Issue with Duplicate Threat Intelligence Data Ingestion in Microsoft Sentinel via TAXII Connector

Environment:

• Microsoft Sentinel workspace
• Using TAXII connector for threat intelligence ingestion
• Tables involved: ThreatIntelligenceIndicator (old/deprecated) and ThreatIntelIndicators (new)

Problem Description:

I'm experiencing duplicate data ingestion in my Sentinel workspace from the TAXII connector. There are two tables being populated with the same threat intelligence data:

• ThreatIntelligenceIndicator (the old table, which has been deprecated by Microsoft)
• ThreatIntelIndicators (the new table introduced as a replacement)

This duplication is causing unnecessary increases in data ingestion costs, as the same intel is being stored twice.

What I've Tried:

• After Microsoft announced the deprecation of the old table and the introduction of the new one, I uninstalled the old TAXII connector/solution from the Content Hub in Sentinel.
• Despite uninstallation, the old ThreatIntelligenceIndicator table continues to ingest data.
• I've verified that the new table is working as expected, but I can't seem to fully disable or stop ingestion into the old one.

Question:

How can I completely stop data ingestion into the deprecated ThreatIntelligenceIndicator table while ensuring that all threat intel data is only ingested into the new ThreatIntelIndicators table? Are there any additional steps beyond uninstalling from the Content Hub, such as disabling workflows, updating configurations, or purging legacy connectors?

Any guidance, scripts, or documentation references would be greatly appreciated to help reduce these redundant costs. Thanks!