Merged
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,18 @@
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "ExpirationDateTime",
"Type": "datetime"
},
{
"Name": "NetworkIP",
"Type": "string"
},
{
"Name": "ThreatType",
"Type": "string"
}
]
}
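Review bot: the three appended columns (ExpirationDateTime, NetworkIP, ThreatType) reuse the legacy ThreatIntelligenceIndicator column names rather than anything specific to the new table; if this JSON is a table schema consumed by query validation, confirm that the live ThreatIntelIndicators table actually exposes columns under exactly these names and types (datetime/string/string), otherwise a query can validate here against fields that do not exist at runtime. A one-line comment or commit note stating which table this schema mirrors would make that intent reviewable.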
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ requiredDataConnectors:
- CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
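Review bot: only the requiredDataConnectors metadata changes in this hunk; the KQL query that actually joins against the indicator table lies outside it, so confirm the query body (and every column it references) was migrated to ThreatIntelIndicators as well, otherwise the rule advertises a data type it never reads. This rule also declares only the MicrosoftDefenderThreatIntelligence connector, whereas the other rule files in this patch declare ThreatIntelligence and ThreatIntelligenceTaxii alongside it; if the query works for indicators from any source, add those two entries here for consistency.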
Expand Down Expand Up @@ -77,5 +77,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.5
version: 1.0.6
kind: Scheduled
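Review bot: the bump from 1.0.5 to 1.0.6 is patch-level, but replacing the rule's required data type with ThreatIntelIndicators changes what the rule depends on; if the repository reserves patch bumps for fixes that do not alter inputs, a minor bump (1.1.0) would let consumers spot the table migration from the version alone. The same question applies to each version hunk in this patch.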
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@ severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -72,5 +72,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: PA_Url
version: 1.4.3
version: 1.4.4
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- DeviceNetworkEvents
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -75,5 +75,5 @@ entityMappings:
fieldMappings:
- identifier: CommandLine
columnName: InitiatingProcessCommandLine
version: 1.0.3
version: 1.0.4
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- DnsEvents
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -91,5 +91,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.4.5
version: 1.4.6
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- EmailEvents
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -60,5 +60,5 @@ entityMappings:
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
version: 1.0.3
version: 1.0.4
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- EmailUrlInfo
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -85,5 +85,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.0.4
version: 1.0.5
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- CommonSecurityLog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -102,5 +102,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: PA_Url
version: 1.4.3
version: 1.4.4
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftCloudAppSecurity
dataTypes:
- SecurityAlert
Expand All @@ -18,7 +18,7 @@ requiredDataConnectors:
- SecurityAlert
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
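Review bot: with this hunk all three TI connector entries in the file (ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence) declare ThreatIntelIndicators while the MicrosoftCloudAppSecurity entry keeps SecurityAlert, which is correct since that connector is not an indicator feed. Because the rename is spread over two hunks (@@ -6,10 and @@ -18,7), double-check the elided lines 16-17 between them for a further ThreatIntelligenceIndicator reference that the diff does not show.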
Expand Down Expand Up @@ -80,5 +80,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.4.4
version: 1.4.5
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- Syslog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -96,5 +96,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.4.5
version: 1.4.6
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,13 @@ requiredDataConnectors:
- CommonSecurityLog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -82,5 +82,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC
alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{Type}}. Consult the threat intelligence blade for more information on the indicator.
version: 1.0.9
version: 1.0.10
kind: Scheduled
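Review bot: alertDisplayNameFormat and alertDescriptionFormat interpolate {{SrcIpAddr}}, {{domain}}, {{Url}} and {{Type}}, which must be populated by the customDetails block immediately above this hunk; since the indicator source table changed in the earlier hunk of this file, verify the query still projects the column that feeds Type (the indicator type) from ThreatIntelIndicators, or the alert text will render an empty placeholder. The description also says "Consult the threat intelligence blade", which is fine, but the bump to 1.0.10 is the only change here, so this is a verification request rather than a defect in the hunk.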
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- AzureActivity
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -72,5 +72,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.10
version: 1.2.11
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ requiredDataConnectors:
- CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
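Review bot: same shape as the other CloudAppEvents rule in this patch: only the MicrosoftDefenderThreatIntelligence connector is listed and the query that reads the indicators is outside the hunk. Confirm the query body was migrated to ThreatIntelIndicators, and decide whether ThreatIntelligence and ThreatIntelligenceTaxii should be declared here too, as they are in the other rule files, so the two CloudAppEvents rules do not diverge in their advertised data sources.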
Expand Down Expand Up @@ -52,5 +52,5 @@ entityMappings:
columnName: User_Id
- identifier: UPNSuffix
columnName: UPNSuffix
version: 1.0.5
version: 1.0.6
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- EmailEvents
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -63,5 +63,5 @@ entityMappings:
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
version: 1.0.4
version: 1.0.5
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- OfficeActivity
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -75,5 +75,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.10
version: 1.2.11
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- CommonSecurityLog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -71,5 +71,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.8
version: 1.2.9
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ requiredDataConnectors:
- SecurityAlert
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
Expand Down Expand Up @@ -80,5 +80,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.10
version: 1.2.11
kind: Scheduled