Updating to include URLCustomEntity where available.

2019-12-23 10:38:26 -08:00 · 2019-12-23 10:38:26 -08:00 · ba90e4555f
--- a/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml
+++ b/Detections/MultipleDataSources/NetworkEndpointCorrelation.yaml
@ -37,4 +37,4 @@ query: |
  | project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP 
  | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
  | join (endpointData) on $left.suspectExeName == $right.shortFileName 
-  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
+  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL
--- a/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml
+++ b/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml
@ -43,6 +43,6 @@ query: |
  )
  on ClientIP
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP 
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url
  | order by Operation, UserId asc

--- a/Detections/OfficeActivity/SharePoint_Downloads_byNewUserAgent.yaml
+++ b/Detections/OfficeActivity/SharePoint_Downloads_byNewUserAgent.yaml
@ -45,6 +45,6 @@ query: |
  )
  on UserAgent
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url
  | order by UserAgent asc, Operation asc, UserId asc

--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
@ -47,5 +47,5 @@ query: |
        | extend DNS_TimeGenerated = TimeGenerated
    ) on $left.DomainName==$right.Name
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
-    | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP
+    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
+    | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
@ -57,5 +57,5 @@ query: |
        | extend Alert_Description = Description
    ) on $left.DomainName==$right.domain
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr
-    | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr
+    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url
+    | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
@ -47,5 +47,5 @@ query: |
        | extend Syslog_TimeGenerated = TimeGenerated
    ) on $left.DomainName==$right.domain
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP
-    | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP
+    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
+    | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
@ -34,7 +34,7 @@ query: |
  )
  on $left.EmailRecipient == $right.Caller
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated, 
  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName, 
  OperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId
-  | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
+  | extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
@ -33,6 +33,6 @@ query: |
  )
  on $left.EmailRecipient == $right.UserId
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, 
  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
-  | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
+  | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
@ -36,7 +36,7 @@ query: |
  )
  on $left.EmailRecipient == $right.DestinationUserID
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, 
  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, 
  SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol
-  | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP
+  | extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
@ -31,7 +31,8 @@ query: |
      // Converting Entities into dynamic data type and use mv-expand to unpack the array
      | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
      // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix
-      | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name), EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
+      | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name), 
+      EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
      | where Entitytype =~ "account" 
      | extend EntityEmail = tolower(strcat(EntityName, "@", EntityUPNSuffix))
      | where EntityEmail matches regex emailregex
@ -39,6 +40,7 @@ query: |
  )
  on $left.EmailRecipient == $right.EntityEmail
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated, 
-  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName 
-  | extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated, 
+  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, 
+  AlertSeverity, Entities, ProviderName, VendorName 
+  | extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
@ -35,7 +35,7 @@ query: |
  )
  on $left.EmailRecipient == $right.TargetUserName
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, 
  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType, 
  LogonTypeName, LogonProcessName, Status, SubStatus 
-  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer
+  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
@ -38,7 +38,7 @@ query: |
  )
  on $left.EmailRecipient == $right.UserPrincipalName
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, 
  EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, 
  StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP
-  | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
+  | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
@ -31,5 +31,7 @@ query: |
  )
  on $left.FileHashValue == $right.FileHash
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
-  | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
+  CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, 
+  RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
+  | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
@ -32,5 +32,6 @@ query: |
  )
  on $left.FileHashValue == $right.FileHash
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
-  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
+  SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
+  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
@ -37,7 +37,7 @@ query: |
  )
  on $left.TI_ipEntity == $right.SourceIpAddress
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated, 
  TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, 
  NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
+  | extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
@ -37,6 +37,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.CallerIpAddress
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, 
  TI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller
+  | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
@ -41,6 +41,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.SingleIP
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, 
  TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer
+  | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
@ -37,6 +37,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.ClientIP
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, 
  TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
+  | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
@ -38,6 +38,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.RemoteIp
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated, 
  TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer
+  | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
@ -39,7 +39,7 @@ query: |
  )
  on $left.TI_ipEntity == $right.cIP
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  W3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, 
  NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
+  | extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
@ -38,6 +38,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.RemoteIP
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated, 
  TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
+  | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
@ -39,6 +39,6 @@ query: |
  )
  on $left.TI_ipEntity == $right.IPAddress
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, 
  TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
-  | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
+  | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
@ -37,5 +37,5 @@ query: |
  ) on Url
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
-  Audit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName
-  | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName
+  Audit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url
+  | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
@ -38,5 +38,6 @@ query: |
    | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) 
  ) on Url
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User
-  | extend timestamp = Office_TimeGenerated, AccountCustomEntity = User
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, 
+  UserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User
+  | extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
@ -43,4 +43,4 @@ query: |
    | extend CSL_TimeGenerated = TimeGenerated
  ) on $left.Url == $right.PA_Url
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName
-  | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName 
+  | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
@ -40,5 +40,6 @@ query: |
    | extend Alert_TimeGenerated = TimeGenerated
  ) on Url
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, AlertSeverity, Description, Url, Compromised_Host
-  | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host
+  | project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, 
+  AlertName, AlertSeverity, Description, Url, Compromised_Host
+  | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
@ -35,4 +35,4 @@ query: |
  ) on Url
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP
-  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP
+  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
--- a/Queries/Syslog/disabled_account_squid_usage.yaml
+++ b/Queries/Syslog/disabled_account_squid_usage.yaml
@ -39,5 +39,5 @@ query: |
  proxyEvents 
  | where Status !contains 'DENIED'
  | join kind=inner disabledAccounts on $left.User == $right.UserPrincipalName
-  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName
+  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, URLCustomEntity = URL
  
--- a/Queries/Syslog/squid_abused_tlds.yaml
+++ b/Queries/Syslog/squid_abused_tlds.yaml
@ -28,7 +28,7 @@ query: |
           Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)",3,SyslogMessage)
  | extend TLD = extract("\\.[a-z]*$",0,Domain)
  | where TLD in ( ".click", ".club", ".download",  ".xxx", ".xyz")
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), clientCount = dcount(SourceIP) by TLD, User
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), clientCount = dcount(SourceIP) by TLD, User, URL
  | order by TLD asc, clientCount desc
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = User
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = User, URLCustomEntity = URL
  
--- a/Queries/Syslog/squid_malformed_requests.yaml
+++ b/Queries/Syslog/squid_malformed_requests.yaml
@ -28,7 +28,7 @@ query: |
           contentType = extract("([a-z/]+$)",1,SyslogMessage)
  | extend TLD = extract("\\.[a-z]*$",0,Domain)
  | where Domain !contains '.' and isnotempty(Domain)
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), badRequestCount = count() by Domain, SourceIP, User
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), badRequestCount = count() by Domain, SourceIP, User, URL
  | order by badRequestCount desc
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIP
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIP, URLCustomEntity = URL
  
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml
@ -27,6 +27,6 @@ query: |
  )
  on $left.FileName == $right.SourceFileName
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  OfficeActivity_TimeGenerated, FileName, UserId, ClientIP, OfficeObjectId
-  | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
+  | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml
@ -28,6 +28,6 @@ query: |
  )
  on $left.FileName == $right.Process
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  SecurityEvent_TimeGenerated, FileName, Computer, IpAddress, Account, Event, Activity  
-  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
+  | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress, URLCustomEntity = Url
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml
@ -28,6 +28,6 @@ query: |
  )
  on $left.TI_ProcessEntity == $right.ProcessName
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  Syslog_TimeGenerated, FileName, Computer, HostIP, SyslogMessage  
-  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP
+  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml
@ -28,6 +28,6 @@ query: |
  )
  on $left.TI_ProcessEntity == $right.ProcessName
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  VMConnection_TimeGenerated, FileName, Computer, Direction, SourceIp, DestinationIp, RemoteIp, DestinationPort, Protocol 
-  | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer
+  | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url
--- a/Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
+++ b/Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml
@ -28,6 +28,6 @@ query: |
  )
  on $left.FileName == $right.Process
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
-  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
+  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
  WireData_TimeGenerated, FileName, Computer, Direction, LocalIP, RemoteIP, LocalPortNumber, RemotePortNumber
-  | extend timestamp = WireData_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = RemoteIP
+  | extend timestamp = WireData_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = RemoteIP, URLCustomEntity = Url
--- a/Queries/ThreatIntelligenceIndicator/Sample-DNSEventsMatchToThreatIntel.yaml
+++ b/Queries/ThreatIntelligenceIndicator/Sample-DNSEventsMatchToThreatIntel.yaml
@ -21,5 +21,5 @@ query: |
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | summarize by Url) on $left.Name == $right.Url
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() 
-  by Computer, ClientIP, ThreatIntel_Related_Domain = Name
-  | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = ClientIP
+  by Computer, ClientIP, ThreatIntel_Related_Domain = Name, Url
+  | extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
--- a/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
+++ b/Queries/W3CIISLog/Potential_IIS_CodeInject.yaml
@ -66,5 +66,5 @@ query: |
  (union isfuzzy=true
  cIP_MethodHighCount, codeInjectAtt
  | sort by cIP_MethodCount desc, cIP desc, StartTimeUtc desc)
-  | extend timestamp = StartTimeUtc, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName
+  | extend timestamp = StartTimeUtc, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName, URLCustomEntity = csUriQuery