the Rule: Set an appropriate schedule (e.g., run every 5 minutes) and create incidents based on any results from this query. This will automatically generate an incident whenever a connection is made to one of your custom-indicator IPs.
6. Proactive Hunting with Relationship-Aware Queries
Step‑by‑step guide explaining what this does and how to use it.
Beyond automated detection, analysts can perform proactive hunts using the relationship graphs to uncover suspicious activity that might otherwise go unnoticed.
- Formulate a Hunting Hypothesis: For example, “An attacker may be using a known C2 server (IP) that has been linked to a new, previously unseen malware family (FileHash).”
2. Execute a Hunting Query:
// Hunt for processes that have communicated with an IP and loaded a DLL related by threat intel let RelatedIndicators = ThreatIntelligenceRelation | where Relationship == "resolves-to" | join (ThreatIntelIndicators) on $left.SourceThreatIntelligenceIndicatorId == $right.Id | where isnotempty(NetworkIP) | project RelatedIP = NetworkIP, RelatedFileHash = TargetThreatIntelligenceIndicatorId; DeviceNetworkEvents | where TimeGenerated > ago(7d) | join RelatedIndicators on $left.RemoteIP == $right.RelatedIP | join (DeviceFileEvents) on $left.DeviceId == $right.DeviceId | where SHA256 == RelatedFileHash
This complex hunt correlates network events with file events based on established threat intelligence relationships, potentially uncovering a successful compromise.
What Undercode Say:
- Customization is Non-Negotiable: The greatest defensive power lies in your ability to generate and action your own internal intelligence, not just consume vendor feeds. The automation of custom IOC creation is a critical skill for modern SOCs.
- Context is King: An isolated malicious IP is a data point; an IP linked to a domain, a file hash, and an attack technique is a story. The new relationship mapping features are what transform a TI platform from a simple lookup tool into an investigative engine.
The post by Bartosz Wysocki highlights a critical maturity gap in most SOCs. Many teams have the tools but lack the operational discipline to extract strategic value from them. The July 2025 update is a forcing function; it provides the technical capability, but the onus is on the security team to build the processes—like automated custom IOC ingestion and relationship-based hunting—that leverage it. Failure to adapt means falling behind, as attackers consistently use interconnected infrastructure that can only be effectively countered with a graph-based intelligence approach.
Prediction:
The integration of graph-based relationship mapping into mainstream security tools like MDTI will fundamentally shift SOC workflows from reactive alert-triaging to proactive threat-narrative building. Within two years, we predict that SOCs will employ “Threat Intelligence Engineers” as a dedicated role, focused on curating custom intelligence graphs and building automated detection pipelines based on them. This will render traditional, siloed IOC blocklisting largely obsolete, forcing a industry-wide uplift in analytical maturity and leading to more effective disruption of sophisticated, multi-stage cyber attacks.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Activity 7394661303992127488 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


