Issue with Duplicate Threat Intelligence Data Ingestion in Microsoft Sentinel via TAXII Connector

Talon Wolf 20 Reputation points
2025-08-21T21:03:56.5433333+00:00

Environment:

  • Microsoft Sentinel workspace
  • Using TAXII connector for threat intelligence ingestion
  • Tables involved: ThreatIntelligenceIndicator (old/deprecated) and ThreatIntelIndicators (new)

Problem Description:

I'm experiencing duplicate data ingestion in my Sentinel workspace from the TAXII connector. There are two tables being populated with the same threat intelligence data:

  • ThreatIntelligenceIndicator (the old table, which has been deprecated by Microsoft)
  • ThreatIntelIndicators (the new table introduced as a replacement)

This duplication is causing unnecessary increases in data ingestion costs, as the same intel is being stored twice.

What I've Tried:

  • After Microsoft announced the deprecation of the old table and the introduction of the new one, I uninstalled the old TAXII connector/solution from the Content Hub in Sentinel.
  • Despite uninstallation, the old ThreatIntelligenceIndicator table continues to ingest data.
  • I've verified that the new table is working as expected, but I can't seem to fully disable or stop ingestion into the old one.

Question:

How can I completely stop data ingestion into the deprecated ThreatIntelligenceIndicator table while ensuring that all threat intel data is only ingested into the new ThreatIntelIndicators table? Are there any additional steps beyond uninstalling from the Content Hub, such as disabling workflows, updating configurations, or purging legacy connectors?

Any guidance, scripts, or documentation references would be greatly appreciated to help reduce these redundant costs. Thanks!

Microsoft Security | Microsoft Sentinel
0 comments No comments
{count} votes

Accepted answer
  1. EduardsGrebezs 1,096 Reputation points
    2025-08-22T10:39:57.4166667+00:00
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.