What Changed

Added monitoring and sample queries for the new ThreatIntelObjects table across all Threat Intelligence data connector templates. The update affects six connector variants, including Microsoft Defender TI, TAXII feeds, and manual upload connectors.

Security Impact (Visibility & Fidelity)

Prior to this update, deployments tracked threat intelligence data only in the ThreatIntelIndicators table. The new ThreatIntelObjects table represents an expanded threat intelligence data model that was invisible to connector health monitoring. SOC teams using these connectors had no visibility into ThreatIntelObjects data ingestion status or volume metrics.

This change ensures comprehensive monitoring coverage for Microsoft Sentinel’s enhanced threat intelligence data structure, providing operators with complete visibility into both indicator-based and object-based threat intelligence ingestion.
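
A health check covering both tables could look like the following KQL. This is an added example, not one of the sample queries shipped in the connector templates. The 7-day staleness threshold, the 24-hour volume window, the 30-day lookback and the column names SourceTable, LastReceived, RecordsInWindow and Status are assumptions chosen for illustration.

```kusto
// Added example (not from the connector templates).
// Reports last ingestion time and recent volume for both TI tables,
// and still returns a row for a table that has received nothing.
let stale_after   = 7d;    // assumed threshold for a "stale" feed
let volume_window = 24h;   // assumed window for the volume metric
let lookback      = 30d;   // assumed search horizon
// Tables the connectors are expected to populate.
let expected = datatable(SourceTable: string)
[
    "ThreatIntelIndicators",
    "ThreatIntelObjects"
];
let observed =
    // isfuzzy=true keeps the query valid in workspaces where
    // ThreatIntelObjects has not been created yet.
    union withsource=SourceTable isfuzzy=true
        ThreatIntelIndicators, ThreatIntelObjects
    | where TimeGenerated > ago(lookback)
    | summarize
        LastReceived    = max(TimeGenerated),
        RecordsInWindow = countif(TimeGenerated > ago(volume_window))
      by SourceTable;
expected
// leftouter keeps expected tables with no rows, which is the case
// a plain "summarize max(TimeGenerated)" silently drops.
| join kind=leftouter observed on SourceTable
| extend
    RecordsInWindow = coalesce(RecordsInWindow, long(0)),
    Status = case(
        isnull(LastReceived),                "no data",
        LastReceived < ago(stale_after),     "stale",
        RecordsInWindow == 0,                "idle in window",
                                             "ok")
| project SourceTable, LastReceived, RecordsInWindow, Status
| order by SourceTable asc
```

A "no data" row for ThreatIntelObjects alongside an "ok" row for ThreatIntelIndicators is the gap described above: indicator ingestion looks healthy while object ingestion goes unmonitored.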

Affected Files

Data connector templates updated (6 files): Microsoft Defender TI (standard and premium), generic TI, TAXII, upload indicators (commercial and government)
Packaging artefacts updated: createUiDefinition.json, mainTemplate.json, 3.0.5.zip
Custom table definition added: ThreatIntelObjects.json