What Changed
Fixed a DCR transform logic error that incorrectly populated the ip_s field with UUID values from malware URL indicators instead of limiting it to actual IP addresses from IP reputation feeds.
Security Impact (Visibility & Fidelity)
The connector was unconditionally setting ip_s=tostring(p.identifier) for all indicator types. For the malware_urls feed, p.identifier contains a UUID (e.g., d483a221-c06b-51a0-b795-2c8caa5afd1a), not an IP address. This resulted in 1,111 malware URL indicators having UUIDs stored in the ip_s field, polluting IP-based queries and analytics.
This was a data fidelity issue, not a functional failure:
- The Cyren High-Risk IP Indicators analytic rule was unaffected because malware URL rows lack risk_d values, so toint(null) >= 80 filtered them out naturally
- IOC-push playbooks to SentinelOne, CrowdStrike, and Defender were already correctly using payload.url for URL indicators
- Ad-hoc queries filtering on ip_s returned 1,111 false positive rows containing UUIDs instead of IP addresses
The fix changes the transform to ip_s=iif(tostring(p.type) == "ip", tostring(p.identifier), ""), ensuring only IP-type indicators populate the IP field while URL indicators leave it empty (URLs remain correctly stored in url_s).
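The before/after transform logic and a post-deployment validation query, written out here as an added illustration (this is not the PR's Cyren_DCR.json content). It assumes the DCR transform parses the raw indicator into a dynamic column p from a payload column (the PR text names p.type, p.identifier, ip_s, url_s and risk_d, but not the parse step), and <TableName> stands in for the connector's custom table, which the PR does not name.

```kql
// --- DCR transform, before the fix (illustrative) ---
// Every indicator type wrote its identifier into ip_s. For the malware_urls
// feed p.identifier is a UUID, so those rows polluted the IP column.
source
| extend p = parse_json(payload)               // assumption: payload is the raw indicator column
| extend ip_s = tostring(p.identifier)         // wrong for any type other than "ip"

// --- DCR transform, after the fix ---
// Only IP-type indicators populate ip_s; URL rows leave it empty and keep
// their URL in url_s (url_s derivation omitted, as the PR does not show it).
source
| extend p = parse_json(payload)
| extend ip_s = iif(tostring(p.type) == "ip", tostring(p.identifier), "")

// --- Validation after deployment (run in Log Analytics) ---
// Counts rows whose ip_s still looks like a UUID; expected result after the
// fix is uuid_rows == 0 for newly ingested data. Historical rows ingested
// under the old transform are unchanged, so scope by time.
<TableName>
| where TimeGenerated > ago(1d)
| extend ip_s_is_uuid = ip_s matches regex @"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$"
| summarize rows = count(),
            uuid_rows = countif(ip_s_is_uuid),
            empty_ip_rows = countif(isempty(ip_s))
  by has_url = isnotempty(url_s)

// --- Defensive filter for ad-hoc IP queries ---
// Guards IP-based analytics against the legacy rows: keeps only values that
// parse as IPv4, which excludes both empty strings and UUIDs.
<TableName>
| where isnotempty(ip_s) and isnotnull(parse_ipv4(ip_s))
| summarize indicators = count() by ip_s
```

A DCR transform is a single query over source, so only one of the two transform pipelines above goes into transformKql; they are shown side by side to make the change visible. The defensive filter is worth keeping in saved queries even after the fix, since rows ingested before 3.0.5 retain the UUID values.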
Affected Files
Solutions/CyrenThreatIntelligence/Data Connectors/CyrenThreatIntel_CCF/Cyren_DCR.json
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Cyren.json, mainTemplate.json)