What Changed
Fixed critical configuration mismatch in SWG Abnormal Deny Rate analytic rule where queryPeriod (25h) was insufficient for the defined 5-day learning window.
Security Impact (Visibility & Fidelity)
Detection logic broken due to insufficient historical data: The rule defines a 5-day learning period for baseline computation but was only retrieving 25 hours of data, preventing proper baseline establishment for anomaly detection.
Root cause: queryPeriod = 25h could not provide sufficient historical data for LearningPeriod = 5d baseline calculation, causing the rule to operate with incomplete or invalid baselines.
Current state: Updated queryPeriod to 7d ensures full coverage of the 5-day learning window with buffer, enabling proper statistical baseline computation for detecting abnormal deny rates in Global Secure Access traffic.
Detection Logic
Primary data source: NetworkAccessTrafficLogs from Global Secure Access connector. The rule now properly retrieves 7 days of data to establish baselines for source-to-destination IP deny rate patterns, enabling detection of suspicious traffic blocking patterns that may indicate reconnaissance or attack attempts.
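As an added example (not the project's rule or any code from this PR), a small Python pre-commit style check that catches this class of mismatch before a rule ships: it reads queryPeriod and queryFrequency from a rule YAML, pulls the `let LearningPeriod = ...;` literal out of the KQL, and flags a lookback shorter than the learning window. The rule text below is a constructed stand-in for the real YAML, and the `LearningPeriod` variable name is assumed from the description above.

```python
import re

# Constructed stand-in for a Sentinel scheduled-rule YAML; not the project's actual rule text.
RULE_BEFORE = """\
name: SWG - Abnormal Deny Rate
queryFrequency: 1h
queryPeriod: 25h
query: |
  let LearningPeriod = 5d;
  NetworkAccessTrafficLogs
  | where TimeGenerated > ago(LearningPeriod)
"""
RULE_AFTER = RULE_BEFORE.replace("queryPeriod: 25h", "queryPeriod: 7d")

_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440}
MAX_QUERY_PERIOD_MIN = 14 * 1440  # Sentinel scheduled rules cannot look back further than 14 days


def parse_duration(text: str) -> int:
    """Convert a Sentinel/KQL timespan literal such as '25h' or '5d' to minutes."""
    m = re.fullmatch(r"\s*(\d+)([mhd])\s*", text)
    if not m:
        raise ValueError(f"unsupported duration literal: {text!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def check_rule(rule_yaml: str) -> list[str]:
    """Return findings about the rule's lookback settings; an empty list means consistent."""
    def field(name: str):
        m = re.search(rf"^{name}:\s*(\S+)\s*$", rule_yaml, re.M)
        return m.group(1) if m else None

    learning = re.search(r"let\s+LearningPeriod\s*=\s*(\d+[mhd])\s*;", rule_yaml)
    period, freq = field("queryPeriod"), field("queryFrequency")
    if period is None or learning is None:
        return ["queryPeriod or LearningPeriod literal not found"]
    period_min, learn_min = parse_duration(period), parse_duration(learning.group(1))
    findings = []
    if period_min < learn_min:
        findings.append(f"queryPeriod {period} is shorter than LearningPeriod "
                        f"{learning.group(1)}: the baseline is computed from truncated data")
    if period_min > MAX_QUERY_PERIOD_MIN:
        findings.append(f"queryPeriod {period} exceeds the 14-day lookback limit")
    if freq is not None and period_min < parse_duration(freq):
        findings.append("queryPeriod is shorter than queryFrequency: events between runs are never scanned")
    return findings


if __name__ == "__main__":
    for label, text in (("before", RULE_BEFORE), ("after", RULE_AFTER)):
        print(label, check_rule(text) or "ok")
```

Running it against the constructed "before" text reports the 25h-versus-5d mismatch; the "after" text passes cleanly.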
Impact Assessment
This was a data fidelity gap affecting anomaly detection accuracy — the rule would either fail to generate meaningful baselines or produce false positives due to insufficient statistical foundation.
Affected Files
Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
(packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, mainTemplate.json)