diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/cofense_to_sentinel_mapping.py b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/cofense_to_sentinel_mapping.py
index 77f6704f49..60aa5746e2 100644
--- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/cofense_to_sentinel_mapping.py
+++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/cofense_to_sentinel_mapping.py
@@ -117,7 +117,6 @@ class CofenseToSentinelMapping:
 data = {}
 continue
 indicator_id = indicator.get("id", "")
- data["properties"]["externalId"] = indicator_id
 data["properties"]["displayName"] = "Cofense Triage : {}".format(
 indicator_id
 )
@@ -181,7 +180,8 @@ class CofenseToSentinelMapping:
 LOGS_STARTS_WITH, __method_name, COFENSE_TO_SENTINEL
 )
 )
- self.microsoft_obj.create_indicator(data)
+ indicator_response = self.microsoft_obj.create_indicator(data)
+ indicator_externalId = indicator_response.get("properties", {}).get("externalId", "")
 applogger.debug(
 "{}(method={}) : {}: indicator created successfully.".format(
 LOGS_STARTS_WITH, __method_name, COFENSE_TO_SENTINEL
@@ -190,6 +190,7 @@ class CofenseToSentinelMapping:
 updated_at = indicator.get("attributes", {}).get("updated_at", "")
 reportdata = {
 "indicator_id": indicator_id,
+ "external_id": "{}-{}".format(indicator_externalId, source_cofence),
 "report_link": report_link,
 "updated_at": updated_at
 }
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/sentinel.py b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/sentinel.py
index b9c99c31d5..db880962a1 100644
--- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/sentinel.py
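Review bot: `indicator_externalId = indicator_response.get("properties", {}).get("externalId", "")` in the second hunk assumes create_indicator() always returns a dict, but the sentinel.py hunk in this same commit adds `return response_json` only on the success branch; if the 429 branch or any later exit path (all outside that hunk) still falls through to an implicit None, this line raises AttributeError instead of the handled failure the "indicator created successfully" log implies. Guard the call, e.g. `indicator_response = self.microsoft_obj.create_indicator(data) or {}`, or have create_indicator raise on every non-success path. The `""` default then flows into the third hunk's `"external_id": "{}-{}".format(indicator_externalId, source_cofence)`, so a response without properties.externalId silently persists a key of just `-<source>` in the report-link data that downstream consumers presumably join on; log and skip the reportdata write when indicator_externalId is empty rather than storing a malformed key. `indicator_externalId` also mixes camelCase into an otherwise snake_case body; `indicator_external_id` would match the surrounding names. The enclosing method starts and ends outside these hunks.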
+++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseBasedIndicatorCreator/sentinel.py
@@ -68,7 +68,7 @@ class MicrosoftSentinel:
 response_json,
 )
 )
- return
+ return response_json
 elif response.status_code == 429:
 applogger.error(
 "{}(method={}) : {} : trying again error 429.".format(
diff --git a/Solutions/CofenseTriage/Package/2.0.1.zip b/Solutions/CofenseTriage/Package/2.0.1.zip
new file mode 100644
index 0000000000..00d384e0da
Binary files /dev/null and b/Solutions/CofenseTriage/Package/2.0.1.zip differ
diff --git a/Solutions/CofenseTriage/Package/createUiDefinition.json b/Solutions/CofenseTriage/Package/createUiDefinition.json
index e6e36e7088..8bdd950a15 100644
--- a/Solutions/CofenseTriage/Package/createUiDefinition.json
+++ b/Solutions/CofenseTriage/Package/createUiDefinition.json
@@ -100,6 +100,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": null,
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": null
+ }
+ }
+ ]
 }
 ]
 }
diff --git a/Solutions/CofenseTriage/Package/mainTemplate.json b/Solutions/CofenseTriage/Package/mainTemplate.json
index b7d1929b3f..54e02cb99b 100644
--- a/Solutions/CofenseTriage/Package/mainTemplate.json
+++ b/Solutions/CofenseTriage/Package/mainTemplate.json
@@ -85,7 +85,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "CofenseTriageThreatIndicatorsWorkbook Workbook with template version 2.0.0",
+ "description": "CofenseTriageThreatIndicatorsWorkbook Workbook with template version 2.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
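Review bot: `return response_json` gives create_indicator a value only on the success branch; the 429 branch visible here just logs, and every other exit of the method lies outside this hunk, so unless those paths also return a dict or raise, the new caller in cofense_to_sentinel_mapping.py will receive None and fail on `.get()` rather than on a handled error. The return contract is new and undocumented; add it to the method's docstring, e.g. `Returns: the parsed JSON body of the created indicator (dict) on success; None on every other path.`, or better, raise on the non-success paths so an unexpected None never reaches a caller. If the method keeps returning None on failure, the caller should be told in the same docstring that properties.externalId is the field it is expected to read. create_indicator starts and ends outside this hunk.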
@@ -103,7 +103,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"/subscriptions/ec3e5f16-67b5-40aa-9289-23311c95451c\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where 
type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Triage Threat Indicators](https://cofense.com/product-services/cofense-triage/)\\n---\\n\\nCofense Triage is a phishing analysis and investigation platform. Cofense Triage ingests employee-reported suspicious emails and automatically analyzes emails to identify phishing threats. Cofense Triage’s API allows security teams to bidirectionally exchange threat indicators and ingest Cofense Triage threat indicators into Microsoft Sentinel. 
In addition, Microsoft Sentinel can write threat indicators into Cofense Triage.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://cofense.com/wp-content/uploads/2022/06/cofense.png?width=500&height=400) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Type and 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, 
File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator 
Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project 
SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize 
arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project 
SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.ExternalIndicatorId == $right.indicator_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend [\\\"Threat 
Indicator Link\\\"] = strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = ExternalIndicatorId, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"/subscriptions/ec3e5f16-67b5-40aa-9289-23311c95451c\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = 
makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Triage Threat Indicators](https://cofense.com/product-services/cofense-triage/)\\n---\\n\\nCofense Triage is a phishing analysis and investigation platform. Cofense Triage ingests employee-reported suspicious emails and automatically analyzes emails to identify phishing threats. Cofense Triage’s API allows security teams to bidirectionally exchange threat indicators and ingest Cofense Triage threat indicators into Microsoft Sentinel. 
In addition, Microsoft Sentinel can write threat indicators into Cofense Triage.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to 
avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| 
summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where 
SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend external_id = strcat(ExternalIndicatorId, \\\"-\\\", SourceSystem)\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| extend [\\\"Threat Indicator Link\\\"] = 
strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = indicator_id_s, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -133,9 +133,6 @@ "email": "support@cofense.com", "tier": "Partner", "link": "https://cofense.com/contact-support/" - }, - "dependencies": { - "operator": "AND" } } } 
@@ -170,7 +167,7 @@ "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" ], "properties": { - "description": "CofenseTriage data connector with template version 2.0.0", + "description": "CofenseTriage data connector with template version 2.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -606,7 +603,7 @@ "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.0", + "version": "2.0.1", "kind": "Solution", "contentSchemaVersion": "2.0.0", "contentId": "[variables('_solutionId')]", diff --git a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json index c22aa8ef0b..c9f520949e 100644 --- a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json +++ b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json @@ -128,22 +128,8 @@ "comparison": "isEqualTo", "value": "Yes" }, - "customWidth": "79", "name": "Workbook Overview" }, - { - "type": 1, - "content": { - "json": "![Image Name](https://cofense.com/wp-content/uploads/2022/06/cofense.png?width=500&height=400) " - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "customWidth": "20", - "name": "Microsoft Sentinel Logo" - }, { "type": 12, "content": { 
@@ -154,7 +140,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "query": "ThreatIntelligenceIndicator\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize 
CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date", @@ -187,7 +173,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date", 
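Review bot: The de-duplication key on the new `| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem` line only collapses re-ingested copies if `ExternalIndicatorId` is stable across runs for one Triage indicator, and the connector change in the same commit stops setting `externalId` client-side and reads it back from the create response instead. If Sentinel assigns a fresh externalId on every create call (not verifiable from this diff), each re-ingestion of the same Triage indicator lands as a distinct `ExternalIndicatorId`, this summarize stops de-duplicating, and every count and chart in the workbook is inflated. Please confirm the externalId is deterministic per indicator, or key the de-duplication on a value the connector controls; the identical pattern is repeated in the hunks at `@@ -187`, `@@ -206`, `@@ -225`, `@@ -244` and `@@ -263`, and in the serialized copy embedded in mainTemplate.json. A query comment such as `// ExternalIndicatorId is assigned by Sentinel at create time; assumed stable per Triage indicator` would make the assumption visible to the next editor.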
@@ -206,7 +192,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column 
to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Type", 
@@ -225,7 +211,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Source", 
@@ -244,7 +230,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", "size": 3, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Confidence Score", 
@@ -263,7 +249,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize 
SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n | where 
SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where 
isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of 
cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n | where SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = 
tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Uniqueness of Cofense Threat Intelligence Sources", 
@@ -321,7 +307,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.ExternalIndicatorId == $right.indicator_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = ExternalIndicatorId, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", + "query": "ThreatIntelligenceIndicator\r\n| extend external_id = strcat(ExternalIndicatorId, \"-\", SourceSystem)\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = indicator_id_s, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", "size": 0, "showAnalytics": true, "title": "Cofense Threat Indicators Data",
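Review bot: The new join key `strcat(ExternalIndicatorId, "-", SourceSystem)` has to match byte-for-byte the string the connector writes as `external_id` (`"{}-{}".format(indicator_externalId, source_cofence)` in cofense_to_sentinel_mapping.py), and nothing in the diff shows that `source_cofence` equals the `SourceSystem` value stored in ThreatIntelligenceIndicator (the other queries expect it to start with `Cofense :`); any difference in prefix, casing or whitespace makes the inner join return zero rows and the "Cofense Threat Indicators Data" grid goes silently empty instead of failing. Either apply the same normalisation on both sides (for example `tolower()` in KQL and the equivalent in the connector) or document the exact composed format next to the join so the two can be compared. Separately, the `Threat Indicator Link` column still hard-codes `https://reltest6.phishmecloud.com/threat_indicators/`, which reads like a test tenant rather than the customer's own Triage host; because formatter 7 renders that column as a clickable link, analysts would be directed to a host outside their instance, so the base URL should become a workbook parameter. The same hard-coded host is present in the serialized workbook inside mainTemplate.json, and the enclosing workbook item starts before this hunk.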