What Changed

Fixed a broken logic condition in the IPEntity_CloudAppEvents_Updated analytic rule by removing an erroneous OR clause that caused the rule to always evaluate to true.

Security Impact (Visibility & Fidelity)

The IPEntity_CloudAppEvents detection was completely broken due to a malformed logic condition. The OR clause caused the rule to fire on ALL IP addresses, including revoked or deleted threat intelligence indicators, generating a massive volume of false-positive alerts. This created alert fatigue and masked legitimate threats in environments deploying the Threat Intelligence (NEW) solution.

Detection Logic

Primary data source: CloudAppEvents joined with ThreatIntelligenceIndicator

  • Removed the OR isnotempty(NetworkSourceIP) condition that bypassed proper indicator validation
  • Query now correctly filters for active indicators only (IsActive and ValidUntil checks)
  • Logic aligned with similar threat intelligence analytic rules
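The shape of the defect and the fix, as an added KQL illustration rather than the rule's actual YAML: the only names taken from this PR are IsActive, ValidUntil and NetworkSourceIP; the ThreatIntelIndicators / CloudAppEvents column names, the observable-key prefixes and the lookback windows are assumptions.

```kql
// Added illustration, not the rule's own query. Table and column names other than
// IsActive, ValidUntil and NetworkSourceIP are assumptions, not taken from the PR.
let dt_lookBack = 1h;    // assumed event lookback
let ioc_lookBack = 14d;  // assumed indicator lookback
// Indicator side: keep only IP observables that are still active and unexpired.
let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where ObservableKey startswith "ipv4-addr" or ObservableKey startswith "ipv6-addr"
    | extend NetworkSourceIP = ObservableValue
    // BEFORE (broken): the trailing OR is true for every row that has an IP at all,
    // so revoked and expired indicators are never filtered out and every match alerts.
    // | where (IsActive == true and ValidUntil > now()) or isnotempty(NetworkSourceIP)
    // AFTER (fixed): only active indicators whose validity window has not closed.
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by NetworkSourceIP;
// Event side: join cloud-app activity on the source IP and keep only events that
// occurred after the indicator was last updated.
IP_Indicators
| join kind=innerunique (
    CloudAppEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(IPAddress)
    | extend CloudAppEvents_TimeGenerated = TimeGenerated
  ) on $left.NetworkSourceIP == $right.IPAddress
| where CloudAppEvents_TimeGenerated >= TimeGenerated
| project CloudAppEvents_TimeGenerated, NetworkSourceIP, ValidUntil,
          ActionType, Application, AccountDisplayName
```

A quick fidelity check after deploying the fix is to run the IP_Indicators subquery with the old and the new where clause and compare row counts: the fixed version should return strictly fewer rows whenever the feed contains revoked or expired indicators.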

Affected Files

Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.10.zip, Solution_ThreatIntelligenceUpdated.json, ReleaseNotes.md)