Forum Discussion
Massive reduction in Threat Intelligence IP data since Monday 10th June
Hello,
The significant reduction in Threat Intelligence IP data observed in your Microsoft Sentinel environments since Monday, June 10, 2025, could be attributed to several factors:
1. Transition to New Threat Intelligence Tables
Microsoft Sentinel has been migrating from the legacy ThreatIntelligenceIndicator table to the new ThreatIntelIndicators and ThreatIntelObjects tables. This transition, initially set to complete by July 31, 2025, has been extended to August 31, 2025. During this period, data ingestion into the legacy table continues, but new data is being directed to the new tables. If your queries and analytics are still referencing the old table, they might not capture the latest threat intelligence data.
https://techcommunity.microsoft.com/blog/microsoftsentinelblog/table-talk-sentinel%E2%80%99s-new-threatintel-tables-explained/4440273?utm_source=chatgpt.com
2. Changes in Threat Intelligence Feed Sources
There have been significant global efforts to dismantle malicious IP addresses. For instance, INTERPOL's Operation Secure led to the takedown of 79% of identified suspicious IPs, which could result in a noticeable decrease in the number of malicious IPs reported in threat intelligence feeds.
3. Integration of Microsoft Defender Threat Intelligence (MDTI) into Sentinel
Microsoft is integrating MDTI directly into Defender XDR and Microsoft Sentinel, providing access to a comprehensive repository of threat intelligence. This integration, expected to be completed by October 2025, may alter the volume and nature of threat intelligence data ingested into Sentinel.
4. Potential Configuration or Query Issues
It's also possible that configuration changes or updates in your Sentinel environment, such as modifications to data connectors or analytics rules, could have impacted the ingestion or visibility of threat intelligence data.
- Have you updated your custom queries and analytics rules to reference the new ThreatIntelIndicators and ThreatIntelObjects tables?
- Are there any recent changes in your threat intelligence feed sources or configurations that might have affected data ingestion?
Let me know.
Jovan.
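As an added example (not part of Jovan's reply), a KQL query that compares daily IP indicator counts in the legacy ThreatIntelligenceIndicator table and the new ThreatIntelIndicators table, so a drop can be localised to one table or the other rather than to the feed itself. It assumes the column names NetworkIP / NetworkSourceIP / NetworkDestinationIP on the legacy table and ObservableKey / ObservableValue on the new table.

```kql
// Added example, not from the original post. Compares daily IP indicator
// ingestion in the legacy and new Sentinel threat intelligence tables.
// Assumptions: legacy IP columns are NetworkIP / NetworkSourceIP /
// NetworkDestinationIP; the new table exposes ObservableKey (for IPs,
// "ipv4-addr:value" or "ipv6-addr:value") and ObservableValue.
let lookback = 30d;
// Legacy table: collapse the three possible IP columns into one value.
let legacy = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where isnotempty(NetworkIP)
        or isnotempty(NetworkSourceIP)
        or isnotempty(NetworkDestinationIP)
    | extend Ip = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | summarize LegacyIpIndicators = dcount(Ip) by Day = bin(TimeGenerated, 1d);
// New table: IP observables are identified by the STIX observable key.
let current = ThreatIntelIndicators
    | where TimeGenerated > ago(lookback)
    | where ObservableKey in ("ipv4-addr:value", "ipv6-addr:value")
    | summarize NewIpIndicators = dcount(ObservableValue) by Day = bin(TimeGenerated, 1d);
// Full outer join so days present in only one table still appear,
// with a zero for the table that had no IP indicators that day.
legacy
| join kind=fullouter current on Day
| extend Day = coalesce(Day, Day1)
| project Day,
          LegacyIpIndicators = coalesce(LegacyIpIndicators, 0),
          NewIpIndicators = coalesce(NewIpIndicators, 0)
| order by Day asc
```

If the legacy column falls on or around June 10 while the new column holds steady or rises, the drop is a query or table reference issue rather than a feed change; if both fall together, look at the connector or feed source.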