What Changed

This PR addresses two distinct production issues across 36 Analytic Rules in the Threat Intelligence (NEW) solution (v3.0.19).

Issue 1: Incorrect connectorId mappings (data source visibility gap)

Two rules had their requiredDataConnectors entries mapped to the wrong connectors:

  • DomainEntity_EmailEvents_Updated: connectorId was Office365, corrected to MicrosoftThreatProtection
  • DomainEntity_EmailUrlInfo_Updated: connectorId was Office365, corrected to MicrosoftThreatProtection

The EmailEvents and EmailUrlInfo tables are sourced from Microsoft Defender XDR (MicrosoftThreatProtection connector), not the Office 365 connector. This misconfiguration caused the Content Hub dependency graph to misrepresent which connector is required — users without the Defender XDR connector active may have had these TI-match rules silently deployed with no matching data flowing in.

Issue 2: Inconsistent capitalisation causing Playbook automation failures

All 36 Analytic Rules were renamed: “TI map” (lowercase m) became “TI Map” (uppercase M). Per PR discussion and linked GitHub issues, a customer Playbook performs case-sensitive string matching on incident titles to route enrichment logic. Rules with the lowercase variant silently skipped the automation — no errors were raised, incidents simply received no enrichment.

Detection Logic

No KQL query logic was modified in any rule. Only the name field, connectorId references, and version strings were changed. All detection logic, entity mappings, and thresholds remain identical.

Security Impact

  • Connector mapping fix: If your deployment has the EmailEvents or EmailUrlInfo TI-match rules active, verify that the MicrosoftThreatProtection (Defender XDR) connector is enabled in your workspace. The previous metadata incorrectly suggested that the Office365 connector sufficed.
  • Naming fix: Automations performing case-sensitive matching on rule names against “TI map” will now need updating to “TI Map”. Automations that were silently failing on these incidents will resume normal triggering after upgrading the solution.
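Both defects are metadata-only and would have been caught by a pre-merge lint over the rule YAML. The following is an added example (not the solution's own tooling or CI) that scans a rule for a query table whose ingesting connector is missing from requiredDataConnectors and for a rule name whose "TI Map" prefix has the wrong casing; the table-to-connector dict and the constructed sample rule are assumptions of the example.

```python
import re
# Connector that ingests each table (the two entries are the ones this PR corrects); treating this dict as authoritative is the example's assumption.
TABLE_TO_CONNECTOR = {"EmailEvents": "MicrosoftThreatProtection",
                      "EmailUrlInfo": "MicrosoftThreatProtection"}
EXPECTED_PREFIX = "TI Map"  # exact casing the case-sensitive playbook matches on

def parse_rule(text):
    """Line-based scan (no YAML library) of name, connectorIds and query tables."""
    name, connectors, tables = "", set(), set()
    in_connectors = in_query = False
    for line in text.splitlines():
        if in_query and (line.startswith(" ") or not line.strip()):
            if m := re.match(r"\s+([A-Za-z_]\w*)\s*$", line):  # bare table read
                tables.add(m.group(1))
            continue
        in_query = False
        if not line.startswith(" "):  # any new top-level key ends the connector list
            in_connectors = line.startswith("requiredDataConnectors:")
        if m := re.match(r"name:\s*(.+?)\s*$", line):
            name = m.group(1)
        elif re.match(r"query:\s*\|", line):
            in_query = True
        elif in_connectors and (m := re.match(r"\s*-\s*connectorId:\s*(\S+)", line)):
            connectors.add(m.group(1))
    return name, connectors, tables

def lint_rule(text):
    """Flag a table read whose ingesting connector is not declared, and a rule
    name whose 'TI Map' prefix has the wrong casing."""
    name, declared, tables = parse_rule(text)
    findings = []
    for table in sorted(tables):
        expected = TABLE_TO_CONNECTOR.get(table)
        if expected and expected not in declared:
            findings.append(f"{name}: reads {table} but declares {sorted(declared)}, expected {expected}")
    if name.lower().startswith(EXPECTED_PREFIX.lower()) and not name.startswith(EXPECTED_PREFIX):
        findings.append(f"{name}: prefix must be exactly '{EXPECTED_PREFIX}'")
    return findings

# Constructed sample in the shape of the pre-fix rule (not the repository's file).
BEFORE = """\
name: TI map Domain entity to EmailEvents
requiredDataConnectors:
  - connectorId: Office365
query: |
  EmailEvents
"""
AFTER = BEFORE.replace("TI map", "TI Map").replace("Office365", "MicrosoftThreatProtection")
```

Running lint_rule over BEFORE yields one finding per issue, and AFTER yields none; pointing the same function at every file under Analytic Rules gives the check this PR had to do by hand.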

Affected Files

Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_DnsEvents.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_PaloAlto.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_SecurityAlert.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_AzureActivity.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_EmailEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_OfficeActivity.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityAlert.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SecurityEvent.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_SigninLogs.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_DeviceFileEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/FileHashEntity_SecurityEvent.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureKeyVault.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_CloudAppEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_OfficeActivity.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imWebSession.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_EmailUrlInfo_Updated.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_imWebSession.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
Solutions/Threat Intelligence (NEW)/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json
(packaging artefacts: 3.0.19.zip, ReleaseNotes.md, Solution_ThreatIntelligenceUpdated.json, createUiDefinition.json, mainTemplate.json)