What Changed
Updated lookback periods in the EmailEntity_CloudAppEvents_Updated analytic rule to fix query timing alignment issues. The dt_lookBack period was reduced from 10 days to 1 hour, and ioc_lookBack from 30 days to 14 days to match the rule’s configured query period and frequency.
Detection Logic
- Primary data source: ThreatIntelIndicators joined with CloudAppEvents
- Core logic: Joins active threat intelligence email indicators against cloud application events on the User field, keeping only values that match an email-address regex
- Entity types mapped: Account (User_Id, UPNSuffix)
- Detection timing: Now aligned with the 1-hour query window; previously the 10-day data lookback did not match the rule's schedule
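The join pattern described above, sketched in KQL with the two lookback constants set to the new values. This is an added illustration, not the rule's own query; the column names (ObservableKey, ObservableValue, IsActive, ValidUntil, AccountDisplayName, Application, ActionType) and the `email-addr` key prefix are assumptions about the ThreatIntelIndicators and CloudAppEvents schemas.

```kql
// Added illustration of the lookback alignment; not the analytic rule's query.
let dt_lookBack  = 1h;   // event window: should equal the rule's queryPeriod
let ioc_lookBack = 14d;  // how far back an indicator may have been ingested
let emailRegex = @"^[\w.+-]+@[\w-]+\.[\w.-]+$";
let emailIocs = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | where ObservableKey startswith "email-addr"      // assumption: STIX-style key
    | summarize arg_max(TimeGenerated, *) by Id        // latest version of each indicator
    | extend User = tolower(ObservableValue)
    | project IndicatorId = Id, User, Confidence, IndicatorTime = TimeGenerated;
CloudAppEvents
| where TimeGenerated >= ago(dt_lookBack)              // only the current query window
| extend User = tolower(AccountDisplayName)            // assumption: field joined as User
| where User matches regex emailRegex                  // drop non-email principals
| join kind=innerunique emailIocs on User
// Split the matched address into the two Account entity fields the rule maps
| extend User_Id = tostring(split(User, "@")[0]),
         UPNSuffix = tostring(split(User, "@")[1])
| project TimeGenerated, User, User_Id, UPNSuffix, Application, ActionType,
          IndicatorId, Confidence, IndicatorTime
```

With dt_lookBack equal to the query period, each hourly run sees only new events, so an indicator that is still active is not re-raised against the same ten days of history on every run.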
MITRE Mapping
- T1566: Phishing (email-based threat intelligence correlation)
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
(packaging artefacts: Solution_ThreatIntelligenceUpdated.json, mainTemplate.json, createUiDefinition.json, 3.0.9.zip, ReleaseNotes.md)