Key updates
On April 3, 2025, we publicly previewed two new tables to support STIX (Structured Threat Information eXpression) indicator and object schemas: ThreatIntelIndicators and ThreatIntelObjects.
To summarize the important dates:
31 August 2025: We previously announced that data ingestion into the legacy ThreatIntelligenceIndicator table would cease on 31 July 2025. This timeline has now been extended, and the transition to the new ThreatIntelIndicators and ThreatIntelObjects tables will proceed gradually until 31 August 2025. The legacy ThreatIntelligenceIndicator table (and its data) will remain accessible, but no new data will be ingested into it. Any custom content that references it, such as workbooks, queries or analytics rules, must therefore be updated to reference the new tables to remain effective. If you need more time to complete the transition, you can opt into dual ingestion, available until the official retirement on 31 May 2026, by submitting a service request.
31 May 2026: Support for the ThreatIntelligenceIndicator table officially retires, along with ingestion for those who opted into dual ingestion beyond 31 August 2025.
What’s changing: ThreatIntelligenceIndicator vs ThreatIntelIndicators and ThreatIntelObjects
Let’s summarise some of the differences.
| | ThreatIntelligenceIndicator | ThreatIntelIndicators | ThreatIntelObjects |
|---|---|---|---|
| Status | Extended data ingestion until 31 August 2025, with an opt-in for additional transition time. Deprecating on 31 May 2026; no new data will be ingested after this date. | Active and recommended for use. | Active and complementary to ThreatIntelIndicators. |
| Purpose | Originally used to store threat indicators such as IPs, domains and file hashes. | Stores individual threat indicators (e.g. IPs, URLs, file hashes). | Stores STIX objects that provide contextual information about indicators, e.g. threat actors, malware families, campaigns and attack patterns. |
| Characteristics | Limitations: less flexible schema; limited support for STIX (Structured Threat Information eXpression) objects; fewer contextual fields for advanced threat hunting. | Enhancements: supports the STIX indicator schema; includes a Data column with the full STIX object for advanced hunting; more metadata fields (e.g. LastUpdateMethod, IsDeleted, ExpirationDateTime); optimised ingestion that excludes empty key-value pairs and truncates fields longer than 1,000 characters. | Enhancements: enables richer threat modelling and correlation; includes fields such as StixType, Data.name and Data.id. |
| Use cases | Legacy structure for storing threat indicators. Migration note: all custom queries, workbooks and analytics rules referencing this table must be updated to use the new tables. | Threat hunting: ideal for identifying and correlating specific threat indicators. Alerting and detection rules: can be used in KQL queries to match against telemetry from other tables (e.g. Heartbeat, SecurityEvent, Syslog). Example query correlating threat indicators with threat actors: "Identify threat actors associated with specific threat indicators". | Threat hunting: useful for understanding relationships between indicators and broader threat entities (e.g. linking an IP to a known threat actor). Alerting and detection rules: enrich alerts with context such as threat actor names or malware types. Example query listing TI objects related to the threat actor "Sangria Tempest": "List threat intelligence data related to a specific threat actor". |
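The correlation the table describes, as an added example that is not from the original post or the solution pack: it matches current IPv4 indicators against network logons in SecurityEvent and attributes each hit to a threat actor through STIX relationship objects. It assumes the ThreatIntelIndicators columns ObservableValue, IsActive, IsDeleted, ValidUntil and Confidence, and that relationships are stored as ThreatIntelObjects rows with StixType == "relationship" whose Data carries the standard STIX source_ref and target_ref fields.

```kql
// Added example, not part of the original post. Assumed columns: ObservableValue,
// IsActive, IsDeleted, ValidUntil and Confidence on ThreatIntelIndicators, and the
// standard STIX fields source_ref / target_ref inside ThreatIntelObjects.Data.
let lookback = 14d;
// 1. Current IPv4 indicators. Republishing (LastUpdateMethod == "LogARepublisher")
//    re-emits every indicator, so keep only the newest row per STIX id.
let ActiveIpIndicators = ThreatIntelIndicators
    | where TimeGenerated > ago(30d)
    | where ObservableKey == "ipv4-addr:value"
    | extend IndicatorId = tostring(Data.id)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where IsActive == true and IsDeleted == false and ValidUntil > now()
    | where Confidence > 0          // zero-confidence entries are not worth alerting on
    | project IndicatorId, IndicatorIp = ObservableValue, Confidence,
              IndicatorName = tostring(Data.name);
// 2. Relationship objects that link an indicator to a threat actor.
let IndicatorToActor = ThreatIntelObjects
    | where StixType == "relationship"
    | extend IndicatorId = tostring(Data.source_ref), ActorId = tostring(Data.target_ref)
    | where IndicatorId startswith "indicator--" and ActorId startswith "threat-actor--"
    | project IndicatorId, ActorId;
// 3. Threat actor names, newest copy per id.
let Actors = ThreatIntelObjects
    | where StixType == "threat-actor"
    | extend ActorId = tostring(Data.id)
    | summarize arg_max(TimeGenerated, *) by ActorId
    | project ActorId, ActorName = tostring(Data.name);
// 4. Match the indicators against network logons and attach the actor where one is known.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625) and LogonType == 3
| where isnotempty(IpAddress) and IpAddress != "-"
| join kind=inner (ActiveIpIndicators) on $left.IpAddress == $right.IndicatorIp
| join kind=leftouter (IndicatorToActor) on IndicatorId
| join kind=leftouter (Actors) on ActorId
| project TimeGenerated, Computer, Account, EventID, IpAddress, Confidence,
          IndicatorName, ActorName = coalesce(ActorName, "unattributed")
| order by TimeGenerated desc
```

To narrow the output to a single actor, such as the "Sangria Tempest" example from the table, add `| where ActorName == "Sangria Tempest"` before the final project.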
Benefits of the new ThreatIntelIndicators and ThreatIntelObjects tables
In addition to what is mentioned in the table above, the main benefits of the new tables include:
- Enhanced threat visibility
  - More granular and complete representation of threat intelligence.
  - Support for advanced hunting scenarios and complex queries.
  - Attribution to threat actors and their relationships.
- Improved hunting capabilities
  - Generic parsing of STIX patterns.
  - Support for all valid STIX IoCs, threat actors, identities and relationships.
Important considerations with the new TI tables
Higher volume of data being ingested:
- In the legacy ThreatIntelligenceIndicator table, only IoCs from the Domain, File, URL, Email and Network sources were ingested.
- The new tables support a richer schema and more detailed data, which naturally increases ingestion volume. The Data column in both tables stores the full STIX object, which is often large and complex.
- Additional metadata fields (e.g. LastUpdateMethod, StixType, ObservableKey) increase the size of each record.
- Some fields, such as description and pattern, are truncated if they exceed 1,000 characters, which shows how large individual payloads can be.
More frequent republishing:
- Previously, threat intelligence data was republished over a 12-day cycle. Now all data is republished every 7-10 days (depending on the volume), increasing both the ingestion frequency and the volume.
- This change ensures fresher data but also leads to more frequent ingestion events.
- Republished records are identifiable by LastUpdateMethod = “LogARepublisher” in the tables.
Optimising data ingestion
There are two mechanisms to optimise threat intelligence data ingestion and control costs.
Ingestion Rules
See ingestion rules in action: Introducing Threat Intelligence Ingestion Rules | Microsoft Community Hub
Sentinel supports ingestion rules that allow organisations to curate data before it enters the system. Ingestion rules also enable:
- Bulk tagging, expiration extensions and confidence-based filtering, which may increase ingestion if more indicators are retained or extended.
- Custom workflows that may result in additional ingestion events (e.g. tagging or relationship creation).
- Noise reduction by filtering out irrelevant TI objects, such as low-confidence indicators (e.g. dropping IoCs with a confidence score of 0) or known false positives from specific feeds.
These rules act on TI objects before they are ingested into Sentinel, giving you control over what gets stored and analysed.
Data collection rules / data transformation
As mentioned above, the ThreatIntelIndicators and ThreatIntelObjects tables include a “Data” column that contains the full original STIX object, which may or may not be relevant to your use cases. If it is not, you can use a workspace transformation DCR to drop it with a KQL query. An example of this KQL query is shown below; for more examples of workspace transformations and data collection rules, see Data collection rules in Azure Monitor – Azure Monitor | Microsoft Learn.
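Before dropping the Data column it is worth measuring what it actually costs. The block below is an added example, not from the original post: the first query reports how much of the last day's TI volume sits in the Data column and how much of the row volume is republishing rather than new indicators; the second is the transformKql body of a workspace transformation DCR on the ThreatIntelIndicators stream that removes the column. It relies only on the built-in estimate_data_size() function and on LastUpdateMethod being present in both tables.

```kql
// Added example, not part of the original post.
// 1. Sizing check: run this in the workspace before deploying a transformation.
//    It breaks the last day's TI ingestion down by table and by update method, so
//    republished rows (LastUpdateMethod == "LogARepublisher") are visible separately.
union withsource = TiTable ThreatIntelIndicators, ThreatIntelObjects
| where TimeGenerated > ago(1d)
| summarize Rows = count(),
            TotalMB = round(sum(estimate_data_size(*)) / 1048576.0, 2),
            DataColumnMB = round(sum(estimate_data_size(Data)) / 1048576.0, 2)
    by TiTable, LastUpdateMethod
| extend DataColumnSharePct = round(100.0 * DataColumnMB / TotalMB, 1)
| order by TiTable asc, TotalMB desc

// 2. Workspace transformation (the transformKql value of the DCR attached to the
//    workspace) for the ThreatIntelIndicators stream. The Data column is dropped;
//    every other column, including ObservableKey, ObservableValue and the metadata
//    fields, is kept. Any rule, workbook or parser that reads Data.* must be
//    updated before this is deployed.
source
| project-away Data
```

A separate transformation on the ThreatIntelObjects stream can drop its Data column the same way, but relationship objects keep their source_ref and target_ref only inside Data, so dropping it there removes the indicator-to-actor linkage that attribution queries depend on.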
A few things to note:
- Your threat intelligence feeds will send the additional STIX object data and IoCs. If you prefer not to receive this additional TI data, you can adjust the filter to drop it according to your use cases, as mentioned above. More examples are given here: Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview) – Microsoft Sentinel | Microsoft Learn
- If you use a data collection rule to make schema changes, such as dropping fields, make sure to update the Sentinel content (e.g. detection rules, workbooks, hunting queries) that uses the tables.
- Azure Monitor data transformations can incur additional cost (for example when adding extra columns or enriching incoming data). However, if Sentinel is enabled on the Log Analytics workspace, there is no ingestion charge for filtering, regardless of how much data the transformation filters out.
New Threat Intelligence solution pack available
A new Threat Intelligence solution is now available in the Content Hub, providing out-of-the-box content that references the new TI tables: 51 detection rules, 5 hunting queries, 1 workbook, 5 data connectors and 1 parser for ThreatIntelIndicators.
Please note that the previous Threat Intelligence solution pack will be deprecated and removed after the transition phase. We recommend installing the new solution from the Content Hub as shown below:
Conclusion
The transition to the new ThreatIntelIndicators and ThreatIntelObjects tables provides enhanced support for STIX schemas, improved hunting and alerting features, and greater control over data ingestion, allowing organisations to gain deeper visibility and more effective threat detection. To ensure continuity and maximise value, it is essential to update existing content and adopt the new Threat Intelligence solution pack available in the Content Hub.
Related content and references:
Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel
Curate Threat Intelligence using Ingestion Rules
Announcing Public Preview: New STIX Objects in Microsoft Sentinel