Add files via upload

Adding query which Identifies a match in CommonSecurityLog table from any Domain IOC from TI

Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml

@@ -0,0 +1,56 @@
+id: dd0a6029-ecef-4507-89c4-fc355ac52111
+name: (Preview) TI map Domain entity to CommonSecurityLog
+description: |
+  'Identifies a match in CommonSecurityLog table from any Domain IOC from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+    let dt_lookBack = 1h;
+    let ioc_lookBack = 14d;
+    //Create a list of TLDs in our threat feed for later validation of extracted domains
+    let list_tlds = ThreatIntelligenceIndicator
+        | where TimeGenerated > ago(ioc_lookBack)
+        | where isnotempty(DomainName)
+        | extend DomainName = tolower(DomainName)
+        | extend parts = split(DomainName, '.')
+        | extend tld = parts[(array_length(parts)-1)]
+        | summarize count() by tostring(tld)
+        | summarize makelist(tld);
+        ThreatIntelligenceIndicator
+        | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+        | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+        | where Active == true
+        // Picking up only IOC's that contain the entities we want
+        | where isnotempty(DomainName)
+        | join (
+            CommonSecurityLog
+            | extend IngestionTime = ingestion_time()
+            | where IngestionTime > ago(dt_lookBack)
+            | where DeviceEventClassID =~ 'url'
+            //Uncomment the line below to only alert on allowed connections
+            //| where DeviceAction !~ "block-url"
+            //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
+            | extend PA_Url = columnifexists("RequestURL", "None")
+            | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
+            | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
+            | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
+            | where isnotempty(Domain)
+            | extend Domain = tolower(Domain)
+            | extend parts = split(Domain, '.')
+            //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
+            | extend tld = parts[(array_length(parts)-1)]
+            //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
+            | where tld in~ (list_tlds)
+            | extend CSL_TimeGenerated = TimeGenerated
+        ) on $left.DomainName==$right.Domain
+        | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
+        | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url