Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

Cofense Intelligence Connector: SSRF and Credential Leakage Vulnerabilities Patched in DownloadThreatReports Function

Critical security hardening of the Cofense Intelligence Azure Function eliminates a Server-Side Request Forgery (SSRF) vector and credential leakage risk that allowed callers to redirect authenticated requests to arbitrary or internal hosts. Read More →

New Workbook: Hybrid Attack Kill-Chain Hunting Across Cloud and On-Prem Identity

A new behavior-led hunting workbook registers in Microsoft Sentinel covering end-to-end hybrid identity attack scenarios across 7 MITRE ATT&CK phases, correlating signals from Entra ID, Azure, on-prem AD, and Defender XDR. Read More →

TacitRed Defender TI Playbook: Fixing Content Hub Deployment Failure on Hyphenated Workspace Names

TacitRed Defender Threat Intelligence v3.0.2 fixes an InvalidTemplate ARM error that blocked Content Hub deployment entirely on any workspace with a hyphenated name, plus resolves a sovereign cloud storage endpoint bug and adds required post-deployment RBAC guidance. Read More →

Threat Intelligence (NEW): Broken Connector Mappings and Case-Sensitive Rule Names Fixed Across 36 Analytic Rules

Two customer-reported issues are resolved: EmailEvents and EmailUrlInfo rules were mapped to the wrong connectors (Office365 instead of MicrosoftThreatProtection), and inconsistent capitalisation in rule names was silently breaking customer Playbook automations. Read More →

ZeroFox Threat Intelligence Solution: Metadata Fix to Unblock Content Hub Publishing

Corrects an invalid solution ID in SolutionMetadata.json that was preventing the ZeroFox Threat Intelligence solution from publishing to Content Hub. Read More →

JoeSandbox Solution: Sample Queries Updated to Use ThreatIntelIndicators Table

JoeSandbox solution v3.0.2 updates sample queries from the legacy ThreatIntelligenceIndicator table to ThreatIntelIndicators — workspaces still on the legacy table may see broken sample queries post-upgrade. Read More →

Google Threat Intelligence: New GTI Relevance System Alerts Connector and Six Bundled Detections

A new Function App-based data connector ingests Google Threat Intelligence Relevance System Alerts into Sentinel, unlocking six new Analytic Rules that fire on high-severity, data-leak, initial access broker, and insider threat alert categories surfaced by the GTI platform. Read More →

Vaikora-SentinelOne Playbook: Broken IOC Push Restored After HTTP 422 API Rejection

The v3.0.0 playbook always appended an empty agent_id= parameter, causing the Vaikora API to reject every poll request with HTTP 422, silently halting all IOC delivery to SentinelOne Threat Intelligence since initial deployment. Read More →

Vaikora-CrowdStrike Playbook: Silent IOC Pipeline Failure Fixed for Monitor All Agents Mode

When VaikoraAgentId was left blank to monitor all agents, every HTTP 422 rejection from the Vaikora API silently dropped all IOCs - no high/critical-risk actions ever reached CrowdStrike Falcon. Read More →

ZeroFox Threat Intelligence: Marketplace Packaging Fix Restores Customer Access

Critical solution ID mismatch prevented customers from installing ZeroFox Threat Intelligence connector from marketplace. Read More →

Premium MDTI Connector Removed from Threat Intelligence Solution During MDTI Convergence

Premium Microsoft Defender Threat Intelligence connector no longer available in Threat Intelligence (NEW) solution v3.0.19 as part of MDTI convergence effort. Read More →

Cyren Threat Intelligence: Data Fidelity Fix Corrects IP Field Pollution by URL UUIDs

DCR transform fix stops storing malware URL UUIDs in IP fields — improves data quality for threat intelligence queries. Read More →

NordStellar CCF Push Connector: Real-time Threat Intelligence Integration Now Available

New NordStellar solution delivers real-time threat intelligence and exposure monitoring via CCF Push architecture to unified NordStellar_CL table. Read More →

Google Threat Intelligence Solution: Custom Connector Deployment Prerequisites Clarified

Solution metadata updated to warn customers that Playbooks require manual deployment of the GTI custom Logic Apps connector before use. Read More →

Cyren Defender Threat Intelligence: New IP and Malware URL Ingestion for Microsoft Sentinel

Content Hub solution adds Cyren threat intelligence feeds for IP reputation and malware URL indicators via automated Logic App playbook. Read More →

New Cyren-CrowdStrike Threat Intelligence Solution: Automated IOC Sync for Enhanced Threat Detection

Logic App playbook now available to automatically sync Cyren IP reputation and malware URL indicators to CrowdStrike Falcon for streamlined threat blocking. Read More →

Illumio Insights Graph: New Network Traffic Analysis and Threat Intelligence Connector

New CCF-based connector ingests Illumio AI-powered threat discovery reports with network flow analysis, geographic context, and MITRE ATT&CK framework integration. Read More →

New Strider Shield Threat Intelligence Connector for Email Security Monitoring

NVISO introduces Strider Shield CCF connector enabling ingestion of email threat intelligence data across five data streams targeting phishing and BEC protection. Read More →

Flare Solution 3.1.0: Enhanced Threat Intelligence Detection Coverage

Flare Solution updates detection logic and adds three new Analytic Rules for improved threat exposure monitoring across chat platforms, lookalike domains, and underground marketplaces. Read More →