Wiz incident

Investigating Issue with IP-ASO Based Threat Rules


Wiz experienced a notice incident on January 23, 2026 affecting Wiz Defend, lasting 6h 39m. The incident has been resolved; the full update timeline is below.

Started: Jan 23, 2026, 06:35 PM UTC
Resolved: Jan 24, 2026, 01:15 AM UTC
Duration: 6h 39m
Detected by Pingoru: Jan 23, 2026, 06:35 PM UTC

Affected components

Wiz Defend

Update timeline

  1. monitoring Jan 23, 2026, 06:35 PM UTC

    We are addressing a surge in detections related to IP-ASO rules (for example, activity outside AWS, Azure, or GCP). This was triggered by changes in ASO naming conventions.

    Actions Taken:
    • 16:30 UTC (Completed): Impacted detection rules have been suspended to prevent further false positive alerts.
    • 17:15 UTC (In Progress): Our team is currently investigating the root cause of the ASO name changes and identifying all affected variations.
    • Ongoing (In Progress): We are developing a logic update to account for the new ASO names. The rules will be resumed once the update is validated and released.

  2. monitoring Jan 23, 2026, 07:48 PM UTC

    Fix Deployment in Progress

    Actions Taken:
    • 17:30 UTC (Completed): Suspended the impacted detection rules to prevent additional false positive alerts.
    • 20:00 UTC (Completed): Confirmed the root cause as an upstream ASN data update that changed ASO naming and triggered detections.
    • Ongoing (In Progress): Deploying a hotfix to update detection logic and align with the updated naming.

  3. resolved Jan 24, 2026, 01:15 AM UTC

    We identified an issue that caused an increase in false alerts from a subset of Threat Detection Rules. To prevent additional noise, we temporarily paused the affected alerting while we confirmed the cause and deployed a fix. The hotfix has now been fully deployed, and the affected detections are operating normally again.