Creating Analytic Rule for URL IOC #13637

Open
v-utpalkumar wants to merge 12 commits into master from v-utpal_Creating_AnalyticRule_for_URL_IOC

Conversation

@v-utpalkumar (Contributor) commented Feb 16, 2026

Change(s):

  • This is a new rule.

Reason for Change(s):

  • The rule based on domain-name IOC is already in place, but the customer is requesting a rule based on URL IOC also.

Version Updated:

  • Not required (new rule)

Testing Completed: Below is a summary of the testing performed, including the corresponding screenshots.

  • The query was executed in the Log Analytics workspace and returned no errors.
  • The main template has been successfully deployed without errors.
  • Validation completed successfully, and the analytic rule was saved as part of the Sentinel Custom deployment.

@v-utpalkumar v-utpalkumar requested review from a team as code owners February 16, 2026 13:11
@contentautomationbot

Hello, how are you? I am GitHub bot 😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@v-utpalkumar (Contributor, Author)

Test Screenshots Document: Threat_Intelligence_URL_WebSession.docx

@rahul0216 rahul0216 requested a review from Copilot February 18, 2026 13:12

Copilot AI left a comment

Pull request overview

This PR introduces a new analytic rule for URL-based Indicator of Compromise (IOC) detection, complementing the existing domain-name IOC rule at customer request.

Changes:

  • Added new analytic rule URLEntity_imWebSession.yaml to detect malicious URLs in web session events using ASIM schema
  • Updated solution metadata to reflect the addition of the 52nd analytic rule
  • Added release notes entry for version 3.0.14

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.

Reviewed files (file: description):

  • Solutions/Threat Intelligence (NEW)/ReleaseNotes.md: Documents the addition of URL IOC analytic rule in version 3.0.14
  • Solutions/Threat Intelligence (NEW)/Package/createUiDefinition.json: Updates UI definition to include the new analytic rule and increments total count to 52
  • Solutions/Threat Intelligence (NEW)/Data/Solution_ThreatIntelligenceUpdated.json: Adds reference to the new URLEntity_imWebSession.yaml rule file
  • Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_imWebSession.yaml: New analytic rule file implementing URL IOC detection against web session events

@Azure Azure deleted a comment from Copilot AI Feb 18, 2026
@rahul0216 (Collaborator) left a comment

Please address the inline comments.

@rahul0216 (Collaborator) left a comment

Looks good.

Labels

  • Analytic Rules
  • Content-Package
  • Solution
  • Solution specialty review needed

Development

Successfully merging this pull request may close this issue:

  • Analytic rule "TI map Domain entity to Web Session Events (ASIM Web Session schema)" not processing Url