What Changed
Microsoft optimized the TI map Domain entity to EmailUrlInfo analytic rule (version 1.0.5 → 1.0.6) by reordering the query logic so that threat intelligence records are deduplicated earlier in the processing pipeline and the join operations are simplified.
Detection Logic
Primary data source: ThreatIntelligenceIndicator joined with EmailUrlInfo. The core logic processes URL- and domain-based threat indicators by applying summarize arg_max by Id, ObservableValue to keep the latest record per indicator, then filtering for active indicators. Entity types mapped include URL and IP entities from the threat intelligence indicators.
Security Impact (Visibility & Fidelity)
The query reordering introduces a potential detection blind spot identified in code review: if the most recent TI record for a given indicator ID is inactive/expired but an earlier record is still valid, the arg_max operation keeps the inactive record and subsequent filtering removes it entirely. This could result in missing threat intelligence matches against active indicators that would have been caught by the previous logic.
Additionally, the removal of timestamp validation and summarize operations on email data may produce nondeterministic results when multiple EmailUrlInfo records exist for the same URL, potentially affecting match reliability.
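To make the ordering difference concrete, the following constructed Python simulation (added here; it is not the rule's KQL or Microsoft's code) runs a small ThreatIntelligenceIndicator history through both orderings and joins the result against duplicated EmailUrlInfo hosts. The "filter first" variant is an assumed reconstruction of the previous logic, which this summary does not quote, and the expiry column name is assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def ts(month, day):  # constructed UTC timestamp helper
    return datetime(2024, month, day, tzinfo=timezone.utc)
NOW = ts(6, 1)  # constructed evaluation time for the active/expiry check

@dataclass(frozen=True)
class TiRow:
    id: str                   # Id
    observable: str           # ObservableValue (a domain here)
    time_generated: datetime  # TimeGenerated
    active: bool              # Active
    expires: datetime         # expiry column (name assumed)

def arg_max_by_indicator(rows):
    """Keep the latest TimeGenerated row per (Id, ObservableValue), like summarize arg_max."""
    latest = {}
    for r in rows:
        key = (r.id, r.observable)
        if key not in latest or r.time_generated > latest[key].time_generated:
            latest[key] = r
    return list(latest.values())

def is_active(r, now=NOW):
    return r.active and r.expires > now

def dedupe_then_filter(rows, now=NOW):
    """New ordering (1.0.6): arg_max first, then drop inactive or expired rows."""
    return {r.observable for r in arg_max_by_indicator(rows) if is_active(r, now)}

def filter_then_dedupe(rows, now=NOW):
    """Assumed previous ordering: drop inactive rows first, then arg_max."""
    return {r.observable for r in arg_max_by_indicator([r for r in rows if is_active(r, now)])}

def match_email_hosts(indicators, hosts):
    """Join email URL hosts against the indicator set; duplicate EmailUrlInfo rows yield duplicate matches."""
    return [h for h in hosts if h in indicators]

# Constructed TI history: ind-0001 received a newer inactive row; ind-0002 stays active.
TI_ROWS = [
    TiRow("ind-0001", "bad.example", ts(5, 1), True, ts(12, 31)),
    TiRow("ind-0001", "bad.example", ts(5, 20), False, ts(12, 31)),
    TiRow("ind-0002", "evil.example", ts(5, 2), True, ts(12, 31)),
]
# Constructed EmailUrlInfo hosts: evil.example appears twice (no summarize on the email side).
EMAIL_HOSTS = ["bad.example", "evil.example", "evil.example", "benign.example"]

if __name__ == "__main__":
    print(dedupe_then_filter(TI_ROWS), filter_then_dedupe(TI_ROWS))
```

Running it shows bad.example surviving only under the filter-first ordering, and evil.example matched twice because the duplicate email row is never collapsed.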
MITRE Mapping
MITRE mapping unavailable — the YAML diff does not include the relevantTechniques field.
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
(packaging artefacts: 3.0.16.zip, ReleaseNotes.md, mainTemplate.json)