What Changed
Updated Global Secure Access solution (v3.0.4) with critical detection fix and enhanced traffic type coverage:
Analytic Rule Fix: GSA - TI URL Entity rule had a broken regex pattern replace(@'[|]|"""', …) that corrupted URL indicator parsing, leaving leading quotation marks in IndicatorType. This caused zero alerts from URL-based threat intelligence detections.
Workbook Enhancement: 25 queries in GSAM365EnrichedEvents.json and 1 query in GSANetworkTraffic.json updated from TrafficType == 'microsoft365' to TrafficType in ('microsoft365', 'entra') to include the new Entra traffic type.
Security Impact
Detection Gap Closed: The TI URL Entity rule was completely non-functional due to regex corruption. Deployments running previous versions had zero threat intelligence coverage for URL indicators since installation — this represents a critical blind spot for web-based threat detection.
Visibility Enhancement: Workbook queries now include Entra traffic type, preventing visibility gaps as Global Secure Access expands traffic categorization. Without this update, Entra-classified traffic would be excluded from security analysis dashboards.
Detection Logic
Primary data source: NetworkAccessTraffic, ThreatIntelligenceIndicator
Core logic: Joins threat intelligence URL indicators against Global Secure Access destination URLs, requiring active indicators with valid TLP levels
Entity types: URL, IP, Account (UserId)
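The following is an added illustration, not code from the solution package: a Python model of the detection logic above and of the workbook filter change, run over a few constructed rows so the effect of the regex defect and of the traffic-type filter can be seen side by side. It assumes a DestinationUrl column for the Global Secure Access side of the join, assumes the corrected pattern strips any quote character rather than only triple quotes, and assumes the set of valid TLP levels is white/green/amber/red; the production logic lives in the rule's KQL, which this does not reproduce.

```python
import re

# Pattern as quoted in the release note: removes pipes and runs of three
# double quotes only, so a single leading quote survives normalisation.
BROKEN_PATTERN = re.compile(r'[|]|"""')
# Assumed corrected form: removes pipes and any double quote.
FIXED_PATTERN = re.compile(r'[|"]')

# Assumed set of acceptable TLP values for an indicator to be eligible.
VALID_TLP = {"white", "green", "amber", "red"}

# Constructed sample rows standing in for ThreatIntelligenceIndicator.
# Feed values arrive quoted and pipe-terminated, the shape the cleanup targets.
TI_INDICATORS = [
    {"IndicatorId": "ti-0001", "Url": '"http://bad.example/payload"|',
     "Active": True, "TrafficLightProtocolLevel": "amber"},
    {"IndicatorId": "ti-0002", "Url": '"http://expired.example/"|',
     "Active": False, "TrafficLightProtocolLevel": "green"},
    {"IndicatorId": "ti-0003", "Url": '"http://untagged.example/"|',
     "Active": True, "TrafficLightProtocolLevel": ""},
]

# Constructed sample rows standing in for NetworkAccessTraffic.
# DestinationUrl is an assumed column name.
TRAFFIC = [
    {"UserId": "user-a", "DestinationUrl": "http://bad.example/payload",
     "TrafficType": "microsoft365"},
    {"UserId": "user-b", "DestinationUrl": "http://bad.example/payload",
     "TrafficType": "entra"},
    {"UserId": "user-c", "DestinationUrl": "http://benign.example/",
     "TrafficType": "internet"},
    {"UserId": "user-d", "DestinationUrl": "http://expired.example/",
     "TrafficType": "microsoft365"},
    {"UserId": "user-e", "DestinationUrl": "http://untagged.example/",
     "TrafficType": "microsoft365"},
]


def normalise_indicator_url(raw, pattern):
    """Strip feed delimiters from a raw indicator value using the given pattern."""
    return pattern.sub("", raw)


def eligible_indicators(indicators, pattern):
    """Map normalised URL -> IndicatorId for active indicators with a valid TLP."""
    lookup = {}
    for ind in indicators:
        if not ind["Active"]:
            continue
        if ind["TrafficLightProtocolLevel"] not in VALID_TLP:
            continue
        lookup[normalise_indicator_url(ind["Url"], pattern)] = ind["IndicatorId"]
    return lookup


def match_traffic(traffic, indicators, pattern):
    """Join traffic destination URLs against eligible indicators; one alert per hit."""
    lookup = eligible_indicators(indicators, pattern)
    alerts = []
    for row in traffic:
        indicator_id = lookup.get(row["DestinationUrl"])
        if indicator_id is not None:
            alerts.append({"IndicatorId": indicator_id,
                           "UserId": row["UserId"],
                           "Url": row["DestinationUrl"],
                           "TrafficType": row["TrafficType"]})
    return alerts


def workbook_rows(traffic, traffic_types):
    """Rows a workbook query keeps under a given TrafficType filter set."""
    return [row for row in traffic if row["TrafficType"] in traffic_types]


if __name__ == "__main__":
    # With the defective pattern the quote survives, the join never matches, zero alerts.
    print("broken:", len(match_traffic(TRAFFIC, TI_INDICATORS, BROKEN_PATTERN)))
    # With the corrected pattern the two visits to the active indicator alert;
    # the inactive and TLP-less indicators are excluded.
    print("fixed:", len(match_traffic(TRAFFIC, TI_INDICATORS, FIXED_PATTERN)))
    # Workbook coverage before and after adding the entra traffic type.
    print("old filter:", len(workbook_rows(TRAFFIC, {"microsoft365"})))
    print("new filter:", len(workbook_rows(TRAFFIC, {"microsoft365", "entra"})))
```

The point the model makes concrete is that a join on an exact string is all-or-nothing: a single stray quote in the normalised indicator is enough to drive the alert count to zero with no error surfaced, which is why a rule of this kind benefits from a regression check that feeds a known-bad URL through the full pipeline and expects one alert.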
MITRE Mapping
Coverage remains unchanged — rule functionality restored rather than expanded.
Affected Files
Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml
Solutions/Global Secure Access/Workbooks/GSAM365EnrichedEvents.json
Solutions/Global Secure Access/Workbooks/GSANetworkTraffic.json
(packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_GlobalSecureAccess.json, mainTemplate.json)