From 8493019e79ea32dc22c654a2e1b32b775749ed1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 10 Jun 2022 08:15:46 +0200
Subject: [PATCH 1/2] Update URLEntity_OfficeActivity.yaml

---
 .../URLEntity_OfficeActivity.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
index 0390c90e0f..7237696e2d 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
@@ -37,7 +37,7 @@ query: |
 | extend Url = tostring(split(Url, ';')[0])
 | extend OfficeActivity_TimeGenerated = TimeGenerated
 // Project a single user identity that we can use for entity mapping
- | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue)))
+ | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
 ) on Url
 | where OfficeActivity_TimeGenerated < ExpirationDateTime
 | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
@@ -53,5 +53,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.2.1
-kind: Scheduled
\ No newline at end of file
+version: 1.2.2
+kind: Scheduled

From 4ae19d84386e9f5d1871ce1a7fbdadc89b89c78d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 10 Jun 2022 08:28:47 +0200
Subject: [PATCH 2/2] Update URLEntity_OfficeActivity.yaml

---
 .../ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
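Review bot: The corrected fallback `tostring(parse_json(Parameters)[0].Value)` in the first hunk still picks the first element of `Parameters` by position rather than by its `Name`, so for records with neither `UserId` nor `Actor` the value projected into `User` is whatever parameter happens to come first and may not be an identity at all; if that first-entry assumption is intentional it should be stated next to the existing comment, e.g. `// Parameters fallback assumes the first Name/Value pair carries the acting user - verify per workload`. Before this fix the `.Vlaue` path resolved to null, so `User` was silently empty for those rows and presumably no account entity was attached to the alert; the fix therefore changes which alerts carry a user entity, which is worth a sentence in the commit description beyond "Update". The enclosing `query: |` block starts and ends outside the hunk.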
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
index 7237696e2d..0c11cb2b56 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
@@ -28,7 +28,7 @@ query: |
 | where isnotempty(Url)
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique (
- OfficeActivity
+ OfficeActivity
 | where TimeGenerated >= ago(dt_lookBack)
 //Extract the Url from a number of potential fields
 | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))