What Changed
Fixed the broken IP entity detection rule for AppService HTTP logs by adding the missing AlertPriority column to the query output; that column is the one the rule's alertDetailsOverride configuration references.
Security Impact (Visibility & Fidelity)
The IPEntity_AppServiceHTTPLogs analytic rule did not deploy at all: its alertDetailsOverride referenced an AlertPriority column that the query never output. Deployments using Threat Intelligence solution v3.1.2 or earlier therefore could not create this detection rule, leaving a complete detection blind spot for threat intelligence indicators matching AppService HTTP logs. Per the PR discussion, the template failed to upload in the UI without this fix.
Detection Logic
Primary data source: AppServiceHTTPLogs joined with ThreatIntelligenceIndicator
- Correlates inbound client IP addresses from AppService HTTP logs against active (unexpired) threat intelligence indicators
- The query's final projection now includes the AlertPriority field, so the severity mapping has a column to read
- alertDetailsOverride.alertSeverityColumnName points at AlertPriority, so each alert's severity is taken from that column instead of the rule's static severity
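The shape of the rule this fix concerns, as an added illustration rather than the project's IPEntity_AppServiceHTTPLogs.yaml: the page does not show the rule's query, so the rule id, lookback windows, the exact output columns and the ConfidenceScore-to-AlertPriority mapping below are assumptions chosen for the example. The point it demonstrates is the one the fix addresses: the column named by alertSeverityColumnName has to survive the query's final projection.

```yaml
# Illustrative Sentinel scheduled analytic rule (not the project's own file).
# id, windows, output columns and the priority mapping are assumptions.
id: 00000000-0000-0000-0000-000000000000   # placeholder, assumption
name: TI map IP entity to AppServiceHTTPLogs (illustrative)
description: Identifies a match in AppServiceHTTPLogs from an IP address in a threat intelligence indicator.
severity: Medium                            # default; overridden per alert below
kind: Scheduled
queryFrequency: 1h                          # assumption
queryPeriod: 1h                             # assumption
triggerOperator: gt
triggerThreshold: 0
query: |
  let dt_lookBack = 1h;          // assumption: AppService log window
  let ioc_lookBack = 14d;        // assumption: indicator ingestion window
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  // keep only the latest record per indicator, then only active ones
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true
  | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
       or isnotempty(NetworkDestinationIP) or isnotempty(EmailSourceIpAddress)
  // coalesce() returns the first non-empty string
  | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP, EmailSourceIpAddress)
  // assumption: derive the per-alert severity from indicator confidence;
  // values must be one of High / Medium / Low / Informational
  | extend AlertPriority = case(ConfidenceScore >= 80, "High",
                                ConfidenceScore >= 50, "Medium",
                                "Low")
  | join kind=innerunique (
      AppServiceHTTPLogs
      | where TimeGenerated >= ago(dt_lookBack)
      | where isnotempty(CIp)
      | extend AppService_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.CIp
  // ignore hits that occurred after the indicator expired
  | where AppService_TimeGenerated < ExpirationDateTime
  | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp
  // AlertPriority must be in this projection: alertSeverityColumnName below
  // names it, and the rule template fails to create if the column is absent
  | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId,
            ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity,
            CIp, CsHost, CsUriStem, CsMethod, ScStatus, UserAgent, AlertPriority
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: CIp
alertDetailsOverride:
  # every column referenced here must exist in the query's output
  alertSeverityColumnName: AlertPriority
version: 1.0.0                              # assumption
```

A quick check before packaging a rule like this: run the query body in Log Analytics and confirm that AlertPriority appears in the result schema and only ever holds High, Medium, Low or Informational; any other value, or a missing column, is what turns a working detection into a template that cannot be created.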
Affected Files
Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.1.3.zip, Solution_ThreatIntelligenceTemplateSpec.json, ReleaseNotes.md)