What Changed

Global Secure Access solution updated to version 3.0.2 with three new threat intelligence correlation analytic rules and one new MCP (Model Context Protocol) monitoring workbook.

Detection Logic

Three new analytic rules added for threat intelligence correlation:

  • TI Map Domain Entity: Correlates domain-name IOCs from ThreatIntelIndicators with NetworkAccessTraffic DestinationFqdn, targeting C2 communication to known-bad domains
  • TI Map IP Entity: Matches IP IOCs from ThreatIntelIndicators against NetworkAccessTraffic DestinationIp to flag traffic to known-bad addresses
  • TI Map URL Entity: Matches URL IOCs from ThreatIntelIndicators against NetworkAccessTraffic DestinationUrl to flag web-based threats

On each run, all three rules scan the most recent 1-hour window of NetworkAccessTraffic and match it against indicators ingested during the previous 14 days; every match is mapped to MITRE ATT&CK T1071 (Application Layer Protocol) as command-and-control detection.
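The shape of the domain-entity correlation, written as an added KQL example rather than copied from the solution's own rule YAML. The 1-hour traffic window and 14-day indicator lookback follow the description above; the ThreatIntelIndicators columns (ObservableKey, ObservableValue, IsActive, ValidUntil, Confidence, Id) and the NetworkAccessTraffic user and device columns (UserPrincipalName, DeviceName, SourceIp, Action) are assumptions to confirm against your workspace schema before deploying:

```kql
// Added example, not the packaged rule. Column names outside DestinationFqdn are assumptions.
let dt_lookBack  = 1h;    // traffic window scanned on each run
let ioc_lookBack = 14d;   // how far back to pull indicators
let DomainTI = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    // ObservableKey is "<stix-type>:<value>"; keep only domain-name indicators
    | where ObservableKey startswith "domain-name:"
    // drop revoked or expired indicators so stale IOCs do not page anyone
    | where IsActive == true and ValidUntil > now()
    // keep the newest version of each indicator so an updated IOC matches once
    | summarize arg_max(TimeGenerated, *) by Id
    | project IndicatorId = Id,
              DomainName  = tolower(ObservableValue),
              Confidence,
              IndicatorTime = TimeGenerated;
NetworkAccessTraffic
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationFqdn)
// normalise case and a trailing dot so "Evil.Example." still matches "evil.example"
| extend DomainName = tolower(trim_end(@"\.", DestinationFqdn))
| join kind=inner DomainTI on DomainName
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count()
    by DomainName, IndicatorId, Confidence, UserPrincipalName, DeviceName, SourceIp, Action
| order by Confidence desc, LastSeen desc
```

The IP and URL variants keep the same structure and swap the indicator filter (`ObservableKey startswith "ipv4-addr:"` or `"url:"`) and the join column (DestinationIp or DestinationUrl). Two things worth checking on the URL rule in particular: whether the indicator carries a scheme and trailing slash that DestinationUrl does not, and whether an exact join is what you want or a `has`-style containment match that would also catch query-string variants.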

MITRE Mapping

  • T1071: Application Layer Protocol - All three rules detect command-and-control communication over standard application protocols, using the Global Secure Access traffic logs in NetworkAccessTraffic as the data source.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessTraffic.json
Solutions/Global Secure Access/Analytic Rules/GSA - TI Domain Entity.yaml
Solutions/Global Secure Access/Analytic Rules/GSA - TI IP Entity.yaml
Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml
Solutions/Global Secure Access/Package/testParameters.json
Solutions/Global Secure Access/Workbooks/GSAMCPInsights.json
Workbooks/Images/Preview/GSAMCPInsightsBlack.png
Workbooks/Images/Preview/GSAMCPInsightsWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, createUiDefinition.json, mainTemplate.json)