diff --git a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml
index c007dd0420e..162ee32308f 100644
--- a/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml	
+++ b/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_PaloAlto.yaml	
@@ -43,26 +43,26 @@ query: |
   | project-reorder *, TrafficLightProtocolLevel, EmailSenderAddress, EmailSourceDomain, Type
   // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
   | join kind=innerunique (
-      CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
+      CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserName)
       // Filtering PAN Logs for specific event type to match relevant email entities
       | where DeviceVendor == "Palo Alto Networks" and  DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")
-      | extend DestinationUserID = tolower(DestinationUserID)
-      | where DestinationUserID matches regex emailregex
+      | extend DestinationUserName = tolower(DestinationUserName)
+      | where DestinationUserName matches regex emailregex
       | extend CommonSecurityLog_TimeGenerated = TimeGenerated
   )
-  on $left.EmailSenderAddress == $right.DestinationUserID
+  on $left.EmailSenderAddress == $right.DestinationUserName
   | where CommonSecurityLog_TimeGenerated < ValidUntil
   | extend Description = tostring(parse_json(Data).description)
   | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
-  | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, DestinationUserID
-  | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, EmailSenderAddress, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
+  | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, DestinationUserName
+  | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, EmailSenderAddress, DestinationUserName, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
   DestinationIP, DestinationPort, Protocol, ApplicationProtocol, Url//,  EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType,
   | extend timestamp = CommonSecurityLog_TimeGenerated
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
-        columnName: DestinationUserID
+        columnName: DestinationUserName
   - entityType: IP
     fieldMappings:
       - identifier: Address
@@ -71,5 +71,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.9
+version: 1.2.10
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md
index 4c9d8ed98ee..ebd753dc7ce 100644
--- a/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md	
+++ b/Solutions/Threat Intelligence (NEW)/ReleaseNotes.md	
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.17      | 07-04-2026                     | Fixed join condition in **EmailEntity_PaloAlto** analytic rule to use `DestinationUserName` instead of `DestinationUserID` for correct email address matching |
 | 3.0.16      | 25-03-2026                     | Optimized **TI map Domain entity to EmailUrlInfo** analytic rule with deduplication and filters |
 | 3.0.15      | 09-03-2026                     | Update **IPEntity_DuoSecurity Analytic Rule**                |
 | 3.0.14      | 16-02-2026                     | Added **Analytic Rule** for URL IOC                  |
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml
index 96cf9f4fb49..bab14f3a70c 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml	
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml	
@@ -36,25 +36,25 @@ query: |
   | where Active == true and ExpirationDateTime > now()
   // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
   | join kind=innerunique (
-      CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
+      CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserName)
       // Filtering PAN Logs for specific event type to match relevant email entities
       | where DeviceVendor == "Palo Alto Networks" and  DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")
-      | extend DestinationUserID = tolower(DestinationUserID)
-      | where DestinationUserID matches regex emailregex
+      | extend DestinationUserName = tolower(DestinationUserName)
+      | where DestinationUserName matches regex emailregex
       | extend CommonSecurityLog_TimeGenerated = TimeGenerated
   )
-  on $left.EmailSenderAddress == $right.DestinationUserID
+  on $left.EmailSenderAddress == $right.DestinationUserName
   | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
-  | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID
+  | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserName
   | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,
-  EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
+  EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserName, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
   DestinationIP, DestinationPort, Protocol, ApplicationProtocol
   | extend timestamp = CommonSecurityLog_TimeGenerated
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
-        columnName: DestinationUserID
+        columnName: DestinationUserName
   - entityType: IP
     fieldMappings:
       - identifier: Address
@@ -63,5 +63,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.6
+version: 1.2.7
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md
index 54ef7a20068..cda53adb575 100644
--- a/Solutions/Threat Intelligence/ReleaseNotes.md	
+++ b/Solutions/Threat Intelligence/ReleaseNotes.md	
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.1.4       | 07-04-2026                     | Fixed join condition in **EmailEntity_PaloAlto** analytic rule to use `DestinationUserName` instead of `DestinationUserID` for correct email address matching |
 | 3.1.3       | 20-01-2026                     | Updated **Analytical Rule** to include the missing column. |
 | 3.1.2       | 26-06-2025                     | Updated TI Map IP Entity to CommonSecurityLog **Analytical Rules** to exclude private ips |
 | 3.1.1       | 22-01-2025                     | Fixed feature flag configs for PMDTI, MDTI, and UploadAPI based on the new FeatureStates. Fix api-version and documentation link for UploadAPI. |