Change Log
This page documents the changes that have been made to the service:
2025-06-16
Existing users of the Microsoft Defenders Indicators service will be automatically migrated from delegated to application authentication. New users will only have application authentication available.
Changes to the Lab539 Indicators Feed app registration API permissions (removed multiple, added one)
Minor changes to portal codebase to support authentication changes
Indicators update frequency altered to 1 update per hour
Indicators expiry time is increased to 30 days - this will soon be complemented with
Minor changes to portal help text
Introduced additional rate limiting for MS Defender APIs
2025-06-01
Updates to the named location ARM templates for those operating a self-hosted environment - these are available here: https://www.lab539.com/blog/self-hosted-conditional-access-service but will be moved to our https://aitm-feed.com documentation soon.
2025-05-28
Multiple named location feeds made available via the API; these include AiTM, tor-exits, Stark Industries, XHOST, ExpressVPN
Known Issues / Feature Requests
Resolved issues are removed from this list:
Environments using Sentinel are treating indicator updates as new indicators and so are seeing excessive indicator writes - we plan to resolve this with incremental changes to indicators and longer TTLs on indicators by default.
Changing indicators account displays the tenant ID rather than a friendly organisation name or domain - this issue arises due to slow propagation of MS Graph permissions. This is outside of our control, but if you set the account again it should catch up. In a future release we will add something that updates this automatically.
We have reached our maximum indicators level - we’ve discussed this in depth with Microsoft but they remain unwilling to increase the maximum number of indicators per tenant. We have various workarounds to keep this number as low as possible whilst still providing a good level of protection. If this concerns you then we advise that you contact Microsoft directly. You may wish to consider ingesting our feed into other security tooling in order to supplement your Microsoft protection.
Named location feed uses delegated auth for early users - this is being worked on and will be updated shortly. We envisage no changes will be required by users, so this should be seamless.