Change Log
This page documents the changes that have been made to the service:
2025-07-07
Fixed a bug preventing users managing multiple tenants from accessing the portal due to size constraints on session data
2025-07-04
New named locations added (Aeza Group, DigitalOcean, RouterHosting)
Update interval for hosting provider named locations (e.g. Stark) set to 12 hours via the daemon, and the refresh cycle for all hosting provider named location data set to every 6 hours - i.e. if you query the API we update the data every 6 hours, but we only update your named locations every 12 hours (this data does not change regularly)
Historical data set at 48 hours for all named locations except AiTM (30 days with active checks), Tor-exits (7 days) and ExpressVPN (custom) - i.e. any ranges that have not been observed in that hosting provider's ASN are flushed after 48 hours of not being observed
Updated the “What feeds are available?” documentation to reflect changes and updates to the named locations
2025-06-24
Alterations made to Indicator logic in order to better fit within Microsoft Defender limitations whilst also improving coverage
Introduced incremental updates to Indicators (occur every 15 minutes)
Reduced full indicator updates to every 6 hours (i.e. 4 times per day) - toggle indicators off (wait a minute or two for MS to catch up) and then toggle them back on if you want an immediate full update
Increased expiry time on indicators to 24 hours (from 2 hours)
More frequent updates to non-AiTM named locations introduced
New indicator endpoint at “/v1.0/indicators/aitm/15” for all indicators added in the last 15 minutes (consider this beta - also not yet in the API docs)
Code introduced to minimise the length of named location data by merging adjacent CIDRs into a single CIDR range
General bug and performance fixes
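The CIDR merging described in the 2025-06-24 entry can be reproduced when consuming the feed into other tooling. This is an added example, not Lab539's code: it uses Python's standard ipaddress module, the function names are hypothetical, and the sample ranges are constructed from documentation address space.

```python
import ipaddress

# Constructed sample entries (documentation ranges only, not real feed data).
SAMPLE_FEED = [
    "192.0.2.0/25",
    "192.0.2.128/25",      # adjacent to the entry above
    "192.0.2.5/25",        # host bits set; same block as the first entry
    "198.51.100.0/26",
    "198.51.100.64/26",
    "198.51.100.128/25",   # three blocks that together form one /24
    "203.0.113.16/28",
    "203.0.113.17/32",     # already inside the /28 above
    "203.0.113.64/28",     # not adjacent to .16/28, so it stays separate
    "2001:db8::/33",
    "2001:db8:8000::/33",  # adjacent IPv6 halves
]


def merge_cidrs(cidrs):
    """Return the shortest CIDR list covering exactly the same addresses."""
    by_version = {4: [], 6: []}
    for text in cidrs:
        # strict=False normalises entries that have host bits set.
        net = ipaddress.ip_network(text.strip(), strict=False)
        by_version[net.version].append(net)
    merged = []
    for version in (4, 6):
        # collapse_addresses() raises TypeError on mixed IPv4/IPv6 input,
        # so each address family is collapsed on its own.
        merged.extend(ipaddress.collapse_addresses(by_version[version]))
    return [str(net) for net in merged]


def is_listed(ip, cidrs):
    """True if ip falls inside any CIDR in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


if __name__ == "__main__":
    merged = merge_cidrs(SAMPLE_FEED)
    print(f"{len(SAMPLE_FEED)} entries merged into {len(merged)}: {merged}")
    # Merging must not change any lookup result.
    for ip in ("192.0.2.200", "203.0.113.17", "203.0.113.40", "2001:db8:ffff::1"):
        assert is_listed(ip, SAMPLE_FEED) == is_listed(ip, merged)
```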
2025-06-16
Existing users of the Microsoft Defender Indicators service will be automatically migrated from delegated to application authentication. New users will only have application authentication available.
Changes to the Lab539 Indicators Feed app registration API permissions (multiple removed, one added)
Minor changes to portal codebase to support authentication changes
Indicators update frequency altered to 1 update per hour
Indicators expiry time is increased to 30 days - this will soon be complemented with
Minor changes to portal help text
Introduced additional rate limiting for MS Defender APIs
2025-06-01
Updates to the named location ARM templates for those operating a self-hosted environment - these are available here: https://www.lab539.com/blog/self-hosted-conditional-access-service but will be moved to our https://aitm-feed.com documentation soon.
2025-05-28
Multiple named location feeds made available via the API, including AiTM, tor-exits, Stark Industries, XHOST and ExpressVPN
Known Issues / Feature Requests
Resolved issues are removed from this list:
AiTM feed is closely approaching the 3000 indicator limit - controls are in place to prevent it hitting this limit, but as the rate of AiTM infrastructure increases we intend to add an additional named location feed to accommodate this.
Changing indicators account displays the tenant ID rather than a friendly organisation name or domain - this issue arises due to slow propagation of MS Graph permissions. This is outside of our control, but if you set the account again it should catch up. In a future release we will add something that updates this automatically.
Documentation not up to date - we are aware that after a few changes our documentation is not as up to date as it could be. Updates will happen soon to rectify this.
Environments using Sentinel are treating indicator updates as new indicators and so seeing excessive indicator writes - we plan to resolve this with incremental changes to indicators and longer TTLs on indicators by default.
(fixed in 2025-06-24 update)
We have reached our maximum indicators level - we’ve discussed this in depth with Microsoft but they remain unwilling to increase the maximum number of indicators per tenant. We have various workarounds to keep this number as low as possible whilst still providing a good level of protection. If this concerns you then we advise that you contact Microsoft directly. You may wish to consider ingesting our feed into other security tooling in order to supplement your Microsoft protection.
(workarounds introduced in 2025-06-24 update)
Named location feed uses delegated auth for early users - this is being worked on and will be updated shortly. We envisage no changes will be required by users, so this should be seamless.
(fixed in 2025-06-24 update)