Expand Up @@ -43,26 +43,26 @@ query: |
| project-reorder *, TrafficLightProtocolLevel, EmailSenderAddress, EmailSourceDomain, Type
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserName)
// Filtering PAN Logs for specific event type to match relevant email entities
| where DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")
| extend DestinationUserID = tolower(DestinationUserID)
| where DestinationUserID matches regex emailregex
| extend DestinationUserName = tolower(DestinationUserName)
| where DestinationUserName matches regex emailregex
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
)
on $left.EmailSenderAddress == $right.DestinationUserID
on $left.EmailSenderAddress == $right.DestinationUserName
| where CommonSecurityLog_TimeGenerated < ValidUntil
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, DestinationUserID
| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, EmailSenderAddress, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, DestinationUserName
| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, EmailSenderAddress, DestinationUserName, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
DestinationIP, DestinationPort, Protocol, ApplicationProtocol, Url//, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType,
| extend timestamp = CommonSecurityLog_TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: DestinationUserID
columnName: DestinationUserName
- entityType: IP
fieldMappings:
- identifier: Address
Expand All @@ -71,5 +71,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.9
version: 1.2.10
kind: Scheduled
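Review bot: The new `on $left.EmailSenderAddress == $right.DestinationUserName` key compares a sender indicator against the CEF `duser` field, and in Palo Alto Networks WildFire CEF output `duser` is (as far as I know) the mail recipient while the sender is carried in `suser`/`SourceUserName`; please confirm against the PAN-OS CEF field mapping, because if that holds the rule will only fire when a known-bad sender address appears as the recipient. If sender-side matching is the intent, the change would be `isnotempty(SourceUserName)`, `| extend SourceUserName = tolower(SourceUserName)` and `on $left.EmailSenderAddress == $right.SourceUserName` (plus the matching `summarize`, `project` and entity mapping). Whichever field is kept, a one-line comment above the join such as `// DestinationUserName (CEF duser) is matched against the TI sender address — confirmed against PAN-OS CEF mapping on <date>` would record the decision for the next reader. The query body starts above this hunk, where `emailregex` and the indicator filter are defined, so I cannot see whether `EmailSenderAddress` is already normalized there.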
1 change: 1 addition & 0 deletions Solutions/Threat Intelligence (NEW)/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.17 | 07-04-2026 | Fixed join condition in **EmailEntity_PaloAlto** analytic rule to use `DestinationUserName` instead of `DestinationUserID` for correct email address matching |
| 3.0.16 | 25-03-2026 | Optimized **TI map Domain entity to EmailUrlInfo** analytic rule with deduplication and filters |
| 3.0.15 | 09-03-2026 | Update **IPEntity_DuoSecurity Analytic Rule** |
| 3.0.14 | 16-02-2026 | Added **Analytic Rule** for URL IOC |
Expand Up @@ -36,25 +36,25 @@ query: |
| where Active == true and ExpirationDateTime > now()
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserName)
// Filtering PAN Logs for specific event type to match relevant email entities
| where DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")
| extend DestinationUserID = tolower(DestinationUserID)
| where DestinationUserID matches regex emailregex
| extend DestinationUserName = tolower(DestinationUserName)
| where DestinationUserName matches regex emailregex
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
)
on $left.EmailSenderAddress == $right.DestinationUserID
on $left.EmailSenderAddress == $right.DestinationUserName
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserName
| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,
EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserName, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,
DestinationIP, DestinationPort, Protocol, ApplicationProtocol
| extend timestamp = CommonSecurityLog_TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: DestinationUserID
columnName: DestinationUserName
- entityType: IP
fieldMappings:
- identifier: Address
Expand All @@ -63,5 +63,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.6
version: 1.2.7
kind: Scheduled
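Review bot: The right side of the join is lowercased (`extend DestinationUserName = tolower(DestinationUserName)`) but nothing in this hunk normalizes the left-hand `EmailSenderAddress`, and a KQL join `on` uses case-sensitive string equality, so a mixed-case indicator (e.g. `Attacker@Example.com`) would silently never match the lowercased log value. Unless it is already handled above the hunk, add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side before the `join`, and consider a comment on the join line like `// both sides lowercased: join keys are compared case-sensitively` so the normalization is not dropped in a later edit. The query starts above this hunk (`dt_lookBack`, `emailregex` and the `Active == true` filter's source table are defined there), so treat this as something to verify rather than a confirmed miss.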
1 change: 1 addition & 0 deletions Solutions/Threat Intelligence/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.1.4 | 07-04-2026 | Fixed join condition in **EmailEntity_PaloAlto** analytic rule to use `DestinationUserName` instead of `DestinationUserID` for correct email address matching |
| 3.1.3 | 20-01-2026 | Updated **Analytical Rule** to include the missing column. |
| 3.1.2 | 26-06-2025 | Updated TI Map IP Entity to CommonSecurityLog **Analytical Rules** to exclude private ips |
| 3.1.1 | 22-01-2025 | Fixed feature flag configs for PMDTI, MDTI, and UploadAPI based on the new FeatureStates. Fix api-version and documentation link for UploadAPI. |