https://github.com/microsoft/mstic/tree/master/RapidReleaseTI

Last updated four months ago. Microsoft published multiple analytic rules in Sentinel that use this list as basis for detection and they are increasingly firing off false positives.
Maybe update the list or deprecate the analytic rules in Sentinel relating to RapidTI rules?

My suggestion would be to change all those analytic rules to just use the ThreatIntelligenceIndicator table, and then CTI personnel can spend time maintaining all IOCs within the ThreatIntelligenceTable, which would typically be from MISP, TAXII servers etc.

Spelling of Nobelium has changed in the file name - Note - Double "L"
NEW - Indicators/May21-NOBELLIUM/May21NOBELLIUMIoCs.csv
PREVIOUS - Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv

This is causing issues in rules linking to the raw content

I believe the Github actions bot that updated the IP address ranges from Azure has stopped working correctly. The last time it was updated was 3 weeks ago, and previously it was updated every week.

https://github.com/microsoft/mstic/commits/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json

I believe it has also stopped working in Sentinel repository.

Hi, really appreciate you maintaining this list, we use it in Sentinel analytic rules for alerting on NordVPN activity. I was wondering if you plan on creating similar lists for Telegram and CactusVPN servers ?

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request