Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Migrate your custom Threat Intelligence (TI) to indicators!
Published Aug 06 2019 05:43 AM 4,398 Views

A little while ago we introduced the unified indicators of compromise (IOC) experience in Microsoft Defender ATP allowing you to define your organization-specific rules for detection, prevention, and the exclusion of entities.  


With this update, we unified several different IoC lists and made the lists more accessible for interactive (portal) and automated (API) use. In addition, we aligned all detection and enforcement means to honor the unified list. The new schema supports several actions such as allow, alert-only, and alert and block. Today you can define the action to be taken on detected files and IPs, and soon we will be also exposing URLs, domains, and certificates. It also supports RBAC for fine-grained control over user access. 


As part of this overall APIs alignment, we are deprecating the previous custom TI APIs and are asking you to migrate automation based on the custom TI to the new unified IOCs paradigmThe migration is easy and straight forward 


Migration path 

Your existing custom TI rules will be migrated automatically to the new unified indicators experience. Please make sure to port any automation based on the custom TI API into the new unified IOCs paradigm in advance. 


You can find here more details on how to configure new indicators through the management UI or through the Microsoft Defender ATP rich set of programmatic APIs. 



The custom TI will be available for the next weeks, until August 29th, 2019. We will then discontinue support for the custom TI.   


Talk to us 

As always, please don’t hesitate to contact our team at the Microsoft Defender ATP community if you have any questions or concerns. 


@Dan Michelson 

@Efrat Kliger

Version history
Last update:
‎Apr 07 2020 11:55 AM
Updated by: