
Analytic Rules Leads to FPs: Preview - TI map IP entity to Cloud App Events #11272

Closed

Description

The analytics rule "Preview - TI map IP entity to Cloud App Events" generates false positives if the MCAS IP column doesn't contain any IP address, because the join matches the null / empty values.

https://github.com/Azure/Azure-Sentinel/blob/56d63527e9de3b840307776c999ae96e54e7a80f/Solutions/Threat%20Intelligence/Analytic%20Rules/IPEntity_CloudAppEvents.yaml#L39C65-L39C102

Changing the join to remove empty MCAS IPs should resolve this:

```kql
 | join kind=innerunique (
    CloudAppEvents
      // --> Remove empty IPs
      | where isnotempty(IPAddress)
      | where TimeGenerated >= ago(dt_lookBack)
      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress
```
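The reproduction below is an added, self-contained example; it is not code from the issue or from the Azure-Sentinel repository. It uses constructed `datatable` rows in place of the indicator rows (`TI_ipEntity`) and `CloudAppEvents`, so it can be pasted into any Log Analytics workspace without real data. It goes one step beyond the snippet in the issue by also filtering the indicator side with `isnotempty(TI_ipEntity)`, since an empty key on either side of the join is enough to produce the empty-matches-empty false positives.

```kql
// Added example (not from the issue or the Azure-Sentinel repo).
// Constructed sample data: stand-ins for the TI indicator rows and for CloudAppEvents.
let dt_lookBack = 1h;
let TI_Indicators = datatable(IndicatorId:string, TI_ipEntity:string)
[
    "ioc-1", "203.0.113.10",   // IP indicator
    "ioc-2", ""                // indicator with no IP (e.g. domain-only): TI_ipEntity is empty
];
let CloudAppEvents_Sample = datatable(Age:timespan, IPAddress:string, AccountDisplayName:string)
[
    10m, "203.0.113.10", "alice",   // true match against ioc-1
    5m,  "",             "bob",     // no client IP recorded
    4m,  "",             "carol"    // no client IP recorded
]
| extend TimeGenerated = now() - Age;   // keep the rows inside the lookback window
TI_Indicators
// Drop indicators without an IP so an empty left key cannot match anything.
| where isnotempty(TI_ipEntity)
| join kind=innerunique (
    CloudAppEvents_Sample
    // Drop events without an IP. Without this line and the one above,
    // "" == "" and bob / carol are reported as TI matches (the false positives).
    | where isnotempty(IPAddress)
    | where TimeGenerated >= ago(dt_lookBack)
    | extend CloudAppEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.IPAddress
| project IndicatorId, TI_ipEntity, AccountDisplayName, CloudAppEvents_TimeGenerated
```

Run as written, the query returns a single row (ioc-1 / alice). Comment out the two `isnotempty` filters and the bob and carol rows appear as matches for ioc-2, which is exactly the false-positive pattern described above.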