From b2bb247076c6dd684df3a0b16162c5de8dbd216f Mon Sep 17 00:00:00 2001
From: aprakash13
Date: Wed, 11 Sep 2024 17:09:57 -0700
Subject: [PATCH] =?UTF-8?q?Adding=20entity=20mapping=20to=20the=20URLEntit?=
 =?UTF-8?q?y=5FCloudAppEvents.yaml=20Also=20it=20seemd=20that=20the=20URL?=
 =?UTF-8?q?=20field=20wasn't=20being=20parsed=20correctly.=20The=20extract?=
 =?UTF-8?q?=20function=20seemed=20to=20have=20a=20semicolon=20at=20the=20e?=
 =?UTF-8?q?nd,=20which=20suggested=20that=20URLs=20were=20expected=20to=20?=
 =?UTF-8?q?end=20with=20a=20semicolon=E2=80=94it=20seems=20this=20isn't=20?=
 =?UTF-8?q?always=20the=20case.=20Removing=20the=20semicolons=20in=20three?=
 =?UTF-8?q?=20yaml=20files.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Analytic Rules/URLEntity_AuditLogs.yaml | 4 +--
 .../URLEntity_CloudAppEvents.yaml | 35 ++++++++++++++++---
 .../URLEntity_OfficeActivity.yaml | 4 +--
 3 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
index f1b0940055..83ab10e6f5 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
@@ -30,7 +30,7 @@ query: |
 let AuditEvents = materialize(AuditLogs
 | where TimeGenerated >= ago(dt_lookBack)
 // Extract the URL that is contained within the JSON data
- | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources))
+ | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,tostring(TargetResources))
 | where isnotempty(Url)
 | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
 | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)
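Review bot: Dropping the literal `;` after the capture group changes what `Url` can contain, because the class `[$-_@.&+]` inside the group is a range from `$` to `_` (it is what lets `/`, `:`, `?` and `=` match) and that range also includes `;`, so where a URL in `TargetResources` is followed by `;` the greedy `+` now keeps the `;` as part of `Url` and the value will no longer equal the indicator it is matched against. A cleanup step right after the extract, `| extend Url = tostring(split(Url, ';')[0])`, keeps the fix for URLs that have no terminator while restoring the previous result for those that do. The same regex edit appears in the URLEntity_CloudAppEvents.yaml hunk, where nothing between the `extend Url` and the `on Url` join cleans the value, and in the URLEntity_OfficeActivity.yaml hunk. The `materialize(AuditLogs ...)` block continues past the end of the hunk.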
@@ -73,5 +73,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
index 726b2b48da..86bc837431 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
@@ -23,16 +23,41 @@ query: |
 let ioc_lookBack = 14d;
 ThreatIntelligenceIndicator
 | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(Url)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | where Active == true and ExpirationDateTime > now()
 | join kind=innerunique (CloudAppEvents
- | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1, tostring(ActivityObjects))
- | extend userPrincipalName = tostring(parse_json(tostring(AccountId)).userPrincipalName)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
+ | extend userPrincipalName = tostring(RawEventData.UserId)
 | extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
 | extend CloudApps_TimeGenerated = TimeGenerated) on Url
 | where CloudApps_TimeGenerated < ExpirationDateTime
 | summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
- | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore
- | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore
-version: 1.0.2
+ | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore, IPAddress = max_CloudApps_TimeGenerated_IPAddress, AccountObjectId = max_CloudApps_TimeGenerated_AccountObjectId, AccountDisplayName = max_CloudApps_TimeGenerated_AccountDisplayName, ObjectName = max_CloudApps_TimeGenerated_ObjectName, Application= max_CloudApps_TimeGenerated_Application, ApplicationID = max_CloudApps_TimeGenerated_ApplicationId, userPrincipalName = max_CloudApps_TimeGenerated_userPrincipalName
+ | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: ObjectGuid
+ columnName: AccountObjectId
+ - identifier: FullName
+ columnName: userPrincipalName
+ - identifier: DisplayName
+ columnName: AccountDisplayName
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IPAddress
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Application
+ - identifier: AppId
+ columnName: ApplicationID
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
index 30fd5338ed..f55f6a5726 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
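Review bot: The Account mapping added at the end of the hunk binds `AccountObjectId` to `ObjectGuid`, but `ObjectGuid` is the identifier for an on-premises Active Directory object GUID; `AccountObjectId` in CloudAppEvents is the Entra ID object id and belongs under `AadUserId`, i.e. `- identifier: AadUserId` with `columnName: AccountObjectId`, otherwise the entity will not resolve to the Entra user in entity pages and UEBA. The new `| where TimeGenerated >= ago(dt_lookBack)` line relies on `dt_lookBack`, which is not declared within the hunk; presumably a `let` sits above `let ioc_lookBack = 14d;`, so it is worth confirming it is defined in this file. Switching `userPrincipalName` to `tostring(RawEventData.UserId)` is an assumption about the raw event shape that may leave the column empty for connected apps whose events do not carry a `UserId`, which deserves a comment on that line such as `// UserId taken from the raw event; may be empty for apps that do not populate it`.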
@@ -38,7 +38,7 @@ query: |
 // OfficeActivity
 // | where TimeGenerated >= ago(dt_lookBack)
 // //Extract the Url from a number of potential fields
- // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
+ // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
 // | where isnotempty(Url)
 // // Ensure we get a clean URL
 // | extend Url = tostring(split(Url, ';')[0])
@@ -65,5 +65,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.2.8
+version: 1.2.9
 kind: Scheduled
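Review bot: The edited line sits inside a `//` comment block — every line from `// OfficeActivity` through `// | extend Url = tostring(split(Url, ';')[0])` is commented out — so removing the `;` from this regex has no effect on what the rule executes; the active query is outside the hunk. If the live `extract()` uses the same pattern it needs the same edit there, and the dead block should either be deleted or headed with a note such as `// Legacy OfficeActivity-based URL extraction, kept for reference only; not executed` so the next reader does not mistake it for the running logic.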