Clarification on Join Condition in EmailEntity_PaloAlto Analytic Rule

[SudBuddy]

Hi Team,
I have a question regarding the join condition used in the following analytic rule:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Analytic%20Rules/EmailEntity_PaloAlto.yaml

Specifically, at line 45, the join condition is defined as:
on $left.EmailSenderAddress == $right.DestinationUserID

Could you please confirm if joining on DestinationUserID is correct in this context?
Alternatively, would it be more appropriate to use DestinationUserName instead, depending on the data mapping and field semantics?
I want to ensure the join logic aligns correctly with the intended entities and avoids any mismatch in results.

[v-kasghosh]

Hey @SudBuddy , Thanks for flagging this. We will investigate this issue and get back to you with some updates. Thanks!

[v-utpalkumar]

Hello @SudBuddy! We reviewed the value formats for both fields (DestinationUserID and EmailSenderAddress), and they appear identical. Based on this, we assume the implementation is correct and that it will trigger the alert as expected. Please refer to the attached screenshots for your reference. Please feel free to share your thoughts on this. Thank you!

[v-kasghosh]

Hello @SudBuddy ,
Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive response by the time, we will close this issue.

[SudBuddy]

@v-utpalkumar, DestinationUserID looks like a system level identifier and not a real mail address which can match with IOC's what I will suggest kindly reverify if you could see any match from DestinationUserID in EmailSender address. If any matches found then no need to make any changes in rule.
But I believe if not found then rule needs to be corrected.

Please also check the above some suggestions provided in Draft PR.

[v-utpalkumar]

Hello @SudBuddy! We have verified the structure of the values captured in the DestinationUserID and EmailSenderAddress fields, and both are identical in nature. A screenshot has been attached above for your reference.

The pull request was created by mistake and has now been removed, as it was not required. We will proceed with closing this issue, but please feel free to reopen it anytime if you’d like to discuss further or need additional clarification.

We appreciate you initiating this discussion. Thank you for your patience and cooperation!