Enable data connector for Microsoft Defender Threat Intelligence

Bring high-fidelity indicators of compromise (IOCs) generated by Microsoft Defender Threat Intelligence (MDTI) into your Microsoft Sentinel workspace. The MDTI data connector ingests these IOCs with a simple one-click setup. You can then monitor, alert, and hunt based on the threat intelligence in the same way you use other feeds.


The Microsoft Defender Threat Intelligence data connector is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


  • To install, update, and delete standalone content or solutions in content hub, you need the Template Spec Contributor role at the resource group level. See Azure RBAC built-in roles for details on this role.
  • To configure this data connector, you must have read and write permissions to the Microsoft Sentinel workspace.

Install the Threat Intelligence solution in Microsoft Sentinel

To import threat indicators into Microsoft Sentinel from MDTI, follow these steps:

  1. From the Azure portal, navigate to the Microsoft Sentinel service.

  2. Choose the workspace into which you want to import the MDTI indicators.

  3. Select Content hub from the menu.

  4. Find and select the Threat Intelligence solution.

  5. Select the Install/Update button.

For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

Enable the Microsoft Defender Threat Intelligence data connector

  1. To configure the MDTI data connector, select the Data connectors menu.

  2. Find and select the Microsoft Defender Threat Intelligence data connector, then select the Open connector page button.

    Screenshot displaying the data connectors page with the MDTI data connector listed.

  3. Enable the feed by selecting the Connect button.

    Screenshot displaying the MDTI data connector page and the connect button.

  4. When MDTI indicators start populating the Microsoft Sentinel workspace, the connector status displays Connected.

At this point, the ingested indicators are available for use in the TI map... analytics rules. For more information, see Use threat indicators in analytics rules.

You can find the new indicators in the Threat intelligence blade or directly in Logs by querying the ThreatIntelligenceIndicator table. For more information, see Work with threat indicators.
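To confirm that the connector is delivering usable indicators, you can run a query like the following in Logs. This is an added example, not part of the original article. The 14-day lookback and the IndicatorType grouping are assumptions chosen for illustration. Because the query groups by SourceSystem, it shows every feed populating the table without needing to know the exact source name the MDTI connector writes.

```kusto
// Added example: verify threat indicator ingestion per source in the
// ThreatIntelligenceIndicator table. The 14d window is an assumed lookback.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(14d)
// The table receives a new row each time an indicator is updated,
// so keep only the most recent record for each indicator.
| summarize arg_max(TimeGenerated, *) by IndicatorId
// Classify each indicator by the observable column that is populated.
| extend IndicatorType = case(
    isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), "filehash",
    isnotempty(EmailSenderAddress), "email",
    "other")
| summarize
    Indicators = count(),
    // Only active, unexpired indicators are useful for matching in analytics rules.
    ActiveUnexpired = countif(Active == true and ExpirationDateTime > now()),
    LastIngested = max(TimeGenerated)
    by SourceSystem, IndicatorType
| order by SourceSystem asc, Indicators desc
```

A source with a stale LastIngested value, or with few ActiveUnexpired indicators relative to Indicators, is worth checking before relying on it in analytics rules.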

Next steps

In this document, you learned how to connect Microsoft Sentinel to Microsoft's threat intelligence feed with the MDTI data connector. To learn more about Microsoft Defender for Threat Intelligence, see the following articles.