regex replace with ipv4_is_private

This commit is contained in:
Ashwin Patil 2022-03-14 11:10:08 -07:00 коммит произвёл GitHub
Родитель f14f337533
Коммит 9a0d1fa7bd
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
7 изменённых файлов: 18 добавлений и 36 удалений


@ -25,13 +25,11 @@ relevantTechniques:
- T1078
query: |
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let aadFunc = (tableName:string){
CommonSecurityLog
| where DeviceVendor =~ "Cisco"
| where DeviceAction =~ "denied"
| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,"private" ,"public" )
| where SourceIPType == "public"
| where ipv4_is_private(SourceIP) == false
| summarize count() by SourceIP
| join (
// Successful signins from IPs blocked by the firewall solution are suspect
@ -54,5 +52,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled
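Review bot: `| where ipv4_is_private(SourceIP) == false` is not equivalent to the regex test it replaces: the old `iff(... matches regex ...)` labelled every non-matching value, including IPv6 and unparsable strings, "public" and kept it, whereas ipv4_is_private returns null for anything it cannot parse as IPv4 and `null == false` is dropped by `where`, so those rows now vanish silently; the same pattern recurs in the VMConnection, CommonSecurityLog, W3CIISLog (cIP, where IIS does record IPv6 clients) and WireData hunks in the sections below. The regex also excluded 127.x loopback, which ipv4_is_private, as far as the Kusto docs describe it, does not cover (RFC 1918 blocks only), so loopback now reads as "public" — most visibly in the Syslog SSH rule, where `countif(result == true)` / `countif(result == false)` additionally count a null result in neither bucket. If the old behaviour is intended, spell the null case out, e.g. `| where coalesce(ipv4_is_private(SourceIP), false) == false`, and add an `ipv4_is_in_range(SourceIP, "127.0.0.0/8")` exclusion where loopback matters; otherwise note in each rule's description that non-IPv4 sources are no longer evaluated.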


@ -33,14 +33,13 @@ query: |
let timeframe = 1h;
let scorethreshold = 5;
let bytessentperhourthreshold = 10;
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let TimeSeriesData = (union isfuzzy=true
(
VMConnection
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where isnotempty(DestinationIp) and isnotempty(SourceIp)
| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public" | extend DeviceVendor = "VMConnection"
| where ipv4_is_private(DestinationIP) == false
| extend DeviceVendor = "VMConnection"
| project TimeGenerated, BytesSent, DeviceVendor
| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor
),
@ -48,8 +47,7 @@ query: |
CommonSecurityLog
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where isnotempty(DestinationIP) and isnotempty(SourceIP)
| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public"
| where ipv4_is_private(DestinationIP) == false
| project TimeGenerated, SentBytes, DeviceVendor
| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor
)
@ -70,8 +68,7 @@ query: |
| where TimeGenerated > ago(2d)
| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour
| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours
| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public"
| where ipv4_is_private(DestinationIP) == false
| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)
| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)
| where TotalSentBytesinMB > bytessentperhourthreshold
@ -87,8 +84,7 @@ query: |
| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour
| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours
| extend SourceIP = SourceIp, DestinationIP = DestinationIp
| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public" | extend DeviceVendor = "VMConnection"
| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = "VMConnection"
| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)
| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)
| where TotalSentBytesinMB > bytessentperhourthreshold
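Review bot: The new `| where ipv4_is_private(DestinationIP) == false` on the VMConnection branch at the top of this section references a column that does not exist at that point: VMConnection's column is `DestinationIp` (lower-case p, as the neighbouring `isnotempty(DestinationIp)` and the removed regex line use), and Kusto identifiers are case-sensitive, so as far as I can tell this branch fails with a column-resolution error instead of filtering. The line should read `| where ipv4_is_private(DestinationIp) == false`. The Log4j rule's VMConnection hunk has the same mistake — there `DestinationIP` only comes into existence in the `summarize ... DestinationIP = DestinationIp` that follows the new `where`, so that filter must use `DestinationIp` as well. The later VMConnection hunk in this section is fine because `extend SourceIP = SourceIp, DestinationIP = DestinationIp` precedes it, and the DNS-exfil rule's VMConnection hunk already uses `DestinationIp`.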


@ -17,7 +17,6 @@ relevantTechniques:
- T1078
query: |
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let avgthreshold = 0;
let probabilityLimit = 0.01;
let ssh_logins = Syslog
@ -25,9 +24,9 @@ query: |
| where SyslogMessage has "Accepted"
| extend SourceIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))",1,SyslogMessage)
| where isnotempty(SourceIP)
| extend ipType = iff(SourceIP matches regex PrivateIPregex,"private" ,"public");
| extend result = ipv4_is_private(SourceIP)
ssh_logins
| summarize privatecount=countif(ipType=="private"), publiccount=countif(ipType=="public") by HostName, HostIP, bin(EventTime, 1d)
| summarize privatecount=countif(result== true), publiccount=countif(result==false) by HostName, HostIP, bin(EventTime, 1d)
| summarize
publicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),
privateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP
@ -55,12 +54,12 @@ query: |
// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect
// | join kind=rightsemi (
// ssh_logins
// | where ipType == "public"
// | where result == false
// ) on HostName
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled


@ -21,7 +21,6 @@ tags:
- log4j
- log4shell
query: |
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let Port = dynamic(['389', '1389']);
(union isfuzzy=true
(DeviceNetworkEvents
@ -36,8 +35,7 @@ query: |
(VMConnection
| where ProcessName has_any ("javaw","java")
| where DestinationPort in ('389', '1389')
| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public"
| where ipv4_is_private(DestinationIP) == false
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by TimeGenerated, SourceIP = SourceIp , DestinationIP = DestinationIp, DestinationPort, BytesReceived, BytesSent, ProcessName, Computer
| extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer
)


@ -33,7 +33,6 @@ query: |
let binvalue = 1;
let bintime = make_timespan(binvalue,0);
let avgCalc = starttime/1h;
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
// Identify all domain lookups before start time and after lookback time
let DomainLookups = DnsEvents
| where TimeGenerated between(ago(lookback)..starttime)
@ -70,15 +69,13 @@ query: |
| extend DnsIPAddress = tostring(DnsIPAddress)
| distinct LookupStartTime, LookupEndTime, ClientIP, Domain, DnsIPAddress, LookupCountToday, DailyAvgLookupCountOverLookback
| extend IPCustomEntity = DnsIPAddress
| extend DnsIPType = iff(DnsIPAddress matches regex PrivateIPregex,"private" ,"public" )
| where DnsIPType =="public"
| where ipv4_is_private(DnsIPAddress) == false
;
let DataMovement = ( union isfuzzy=true
(CommonSecurityLog
| where TimeGenerated between(starttime..endtime)
| where DeviceVendor =="Palo Alto Networks" and Activity == "TRAFFIC"
| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIPType =="public"
| where ipv4_is_private(DestinationIP) == false
| project DataType = DeviceVendor, TimeGenerated, SourceIP , SourcePort , DestinationIP, DestinationPort, ReceivedBytes, SentBytes
| sort by SourceIP asc, SourcePort asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc
| summarize sum(ReceivedBytes), sum(SentBytes), ConnectionCount = count() by DataType, SourceIP, SourcePort, DestinationIP, DestinationPort
@ -88,8 +85,7 @@ query: |
(WireData
| where TimeGenerated between(starttime..endtime)
| where Direction == "Outbound"
| extend RemoteIPType = iff(RemoteIP matches regex PrivateIPregex,"private" ,"public" )
| where RemoteIPType =="public"
| where ipv4_is_private(RemoteIP) == false
| project DataType = Type, TimeGenerated , SourceIP = LocalIP , SourcePort = LocalPortNumber , DestinationIP = RemoteIP, DestinationPort = RemotePortNumber, ReceivedBytes, SentBytes
| summarize sum(ReceivedBytes), sum(SentBytes), ConnectionCount = count() by DataType, SourceIP, SourcePort, DestinationIP, DestinationPort
| extend IPCustomEntity = DestinationIP
@ -99,8 +95,7 @@ query: |
(VMConnection
| where TimeGenerated between(starttime..endtime)
| where Direction == "outbound"
| extend DestinationIPType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIPType =="public"
| where ipv4_is_private(DestinationIp) == false
| project DataType = Type, TimeGenerated, SourceIP = SourceIp , DestinationIP = DestinationIp, DestinationPort, ReceivedBytes = BytesReceived, SentBytes = BytesSent
| summarize sum(ReceivedBytes), sum(SentBytes), ConnectionCount = count() by DataType, SourceIP, DestinationIP, DestinationPort
| sort by sum_SentBytes desc


@ -19,15 +19,13 @@ query: |
// for any returns that are gt or equal to the default of 50
let cIP_MethodCountLimit = 50;
// Exclude private ip ranges from cIP list
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
// Exclude common csMethods, add/modify this list as needed for your environment
let csMethodExclude = dynamic(['GET', 'DEBUG', 'DELETE', 'LOCK', 'MKCOL', 'MOVE', 'PATCH', 'POST', 'PROPPATCH',
'PUT', 'SEARCH', 'TRACE', 'TRACK', 'UNLOCK', 'OPTIONS', 'HEAD', 'RPC_IN_DATA', 'RPC_OUT_DATA', 'PROPFIND','BITS_POST','CCM_POST']);
// Include in the list expected IPs where remote methods such as vuln scanning may be expected for your environment
let expectedIPs = dynamic(['X.X.X.X', 'Y.Y.Y.Y']);
let codeInjectionAttempts = W3CIISLog
| extend cIPType = iff(cIP matches regex PrivateIPregex,"private" ,"public" )
| where cIPType =="public"
| where ipv4_is_private(cIP) == false
| where cIP !in (expectedIPs)
| project TimeGenerated, cIP, csUserName, csMethod, csCookie, csHost, sIP, scStatus, csUriStem, csUriQuery, csUserAgent, csReferer
// Throwing entire record into a single string column for attributable string matching


@ -22,11 +22,9 @@ query: |
let TimeDeltaThreshold = 10;
let TotalEventsThreshold = 15;
let PercentBeaconThreshold = 95;
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
WireData
| where TimeGenerated > lookback
| extend RemoteIPType = iff(RemoteIP matches regex PrivateIPregex,"private" ,"public" )
| where RemoteIPType =="public"
| where ipv4_is_private(RemoteIP) == false
| project TimeGenerated , LocalIP , LocalPortNumber , RemoteIP, RemotePortNumber, ReceivedBytes, SentBytes
| sort by LocalIP asc,TimeGenerated asc, RemoteIP asc, RemotePortNumber asc
| serialize