Adding entity mapping to the URLEntity_CloudAppEvents.yaml

Also it seemd that the URL field wasn't being parsed correctly. The extract function seemed to have a semicolon at the end, which suggested that URLs were expected to end with a semicolon—it seems this isn't always the case.
Removing the semicolons in three yaml files.

Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml

@@ -30,7 +30,7 @@ query: |
   let AuditEvents = materialize(AuditLogs
     | where TimeGenerated >= ago(dt_lookBack)
     // Extract the URL that is contained within the JSON data
-    | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources))
+    | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,tostring(TargetResources))
     | where isnotempty(Url)
     | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
     | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)
@@ -73,5 +73,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml

@@ -23,16 +23,41 @@ query: |
   let ioc_lookBack = 14d;
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack)
+  | where isnotempty(Url)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true and ExpirationDateTime > now()
   | join kind=innerunique (CloudAppEvents
-  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1, tostring(ActivityObjects))
-  | extend userPrincipalName = tostring(parse_json(tostring(AccountId)).userPrincipalName)
+  | where TimeGenerated >= ago(dt_lookBack)
+  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
+  | extend userPrincipalName = tostring(RawEventData.UserId)
   | extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
   | extend CloudApps_TimeGenerated = TimeGenerated) on Url
   | where CloudApps_TimeGenerated < ExpirationDateTime
   | summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
-  | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore
-  | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore
-version: 1.0.2
+  | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore, IPAddress = max_CloudApps_TimeGenerated_IPAddress, AccountObjectId = max_CloudApps_TimeGenerated_AccountObjectId, AccountDisplayName = max_CloudApps_TimeGenerated_AccountDisplayName, ObjectName = max_CloudApps_TimeGenerated_ObjectName, Application= max_CloudApps_TimeGenerated_Application, ApplicationID = max_CloudApps_TimeGenerated_ApplicationId, userPrincipalName = max_CloudApps_TimeGenerated_userPrincipalName
+  | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: ObjectGuid
+        columnName: AccountObjectId
+      - identifier: FullName
+        columnName: userPrincipalName
+      - identifier: DisplayName
+        columnName: AccountDisplayName
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Url
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPAddress
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: Application
+      - identifier: AppId
+        columnName: ApplicationID
+version: 1.0.3
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml

@@ -38,7 +38,7 @@ query: |
   // OfficeActivity
   // | where TimeGenerated >= ago(dt_lookBack)
   // //Extract the Url from a number of potential fields
-  // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
+  // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
   // | where isnotempty(Url)
   // // Ensure we get a clean URL
   // | extend Url = tostring(split(Url, ';')[0])
@@ -65,5 +65,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.8
+version: 1.2.9
 kind: Scheduled