
Fix EmailEntity_PaloAlto join condition: DestinationUserID → DestinationUserName#14006

Draft
Copilot wants to merge 2 commits into master from copilot/clarification-join-condition-emailentity-paloalto


Copilot AI commented Apr 7, 2026

In PaloAlto CEF logs, DestinationUserID is a system-level account identifier (e.g. 1761761851203431902@playhop.com) — not a real email address — while DestinationUserName holds the actual user email. The join EmailSenderAddress == DestinationUserID could produce missed matches or false negatives when ID values don't correspond to real sender addresses.

Change(s):

  • Replaced all DestinationUserID references with DestinationUserName in both rule variants:
    • Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml
    • Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
  • Affected locations per file: isnotempty() filter, extend tolower(), where matches regex, join condition, summarize by, project, and entityMappings
// Before
CommonSecurityLog | where isnotempty(DestinationUserID)
| extend DestinationUserID = tolower(DestinationUserID)
| where DestinationUserID matches regex emailregex
...
on $left.EmailSenderAddress == $right.DestinationUserID

// After
CommonSecurityLog | where isnotempty(DestinationUserName)
| extend DestinationUserName = tolower(DestinationUserName)
| where DestinationUserName matches regex emailregex
...
on $left.EmailSenderAddress == $right.DestinationUserName

Reason for Change(s):

  • DestinationUserName is the semantically correct CEF field for the user's email address in PaloAlto WildFire SMTP/POP3 logs; DestinationUserID is an opaque system identifier

Version Updated:

  • Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml: 1.2.6 → 1.2.7
  • Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml: 1.2.9 → 1.2.10

Testing Completed:

  • Yes — KQL and YAML validation checks passed; no remaining DestinationUserID references in either file

Checked that the validations are passing and have addressed any issues that are present:

  • Yes
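As an added illustration that is not part of this pull request or the Azure-Sentinel repository: a self-contained KQL query over constructed CommonSecurityLog and indicator rows (every value below is invented) that runs the join on both CEF columns side by side. The rows are built so that DestinationUserID is a regex-valid address that matches no indicator while DestinationUserName does; the emailregex pattern is an assumption, since the rule's own pattern is not shown on the page.

```kql
// Added example, not the rule's code: constructed rows showing why the join key matters.
// Assumed regex; the analytic rule's actual emailregex is not visible on the page.
let emailregex = @'^[\w\.\-\+]+@[\w\-]+(\.[\w\-]+)+$';
// Constructed stand-in for Palo Alto WildFire SMTP rows in CommonSecurityLog.
// DestinationUserID is the opaque account identifier; DestinationUserName is the mailbox.
let CommonSecurityLog = datatable(TimeGenerated:datetime, DeviceVendor:string,
                                  DestinationUserID:string, DestinationUserName:string, SourceIP:string)
[
    datetime(2026-04-07 10:00:00), "Palo Alto Networks", "1761761851203431902@playhop.com", "Alice.Sender@Example.com", "203.0.113.10",
    datetime(2026-04-07 10:05:00), "Palo Alto Networks", "9876543210987654321@playhop.com", "bob@example.net",          "203.0.113.11"
];
// Constructed stand-in for the threat-intelligence indicators the rule matches against.
let TI = datatable(EmailSenderAddress:string, Description:string)
[
    "alice.sender@example.com", "constructed sender indicator"
];
// Variant after this PR: key on DestinationUserName.
let ByName = CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where isnotempty(DestinationUserName)
| extend Key = tolower(DestinationUserName)
| where Key matches regex emailregex
| join kind=inner TI on $left.Key == $right.EmailSenderAddress
| extend Variant = "after: DestinationUserName";
// Variant before this PR: key on DestinationUserID. The ID passes the regex
// (it is numeric@domain), so only the join itself decides whether a row survives.
let ById = CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where isnotempty(DestinationUserID)
| extend Key = tolower(DestinationUserID)
| where Key matches regex emailregex
| join kind=inner TI on $left.Key == $right.EmailSenderAddress
| extend Variant = "before: DestinationUserID";
// One result set, labelled by variant, so the two join keys can be compared directly.
union ByName, ById
| project Variant, TimeGenerated, Key, SourceIP, Description
| order by Variant asc
```

Paste the block as one query in Log Analytics; the `let` tables shadow the real CommonSecurityLog only for this query, so it runs without any ingested data.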

…nstead of DestinationUserID

Agent-Logs-Url: https://github.com/Azure/Azure-Sentinel/sessions/2de15fe4-9af7-42df-8bfb-34c9f37993e5

Co-authored-by: v-sabiraj <94349919+v-sabiraj@users.noreply.github.com>
Copilot AI changed the title [WIP] Clarify join condition in EmailEntity_PaloAlto analytic rule Fix EmailEntity_PaloAlto join condition: DestinationUserID → DestinationUserName Apr 7, 2026
Copilot AI requested a review from v-sabiraj April 7, 2026 11:38