79 строки
4.0 KiB
YAML
79 строки
4.0 KiB
YAML
id: ec21493c-2684-4acd-9bc2-696dbad72426
|
|
name: (Preview) TI map Domain entity to PaloAlto
|
|
description: |
|
|
'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: PaloAltoNetworks
|
|
dataTypes:
|
|
- CommonSecurityLog
|
|
- connectorId: ThreatIntelligence
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
- connectorId: ThreatIntelligenceTaxii
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
queryFrequency: 1h
|
|
queryPeriod: 14d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Impact
|
|
query: |
|
|
|
|
let dt_lookBack = 1h;
|
|
let ioc_lookBack = 14d;
|
|
//Create a list of TLDs in our threat feed for later validation of extracted domains
|
|
let list_tlds = ThreatIntelligenceIndicator
|
|
| where TimeGenerated > ago(ioc_lookBack)
|
|
| where isnotempty(DomainName)
|
|
| extend DomainName = tolower(DomainName)
|
|
| extend parts = split(DomainName, '.')
|
|
| extend tld = parts[(array_length(parts)-1)]
|
|
| summarize count() by tostring(tld)
|
|
| summarize make_list(tld);
|
|
ThreatIntelligenceIndicator
|
|
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
|
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
|
| where Active == true
|
|
// Picking up only IOC's that contain the entities we want
|
|
| where isnotempty(DomainName)
|
|
| join (
|
|
CommonSecurityLog
|
|
| extend IngestionTime = ingestion_time()
|
|
| where IngestionTime > ago(dt_lookBack)
|
|
| where DeviceVendor =~ 'Palo Alto Networks'
|
|
| where DeviceEventClassID =~ 'url'
|
|
//Uncomment the line below to only alert on allowed connections
|
|
//| where DeviceAction !~ "block-url"
|
|
//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
|
|
| extend PA_Url = columnifexists("RequestURL", "None")
|
|
| extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
|
|
| extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
|
|
| extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
|
|
| where isnotempty(Domain)
|
|
| extend Domain = tolower(Domain)
|
|
| extend parts = split(Domain, '.')
|
|
//Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
|
|
| extend tld = parts[(array_length(parts)-1)]
|
|
//Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
|
|
| where tld in~ (list_tlds)
|
|
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
|
|
) on $left.DomainName==$right.Domain
|
|
| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
|
|
| project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
|
|
| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
|
|
entityMappings:
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
- entityType: URL
|
|
fieldMappings:
|
|
- identifier: Url
|
|
columnName: URLCustomEntity
|
|
version: 1.0.0 |