Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update DomainEntity_EmailUrlInfo.yaml #11369

Closed
wants to merge 17 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
id: 87cc75df-d7b2-44f1-b064-ee924edfc879
name: TI map Domain entity to EmailUrlInfo
description: |
'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
Identifies a match in EmailUrlInfo table from any Domain IOC from TI.
severity: Medium
requiredDataConnectors:
- connectorId: Office365
Expand All @@ -25,44 +25,60 @@ tactics:
relevantTechniques:
- T1566
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let EmailUrlInfo_ = materialize(EmailUrlInfo
| where isnotempty(UrlDomain)
| where TimeGenerated > ago(dt_lookBack)
| project-rename Email_Url = Url);
let Domains = EmailUrlInfo_
| distinct UrlDomain
| summarize make_list(UrlDomain);
let Candidates = ThreatIntelligenceIndicator
| where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| extend TI_Domain = tolower(DomainName)
| where TI_Domain in (Domains)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain
| join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId
| where DeliveryLocation !has "Quarantine"
// Customize and uncomment the following line to remove security related mailboxes
//| where tolower(RecipientEmailAddress) !in ("[email protected]", "[email protected]")
| where EmailEvents_TimeGenerated < ExpirationDateTime
| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;
let Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);
ThreatIntelligenceIndicator
| where isnotempty(Url)
| where TimeGenerated > ago(ioc_lookBack)
| extend Host = tostring(parse_url(Url).Host)
| where Host in (Candidate_Domains)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, "://", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl
| where DeliveryAction !has "Blocked"
| project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject
| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
| extend timestamp = EmailEvents_TimeGenerated
let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
let TI_Indicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
| where Active == true and ExpirationDateTime > now(); // Filter for active indicators that haven't expired
let TI_Urls = TI_Indicators
| where isnotempty(Url) // Filter for non-empty URLs
| extend Url = tolower(Url) // Convert URLs to lowercase
| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator
| project
EmailUrlInfo_TimeGenerated,
Description,
ActivityGroupNames,
IndicatorId,
ThreatType,
ExpirationDateTime,
ConfidenceScore,
Url,
UrlLocation,
NetworkMessageId; // Select relevant columns
let TI_Domains = TI_Indicators
| where isnotempty(DomainName) // Filter for non-empty domain names
| extend DomainName = tolower(DomainName) // Convert domain names to lowercase
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
| project
EmailUrlInfo_TimeGenerated,
Description,
ActivityGroupNames,
IndicatorId,
ThreatType,
ExpirationDateTime,
ConfidenceScore,
UrlDomain,
UrlLocation,
NetworkMessageId; // Select relevant columns
union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
| where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
| extend
Name = tostring(split(RecipientEmailAddress, '@', 0)),
UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)); // Extract name and UPN suffix from recipient email address
entityMappings:
- entityType: Account
fieldMappings:
Expand All @@ -76,5 +92,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.0.2
version: 1.0.3
kind: Scheduled
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
id: a924d317-03d2-4420-a71f-4d347bda4bd8
name: TI map IP entity to Workday(ASimAuditEventLogs)
description: |
Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: Workday
dataTypes:
- Workday
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
query: |
let dtLookBack = 1h; // Define the lookback period for audit events
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(NetworkIP)
or isnotempty(EmailSourceIpAddress)
or isnotempty(NetworkDestinationIP)
or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired
| join kind=inner (
ASimAuditEventLogs
| where EventVendor == "Workday" // Filter for Workday events
| where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
| where isnotempty(DvcIpAddr) // Filter for events with a device IP address
| extend WD_TimeGenerated = EventStartTime // Rename the event start time column
| project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
)
on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
| project
LatestIndicatorTime,
Description,
ActivityGroupNames,
IndicatorId,
ThreatType,
Url,
ExpirationDateTime,
ConfidenceScore,
WD_TimeGenerated,
ActorUsername,
DvcIpAddr,
Operation,
Object // Select relevant columns after the join
| extend
timestamp = WD_TimeGenerated,
Name = tostring(split(ActorUsername, '@', 0)),
UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
version: 1.0.0
kind: Scheduled
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,8 @@
"Analytic Rules/EmailEntity_CloudAppEvents.yaml",
"Analytic Rules/FileHashEntity_CloudAppEvents.yaml",
"Analytic Rules/IPEntity_CloudAppEvents.yaml",
"Analytic Rules/URLEntity_CloudAppEvents.yaml"
"Analytic Rules/URLEntity_CloudAppEvents.yaml",
"Analytic Rules/IPEntity_Workday.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
Expand Down
Binary file modified Solutions/Threat Intelligence/Package/3.0.8.zip
Binary file not shown.
Binary file not shown.
98 changes: 28 additions & 70 deletions Solutions/Threat Intelligence/Package/createUiDefinition.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 53, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
Expand Down Expand Up @@ -67,84 +67,28 @@
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The data connectors installed are:"
"text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "DC1",
"type": "Microsoft.Common.Section",
"label": "(1)\t\tThreat Intelligence Platforms",
"elements": [
{
"name": "DC1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications."
}
}
]
},
{
"name": "DC2",
"type": "Microsoft.Common.Section",
"label": "(2)\t\tThreat Intelligence - TAXII",
"elements": [
{
"name": "DC1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Use this connector to bring in threat intelligence to Microsoft Sentinel from a TAXII 2.0 or 2.1 server."
}
}
]
},
{
"name": "DC3",
"type": "Microsoft.Common.Section",
"label": "(3)\t\tThreat Intelligence Upload Indicators API",
"elements": [
{
"name": "DC1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Microsoft Sentinel offer a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses."
}
}
]
},
{
"name": "DC4",
"type": "Microsoft.Common.Section",
"label": "(4)\t\tMicrosoft Defender Threat Intelligence",
"elements": [
{
"name": "DC1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc."
}
}
]
"name": "dataconnectors3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "DC5",
"type": "Microsoft.Common.Section",
"label": "(5)\t\tPremium Microsoft Defender Threat Intelligence",
"elements": [
{
"name": "DC1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center."
}
}
]
"name": "dataconnectors4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors3-text",
"name": "dataconnectors5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "After installing the solution, configure and enable these data connectors by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
Expand Down Expand Up @@ -954,6 +898,20 @@
}
}
]
},
{
"name": "analytic53",
"type": "Microsoft.Common.Section",
"label": "TI map IP entity to Workday(ASimAuditEventLogs)",
"elements": [
{
"name": "analytic53-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI)."
}
}
]
}
]
},
Expand Down
Loading
Loading