What Changed
The Threat Intelligence solution's imDns_IPEntity_DnsEvents detection rule was updated from version 1.2.9 to 1.2.10, correcting the alert description field mapping from {{Type}} to {{ThreatType}}.
Detection Logic
KQL logic unavailable — YAML not included in diff context.
Security Impact (Visibility & Fidelity)
The alert description format referenced a non-existent {{Type}} field, causing DNS-based threat intelligence alerts to display incomplete context about IP indicators. This prevented SOC analysts from understanding the specific threat classification (malware C2, phishing infrastructure, botnet, etc.) directly from alert descriptions, requiring additional investigation steps to determine threat context.
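The defect class here is a template placeholder that names a column the rule's query never outputs. The following is an added example, not code from the page or from the Sentinel content repository: a small lint that extracts every {{Field}} placeholder from a rule's alertDetailsOverride templates and reports those absent from the query's final project clause. The rule dict, its stand-in KQL and the rule id are constructed for illustration; the page does not include the real query.

```python
import re

# Constructed stand-in for the pre-fix rule. The query is NOT the real
# imDns_IPEntity_DnsEvents KQL (not present on the page); it only needs a
# final project clause for the lint to inspect.
RULE_BEFORE = {
    "id": "PLACEHOLDER-RULE-ID",
    "version": "1.2.9",
    "query": """
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| join kind=inner (_Im_Dns) on $left.NetworkIP == $right.DnsResponseName
| project TimeGenerated, Description, ThreatType, ConfidenceScore, NetworkIP, IndicatorId
""",
    "alertDetailsOverride": {
        # {{Type}} is the bug described above: no such output column exists.
        "alertDescriptionFormat": "TI map IP entity to DNS: {{Type}} indicator {{NetworkIP}} observed",
    },
}

# Post-fix variant: same rule, placeholder renamed to the real ThreatType column.
RULE_AFTER = {**RULE_BEFORE, "version": "1.2.10", "alertDetailsOverride": {
    "alertDescriptionFormat": "TI map IP entity to DNS: {{ThreatType}} indicator {{NetworkIP}} observed",
}}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def projected_columns(kql: str) -> set[str]:
    """Heuristic: column names (or aliases) listed in the final `| project` clause."""
    clauses = re.findall(r"\|\s*project\s+(.+)", kql)
    if not clauses:
        return set()
    # `Alias = expr` projects the alias; plain `Col` projects the column itself.
    return {c.strip().split("=")[0].strip() for c in clauses[-1].split(",")}

def unresolved_placeholders(rule: dict) -> dict[str, list[str]]:
    """Map each templated alertDetailsOverride key to placeholders the query does not output."""
    cols = projected_columns(rule["query"])
    problems: dict[str, list[str]] = {}
    for key, template in rule.get("alertDetailsOverride", {}).items():
        if not isinstance(template, str):
            continue  # e.g. list-valued alertDynamicProperties; not a text template
        missing = [p for p in PLACEHOLDER.findall(template) if p not in cols]
        if missing:
            problems[key] = missing
    return problems

if __name__ == "__main__":
    print("before:", unresolved_placeholders(RULE_BEFORE))  # flags Type
    print("after: ", unresolved_placeholders(RULE_AFTER))   # empty
```

Running this over every rule YAML in a solution before merge would have caught the 1.2.9 description template, since {{Type}} never resolves against the projected columns.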
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml