[Feature Request] Support new ThreatIntelligence rule kind

Open pemontto opened this issue 3 years ago • 0 comments

Summary of the new feature/enhancement

Azure Sentinel templates include a new rule kind ThreatIntelligence. It would be useful if this could be deployed by AzSentinel.

It looks like this:

{
  "ThreatIntelligence": [
    {
      "alertRuleTemplateName": "xyz",
      "severity": "Medium",
      "tactics": [
        "Persistence",
        "LateralMovement"
      ],
      "displayName": "(Preview) Microsoft Threat Intelligence Analytics",
      "enabled": true,
      "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.",
      "name": "xyz",
      "kind": "ThreatIntelligence"
    }
  ]
}

pemontto Oct 01 '21 15:10
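One way a deployer could handle this rule kind, shown here as an added example and not AzSentinel's own code: read the template JSON from the issue, keep only the writable properties (for a ThreatIntelligence rule the service derives displayName, description, severity and tactics from the built-in template, so the request only needs alertRuleTemplateName and enabled; treat that and the preview api-version as assumptions checked against the REST reference), and PUT the rule through Invoke-AzRestMethod. Assumes an authenticated Az session and placeholder subscription, resource group and workspace names.

```powershell
# Added example (not AzSentinel code). Requires Az.Accounts (Invoke-AzRestMethod) and Connect-AzAccount.
function ConvertTo-ThreatIntelRuleBody {
    param([Parameter(Mandatory)] [pscustomobject] $Template)

    if ($Template.kind -ne 'ThreatIntelligence') {
        throw "Expected kind 'ThreatIntelligence', got '$($Template.kind)'"
    }
    if ([string]::IsNullOrWhiteSpace($Template.alertRuleTemplateName)) {
        throw 'alertRuleTemplateName is required for a ThreatIntelligence rule'
    }
    # Assumption: only alertRuleTemplateName and enabled are writable for this kind;
    # the remaining template fields are read-only and filled in by the service.
    [ordered]@{
        kind       = 'ThreatIntelligence'
        properties = [ordered]@{
            alertRuleTemplateName = $Template.alertRuleTemplateName
            enabled               = [bool]$Template.enabled
        }
    }
}

function Deploy-ThreatIntelRule {
    param(
        [Parameter(Mandatory)] [string] $TemplateJson,     # the JSON document from the issue
        [Parameter(Mandatory)] [string] $SubscriptionId,   # placeholder: <subscription-id>
        [Parameter(Mandatory)] [string] $ResourceGroup,    # placeholder: <resource-group>
        [Parameter(Mandatory)] [string] $Workspace         # placeholder: <workspace-name>
    )
    $parsed = $TemplateJson | ConvertFrom-Json
    foreach ($rule in $parsed.ThreatIntelligence) {
        $body = ConvertTo-ThreatIntelRuleBody -Template $rule
        # Rule id = template name, a choice made here so re-running the deploy updates
        # the same rule instead of creating duplicates.
        $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
                "/providers/Microsoft.SecurityInsights/alertRules/$($rule.alertRuleTemplateName)" +
                '?api-version=2021-09-01-preview'   # assumption: preview version exposing this kind
        $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($body | ConvertTo-Json -Depth 5)
        if ($resp.StatusCode -notin 200, 201) {
            throw "Deployment of '$($rule.displayName)' failed: $($resp.StatusCode) $($resp.Content)"
        }
        Write-Verbose "Deployed '$($rule.displayName)' (enabled=$($body.properties.enabled))"
    }
}

# Usage: Deploy-ThreatIntelRule -TemplateJson (Get-Content .\ti-rule.json -Raw) `
#   -SubscriptionId '<subscription-id>' -ResourceGroup '<resource-group>' -Workspace '<workspace-name>'
```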