MC1192257 Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel

Home » Update » MC1192257 Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel

Table of Contents

Summary
History
Microsoft Message
Introduction
When this will happen
How this affects your organization
What you can do to prepare
Compliance considerations

Summary

Microsoft Defender Threat Intelligence (MDTI) will integrate with Microsoft Defender and Microsoft Sentinel for enhanced threat intelligence capabilities.
Access to the Threat Intelligence Library, exclusive reports, and IoCs will be available through the Microsoft Defender portal.
Enhanced Threat Analytics reports will include IoCs, MITRE ATT&CK mapping, and insights on targeted industries.
IoCs will be connected to cases for Sentinel customers, improving cross-referencing.
Active licensing for Microsoft Defender or Microsoft Sentinel will be required for MDTI capabilities after the transition.

Admin Impact: Low
User Impact: Low
Release Start: 08 Jan 2026
Release End: 08 Jan 2026
Services: Defender XDR
Category: Plan for change
Tags: Feature Update, User Adoption, Admin Action

History

12/5/2025 Item Added to Message Center

Microsoft Message

Updated December 5, 2025: We have updated the timeline. Thank you for your patience.

Introduction

Microsoft Defender Threat Intelligence (MDTI) is converging with Microsoft Defender and Microsoft Sentinel to deliver integrated threat intelligence capabilities directly within your SecOps environment. This change simplifies access to threat insights, improves detection and response workflows, and aligns with customer feedback for a unified experience.

When this will happen

Full convergence will be completed by August 1, 2026. New capabilities are available now, and as of August 2025, all MDTI data has been published via the free connector, with new Threat Analytics APIs replacing retired MDTI APIs.

How this affects your organization

Who is affected: Organizations using Microsoft Defender Threat Intelligence, Microsoft Defender, or Microsoft Sentinel.

What will happen:

Threat Intelligence Library will be accessible via the Microsoft Defender portal, including exclusive threat reports, intel profiles, and Indicators of Compromise (IoCs) integrated into Threat Analytics.
Enhanced Threat Analytics reports will include:
- Indicators of Compromise (IoCs) embedded in reports.
- MITRE ATT&CK mapping for tactics, techniques, and procedures.
- Insights on targeted industries and actor origins.
- Related intelligence and aliases for cross-referencing.
IoCs will be linked to cases for Sentinel customers.
After August 1, 2026, MDTI capabilities will require an active Microsoft Defender or Microsoft Sentinel license.

What you can do to prepare

Plan your transition to Microsoft Defender or Microsoft Sentinel before August 1, 2026, to maintain uninterrupted access.
Review licensing requirements for MDTI capabilities.
Update internal documentation to reflect new Threat Analytics APIs and connector availability.

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.