What Changed
Threat Intelligence solution updated to standardise alert severity field naming and improve query performance in IP entity detection rules.
Detection Logic
Updated IPEntity_AppServiceHTTPLogs analytic rule:
- Renamed AlertPriority field to standard Severity field for consistency with Microsoft Sentinel alerting conventions
- Removed duplicate time filter that caused unnecessary query overhead
- Maintained confidence score thresholds: High (>82), Medium (>74), Low (≤74)
- Updated rule version from 1.5.7 to 1.5.8
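A sketch of the rule shape these changes describe, as an added illustration rather than the solution's actual query: one time window per table, a client-IP join against active indicators, and the Severity field derived with the stated thresholds. Column names (CIp, NetworkIP, ConfidenceScore, IndicatorId) are assumed from the standard AppServiceHTTPLogs and ThreatIntelligenceIndicator schemas, and the look-back windows are assumed values.

```kql
// Added illustration, not the rule's own query. Shows the pattern the change
// notes describe: a single time filter per side, a TI join on client IP, and
// a Severity column (not AlertPriority) mapped from ConfidenceScore.
let dt_lookBack  = 1h;   // assumed window for the App Service log side
let ioc_lookBack = 14d;  // assumed window for the indicator side
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true and isnotempty(NetworkIP)
// keep only the most recent record per indicator
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| join kind=innerunique (
    AppServiceHTTPLogs
    // one time filter only: a second identical where clause adds cost, not selectivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(CIp)
    | extend AppService_TimeGenerated = TimeGenerated
) on $left.NetworkIP == $right.CIp
// the request must post-date the indicator observation
| where AppService_TimeGenerated >= TimeGenerated
// thresholds as stated: High (>82), Medium (>74), Low (<=74)
| extend Severity = case(ConfidenceScore > 82, "High",
                         ConfidenceScore > 74, "Medium",
                         "Low")
| project AppService_TimeGenerated, CIp, NetworkIP, ConfidenceScore, Severity,
          Description, ThreatType
```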
Security Impact (Visibility & Fidelity)
No change to detection logic or coverage — this is a field standardisation and performance optimisation. Existing detections continue to identify malicious IP addresses in App Service HTTP logs with the same fidelity.
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml (packaging artefacts: mainTemplate.json, ReleaseNotes.md)