Fixed Emailaddress field to match with TI
This commit is contained in:
Родитель
a65f9881f6
Коммит
ceac069524
|
@ -28,17 +28,17 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)
|
||||
| extend Caller = tolower(Caller)
|
||||
| where Caller matches regex emailregex
|
||||
| extend AzureActivity_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.Caller
|
||||
on $left.EmailSenderAddress == $right.Caller
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,
|
||||
OperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId
|
||||
| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
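Review bot: The new join key `on $left.EmailSenderAddress == $right.Caller` is a case-sensitive comparison, yet this hunk lowercases only the right side (`| extend Caller = tolower(Caller)`); unless EmailSenderAddress is normalized above line 28, outside the hunk, a mixed-case indicator value will silently never match, which is a detection gap rather than a query error. I would add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side, directly after the new `| where isnotempty(EmailSenderAddress)` line, and the same applies to the other hunks of this commit: in the visible lines the OfficeActivity, CommonSecurityLog and SecurityAlert hunks lowercase neither side (UserId, DestinationUserID, EntityEmail), and the SecurityEvent and SigninLogs hunks update the comment to say "exact match with EmailSenderAddress column" while still normalizing only TargetUserName / UserPrincipalName. A secondary point: the new `| project` list now carries EmailRecipient but not the matched EmailSenderAddress, so the indicator value survives only through Caller; projecting it explicitly keeps the matched value visible in the result. The enclosing `query: |` block starts before this hunk, so the earlier part of the indicator pipeline is not visible here.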
|
|
|
@ -28,16 +28,16 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)
|
||||
| where UserId matches regex emailregex
|
||||
| extend OfficeActivity_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.UserId
|
||||
on $left.EmailSenderAddress == $right.UserId
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
|
||||
| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
|
|
|
@ -28,7 +28,7 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)
|
||||
// Filtering PAN Logs for specific event type to match relevant email entities
|
||||
|
@ -37,10 +37,10 @@ query: |
|
|||
| where DestinationUserID matches regex emailregex
|
||||
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.DestinationUserID
|
||||
on $left.EmailSenderAddress == $right.DestinationUserID
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,
|
||||
SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol
|
||||
| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
|
|
|
@ -28,7 +28,7 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
SecurityAlert | where TimeGenerated >= ago(dt_lookBack)
|
||||
// Converting Entities into dynamic data type and use mv-expand to unpack the array
|
||||
|
@ -41,10 +41,10 @@ query: |
|
|||
| where EntityEmail matches regex emailregex
|
||||
| extend SecurityAlert_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.EntityEmail
|
||||
on $left.EmailSenderAddress == $right.EntityEmail
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,
|
||||
AlertSeverity, Entities, ProviderName, VendorName
|
||||
| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
|
|
|
@ -28,18 +28,18 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)
|
||||
//Normalizing the column to lower case for exact match with EmailRecipient column
|
||||
//Normalizing the column to lower case for exact match with EmailSenderAddress column
|
||||
| extend TargetUserName = tolower(TargetUserName)
|
||||
// renaming timestamp column so it is clear the log this came from SecurityEvent table
|
||||
| extend SecurityEvent_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.TargetUserName
|
||||
on $left.EmailSenderAddress == $right.TargetUserName
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,
|
||||
LogonTypeName, LogonProcessName, Status, SubStatus
|
||||
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
|
|
|
@ -28,10 +28,10 @@ query: |
|
|||
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
||||
| where Active == true
|
||||
//Filtering the table for Email related IOCs
|
||||
| where isnotempty(EmailRecipient)
|
||||
| where isnotempty(EmailSenderAddress)
|
||||
| join (
|
||||
SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)
|
||||
//Normalizing the column to lower case for exact match with EmailRecipient column
|
||||
//Normalizing the column to lower case for exact match with EmailSenderAddress column
|
||||
| extend UserPrincipalName = tolower(UserPrincipalName)
|
||||
| where UserPrincipalName matches regex emailregex
|
||||
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
|
||||
|
@ -39,10 +39,10 @@ query: |
|
|||
// renaming timestamp column so it is clear the log this came from SigninLogs table
|
||||
| extend SigninLogs_TimeGenerated = TimeGenerated
|
||||
)
|
||||
on $left.EmailRecipient == $right.UserPrincipalName
|
||||
on $left.EmailSenderAddress == $right.UserPrincipalName
|
||||
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
||||
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,
|
||||
EmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,
|
||||
EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,
|
||||
StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP
|
||||
| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url
|
||||
entityMappings:
|
||||
|
|