
July 23, 2025
In today’s rapidly evolving threat landscape, organizations need threat intelligence (TI) that is woven seamlessly into every step of their security operations—delivered exactly when and where it matters most. That’s why Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time TI within a unified SecOps experience at no additional cost. This convergence will grant customers access to Microsoft’s extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals, eliminating the need for additional licensing and costly third-party solutions.
With comprehensive threat actor-focused TI at every layer of the SecOps workflow, teams gain enhanced visibility, faster detection, and accelerated incident response to outpace threats.
Key Features Arriving Soon
The convergence of MDTI value into Microsoft Sentinel and Defender XDR will take place over the course of several months and be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:
Finished Threat Intelligence: Defender XDR customers will have access to Microsoft’s comprehensive threat intelligence library via threat reports within threat analytics (TA). This includes exclusive analyses of threat activity and the detailed intel profiles focused on threat actors, threat tooling, and vulnerabilities. Customers can connect this intelligence to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.
The convergence of MDTI’s finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). Security operations and threat intelligence teams can use these IOCs—updated in real time as new evidence emerges from Microsoft researchers—to investigate specific attacker infrastructure and behavior, which supports more effective threat hunting and remediation. Even after their expiration, these IOCs will remain available for historical investigations, enabling analysis of past threats and their organizational impact. This helps security teams proactively uncover new, previously unseen attacker infrastructure beyond the known environment.
Additionally, the convergence brings MITRE TTPs (tactics, techniques, and procedures) into threat analytics. Understanding TTPs equips organizations to design detections that specifically target the more persistent methods attackers use. By proactively focusing on TTPs, organizations move beyond simply blocking or alerting on IOCs, which helps achieve stronger, more resilient defenses and a proactive security posture.
Sentinel customers will also get access to threat analytics in the Defender portal, granting them the same finished TI with many of the same capabilities. This experience will be available for Sentinel customers soon after Defender XDR customers. Stay tuned to the MDTI Tech Community blog for updates on availability.
IOCs in Case Management: Sentinel customers will be able to share threat actor IOCs via Sentinel case management to collaborate and share threat research across teams within their organization. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered. By using this workflow within Sentinel, security teams can ensure that actionable threat indicators are promptly distributed and integrated into ongoing investigations, driving smarter and faster responses across the enterprise.
What to Expect from the Fully Unified Threat Intelligence Experience
Once MDTI is fully converged into Defender XDR and Sentinel, customers’ alerts, incidents, and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection and response to emerging threats. Customers will benefit from the entirety of MDTI’s finished and raw intelligence through the threat analytics blade in the Defender portal—including open-source intelligence (OSINT), in-depth threat articles, and advanced internet data sets.
Defender XDR customers will be able to directly link this compendium of intelligence to Defender alerts, endpoints, and vulnerabilities. Sentinel customers will gain unique enhancements of their own, such as automated detection triggers based on the latest IOCs, real-time incident enrichment with current threat actor TTPs, advanced automation features like incident triage, and the ability to enhance third-party intelligence through the Sentinel Threat Intelligence Platform (TIP). For some capabilities, such as alerting on IOCs against log data, Sentinel customers will have to pay a small cost for ingestion of TI (there is no minimum ingestion cost).
The first phase of the convergence will be complete by October 2025, with the rest of the features rolling out over time. Reference the table below to see the features and capabilities that will be available after MDTI is fully converged with Defender XDR and Sentinel.
For ongoing updates about new MDTI features coming online in Sentinel and Defender XDR, customers should check back on the MDTI Tech Community blog.
Actions for Existing MDTI Customers
Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. They will be contacted by their account team or partner with guidance on next steps and how to reduce their current license and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost. Please do not hesitate to reach out to your account team with any questions.
Additional Information
Discover how this unified experience simplifies operations, eliminates silos, and helps you see and stop threats faster. Explore the following resources:
- Read our blog announcing the expanded Sentinel data lake offering
- Register to join us in October for our next wave of innovation around threat intelligence and Microsoft Sentinel