Azure Firewall Threat Intelligence-based filtering alerts and denies traffic from and to known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When enabled, Azure Firewall evaluates traffic against threat intelligence rules before applying network address translation (NAT), network, or application rules. This check verifies that Threat Intelligence is enabled in "Alert and deny" mode in the Azure Firewall policy. Without this feature enabled, the environment remains exposed to known malicious IPs, domains, and URLs, creating risk of compromise or data exfiltration.
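One way to run this check over exported policy objects is shown below. It is an added example, not the code behind the check described here. It reads the ARM `threatIntelMode` property (`Off`, `Alert`, `Deny`, where `Deny` is the portal's "Alert and deny"), and it assumes a missing value counts as `Off` and that a child policy is at least as strict as its `basePolicy`; the policy names and resource IDs are constructed.

```python
# ARM threatIntelMode values by strictness; "Deny" is the portal's "Alert and deny".
RANK = {"off": 0, "alert": 1, "deny": 2}
NAMES = ["off", "alert", "deny"]

# Constructed resource-ID prefix (placeholder subscription and resource group).
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-example/providers/Microsoft.Network/firewallPolicies/")

# Constructed sample policies, in both flattened (CLI-style) and nested (ARM-style) shapes.
SAMPLE = [
    {"id": PREFIX + "base", "name": "base", "threatIntelMode": "Deny"},
    {"id": PREFIX + "child", "name": "child",
     "properties": {"threatIntelMode": "Alert",
                    "basePolicy": {"id": PREFIX + "BASE"}}},
    {"id": PREFIX + "alert-only", "name": "alert-only", "threatIntelMode": "Alert"},
    {"id": PREFIX + "disabled", "name": "disabled", "threatIntelMode": "Off"},
    {"id": PREFIX + "unset", "name": "unset"},
]

def _props(policy):
    # ARM nests settings under "properties"; CLI output flattens them.
    return policy.get("properties", policy)

def effective_mode(policy, by_id, seen=None):
    """Strictest mode across the policy and its base-policy chain."""
    seen = set() if seen is None else seen
    # Assumption: a missing or unrecognised value is treated as Off.
    own = str(_props(policy).get("threatIntelMode") or "Off").lower()
    rank = RANK.get(own, 0)
    # Azure resource IDs are case-insensitive, so compare lowercased.
    pid = ((_props(policy).get("basePolicy") or {}).get("id") or "").lower()
    if pid and pid in by_id and pid not in seen:
        seen.add(pid)  # guards against a malformed circular reference
        # Assumption: the child is at least as strict as its base policy.
        rank = max(rank, RANK[effective_mode(by_id[pid], by_id, seen)])
    return NAMES[rank]

def audit(policies):
    """Map each policy name to PASS only when its effective mode is Deny."""
    by_id = {p.get("id", "").lower(): p for p in policies}
    return {p["name"]: "PASS" if effective_mode(p, by_id) == "deny" else "FAIL"
            for p in policies}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict}  {name}")
```

A base policy that is not present in the export cannot be resolved, so the child is judged on its own value alone.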