Fix filtering and field normalisation so as to allow for URL type IOC

Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml

@@ -35,8 +35,8 @@ query: |
     let DOMAIN_TI=ThreatIntelIndicators
     // Picking up only IOC's that contain the entities we want
     | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
-    | where IndicatorType == "domain-name"
-    | extend DomainName = tolower(ObservableValue)
+    | where IndicatorType == "domain-name" or ObservableKey == "url:value"
+    | extend DomainName = iff(IndicatorType == "domain-name",tolower(ObservableValue),tostring(split(replace_regex(ObservableValue,"\\?|/","@"),"@")[2]))
     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
     | extend IndicatorId = tostring(split(Id, "--")[2])
     | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
@@ -82,5 +82,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC
   alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.0.11
+version: 1.0.12
 kind: Scheduled

Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json

@@ -60,99 +60,43 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
             "name": "dataconnectors2-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The data connectors installed are:"
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
-            "name": "DC1",
-            "type": "Microsoft.Common.Section",
-            "label": "(1)\t\tThreat Intelligence Platforms",
-            "elements": [
-              {
-                "name": "DC1-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications."
-                }
-              }
-            ]
-          },
-          {
-            "name": "DC2",
-            "type": "Microsoft.Common.Section",
-            "label": "(2)\t\tThreat Intelligence - TAXII",
-            "elements": [
-              {
-                "name": "DC2-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Use this connector to bring in threat intelligence to Microsoft Sentinel from a TAXII 2.0 or 2.1 server."
-                }
-              }
-            ]
+            "name": "dataconnectors3-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
           },
           {
-            "name": "DC3",
-            "type": "Microsoft.Common.Section",
-            "label": "(3)\t\tThreat Intelligence Upload Indicators API",
-            "elements": [
-              {
-                "name": "DC3-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Microsoft Sentinel offer a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses."
-                }
-              }
-            ]
+            "name": "dataconnectors4-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
           },
           {
-            "name": "DC4",
-            "type": "Microsoft.Common.Section",
-            "label": "(4)\t\tMicrosoft Defender Threat Intelligence",
-            "elements": [
-              {
-                "name": "DC4-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc."
-                }
-              }
-            ]
+            "name": "dataconnectors5-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
           },
           {
-            "name": "DC5",
-            "type": "Microsoft.Common.Section",
-            "label": "(5)\t\tPremium Microsoft Defender Threat Intelligence",
-            "elements": [
-              {
-                "name": "DC5-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center."
-                }
-              }
-            ]
-          },
-		  {
-            "name": "DC6",
-            "type": "Microsoft.Common.Section",
-            "label": "(6)\t\tThreat Intelligence - TAXII Export",
-            "elements": [
-              {
-                "name": "DC6-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Microsoft Sentinel integrates with TAXII 2.1 servers to enable exporting of your threat intelligence objects."
-                }
-              }
-            ]
+            "name": "dataconnectors6-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Threat Intelligence (NEW). You can get Threat Intelligence (NEW) custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
           },
           {
             "name": "dataconnectors-parser-text",

Solutions/Threat Intelligence (NEW)/ReleaseNotes.md

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.12      | 11-12-2025                     | Fixed the logic to allow for URL type indicators in rule. 	 |
 | 3.0.11      | 02-12-2025                     | Update Threat Intelligence package and release notes 	 |
 | 3.0.10      | 20-11-2025                     | Update Syntax for IPEntity_CloudAppEvents_Updated.yaml Rule		 |
 | 3.0.9       | 07-11-2025                     | Updated EmailEntity_CloudAppEvents_Updated.yaml to adjust lookback periods to match the query period and frequency. |