Analytic Rules Leads to FPs: Preview - TI map IP entity to Cloud App Events

[nicolonsky]

The Analytics Rule: Preview - TI map IP entity to Cloud App Events generates false positives if the MCAS column doesn't contain any IP address but due to the join null / empty values are matched.

https://github.com/Azure/Azure-Sentinel/blob/56d63527e9de3b840307776c999ae96e54e7a80f/Solutions/Threat%20Intelligence/Analytic%20Rules/IPEntity_CloudAppEvents.yaml#L39C65-L39C102

Changing the join to remove empty MCAS IPs should resolve this:

 | join kind=innerunique (
    CloudAppEvents
      // --> Remove empty IPs
      | where isnotempty(IPAddress)
      | where TimeGenerated >= ago(dt_lookBack)
      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress

[v-rusraut]

Hi @nicolonsky, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-rusraut]

Hi @nicolonsky , as you have already raised a PR to fix this, our team is currently reviewing it. Once the PR is merged, we will close this issue.