What Changed
The "TI map Domain entity to SecurityAlert" analytic rule has been updated with a self-exclusion filter that prevents recursive alert generation. The rule now filters its own alerts out of the SecurityAlert table before processing, breaking a feedback loop in which the rule's output became its own input.
Detection Logic
- Primary data source: SecurityAlert table (14-day lookback)
- Core logic: Extracts domain entities from SecurityAlert records, joins against ThreatIntelligenceIndicator table for known malicious domains, requires active indicators with confidence ≥ 50
- Key fix: Added a | where AlertName != "TI map Domain entity to SecurityAlert" filter to exclude the rule's own alerts from the source data (the exclusion keys on the rule's display name, so a renamed or cloned copy of the rule needs the literal adjusted to match)
- Entity types mapped: IP and URL entities from both the original alert and the matched threat intelligence indicator
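The following Python model is an added illustration of the feedback loop described above and of how the self-exclusion filter breaks it; it is not the rule's KQL and not code from the Azure Sentinel repository. It models SecurityAlert and ThreatIntelligenceIndicator as in-memory rows (constructed sample data), runs the rule's join logic (active indicators with confidence at or above 50) on a schedule, and counts how many alerts each execution writes back into the table, with and without the filter. The window size and run counter stand in for the real TimeGenerated lookback and are assumptions of the model.

```python
"""Model of the SecurityAlert -> ThreatIntelligenceIndicator domain match and
the self-exclusion filter. Added illustration with constructed data; not the
analytic rule's own KQL."""
from dataclasses import dataclass

RULE_NAME = "TI map Domain entity to SecurityAlert"
MIN_CONFIDENCE = 50  # the rule requires ConfidenceScore >= 50


@dataclass(frozen=True)
class Alert:
    name: str    # AlertName
    domain: str  # domain entity extracted from the alert's Entities
    run: int     # scheduled run that wrote the row (stand-in for TimeGenerated)


@dataclass(frozen=True)
class Indicator:
    domain: str      # DomainName
    confidence: int  # ConfidenceScore
    active: bool     # Active


# Constructed seed data: two third-party alerts, three indicators.
SEED_ALERTS = [
    Alert("Suspicious DNS request", "evil.example", run=0),
    Alert("Phishing email reported", "benign.example", run=0),
]
INDICATORS = [
    Indicator("evil.example", 80, True),
    Indicator("benign.example", 30, True),   # below the confidence threshold
    Indicator("evil.example", 95, False),    # inactive (expired) indicator
]


def malicious_domains(indicators):
    """Domains the rule treats as matches: active and confidence >= 50."""
    return {i.domain for i in indicators if i.active and i.confidence >= MIN_CONFIDENCE}


def run_rule(table, current_run, lookback, self_exclude):
    """One scheduled execution: read SecurityAlert rows inside the lookback
    window, optionally drop the rule's own alerts, join against the TI table
    and emit one new SecurityAlert row per matching source alert."""
    source = [a for a in table if a.run >= current_run - lookback]
    if self_exclude:
        # The fix: | where AlertName != "TI map Domain entity to SecurityAlert"
        source = [a for a in source if a.name != RULE_NAME]
    hits = malicious_domains(INDICATORS)
    return [Alert(RULE_NAME, a.domain, run=current_run) for a in source if a.domain in hits]


def simulate(runs, lookback, self_exclude):
    """Run the rule `runs` times against a table it also writes to; return the
    number of alerts produced by each run."""
    table = list(SEED_ALERTS)
    produced = []
    for r in range(1, runs + 1):
        new = run_rule(table, r, lookback, self_exclude)
        table.extend(new)  # the rule's output lands in the table it reads
        produced.append(len(new))
    return produced


if __name__ == "__main__":
    # Window of one run: without the filter each run re-alerts on the previous
    # run's output forever; with it the loop ends after the genuine match.
    print("no filter, window=1 :", simulate(5, 1, False))
    print("filter,    window=1 :", simulate(5, 1, True))
    # A long window (the rule keeps a multi-day lookback) makes it worse: every
    # earlier self-generated alert matches again, so the count doubles per run.
    print("no filter, window=14:", simulate(5, 14, False))
    # With the filter the original alert still re-matches while it remains in
    # the window, but the count no longer grows.
    print("filter,    window=14:", simulate(5, 14, True))
```

The long-window case is the one that matters operationally: because self-generated alerts share the matching domain entity, every run multiplies the previous output until the window rolls over, which is the noise and performance cost the release note describes.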
Security Impact (Detection Quality)
This update resolves a recursive alert generation issue in which the rule processed the alerts it had itself generated, producing an unbounded stream of duplicate detections. Prior to this fix, deployments experienced alert noise and potential performance degradation as each run re-matched the rule's earlier output against the same indicators. The fix improves detection quality by ensuring the rule only alerts on third-party SecurityAlert records: a malicious domain indicator now produces an alert for each genuine source alert rather than a cascade fed by the rule's own output.
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml
(packaging artefacts: 3.0.17.zip, ReleaseNotes.md, mainTemplate.json)