Update Syntax for IPEntity_CloudAppEvents_Updated.yaml Rule

[joseph-matter]

Required items, please complete

Change(s):

• Updated Syntax for IPEntity_CloudAppEvents_Updated.yaml.
• Removed or isnotempty(NetworkSourceIP) from condition statement.
• Incremented Alert Version

Reason for Change(s):

• Including the OR condition in this statement causes the entire statement to always evaluate to true and causes the rule to fire on IP Addresses that are revoked or deleted within the ThreatIntelIndicators table.
• Removed OR condition in line with similar analytics rule so condition works as expected.

Version Updated:

• Yes

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[v-shukore]

Hello @joseph-matter, please package the solution using V3 tool
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

[joseph-matter]

Hello @v-shukore I added a commit for packaging the solution.

[v-shukore]

Hi @joseph-matter, please resolve branch conflicts. Thanks!

[joseph-matter]

Hello @v-shukore , the merge conflicts seemed to arise from incrementing the template version. Do I just increment the version of the analytics rule itself or the analtics rule and the template version both?

[joseph-matter]

@microsoft-github-policy-service agree company="Capgemini"

[v-shukore]

Hi @joseph-matter, to resolve branch conflicts, please pull the latest updates from master and ensure your main template remains in this PR. Thanks!

[joseph-matter]

@v-shukore Merge conflicts resolved

[v-shukore]

Hi @joseph-matter, amm-ttk is failing because there is a hardcoded URL in the maintemplate at line 951. Please replace or remove that URL from the maintemplate to resolve the issue. Thanks!

[joseph-matter]

@v-shukore Corrected