The Analytics Rule:
Preview - TI map IP entity to Cloud App Events
generates false positives if the MCAS column doesn't contain any IP address but, due to the join, null / empty values are matched.
https://github.com/Azure/Azure-Sentinel/blob/56d63527e9de3b840307776c999ae96e54e7a80f/Solutions/Threat%20Intelligence/Analytic%20Rules/IPEntity_CloudAppEvents.yaml#L39C65-L39C102
Changing the join to remove empty MCAS IPs should resolve this:
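Added example, not part of the original issue and not the rule's own query: a self-contained KQL comparison of the join behaviour reported above, with and without empty-key filtering. The tables `TI` and `Events`, the column `TI_ipEntity`, the indicator IDs and all sample rows are constructed assumptions; `IPAddress` stands in for the MCAS IP column.

```kql
// Constructed threat-intel rows (assumption): one indicator carries an IP,
// the other is a non-IP indicator whose IP entity is an empty string.
let TI = datatable(IndicatorId:string, TI_ipEntity:string) [
    "ind-ip",     "203.0.113.10",
    "ind-domain", ""
];
// Constructed cloud app events (assumption): the second event has no IP address.
let Events = datatable(Timestamp:datetime, ActionType:string, IPAddress:string) [
    datetime(2024-01-01 10:00:00), "FileDownloaded",    "203.0.113.10",
    datetime(2024-01-01 10:05:00), "MailItemsAccessed", "",
    datetime(2024-01-01 10:06:00), "FileUploaded",      "198.51.100.7"
];
// Join as reported in the issue: empty keys on both sides are treated as
// equal, so the event without an IP pairs with the non-IP indicator.
let Unfiltered = TI
    | join kind=innerunique (Events) on $left.TI_ipEntity == $right.IPAddress
    | extend Variant = "unfiltered";
// Same join with empty keys removed on both sides before matching.
let Filtered = TI
    | where isnotempty(TI_ipEntity)
    | join kind=innerunique (
        Events
        | where isnotempty(IPAddress)
      ) on $left.TI_ipEntity == $right.IPAddress
    | extend Variant = "filtered";
// Show both result sets side by side for comparison.
union Unfiltered, Filtered
| project Variant, IndicatorId, ActionType, IPAddress
| sort by Variant asc, IndicatorId asc
```

Filtering both inputs matters: dropping empty values on only one side still leaves the key comparison dependent on how the other table represents a missing IP.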