63 строки
2.5 KiB
YAML
63 строки
2.5 KiB
YAML
id: f30a47c1-65fb-42b1-a7f4-00941c12550b
|
|
name: TI map URL entity to SecurityAlert data
|
|
description: |
|
|
'Identifies a match in SecurityAlert data from any URL IOC from TI'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: MicrosoftCloudAppSecurity
|
|
dataTypes:
|
|
- SecurityAlert
|
|
- connectorId: AzureSecurityCenter
|
|
dataTypes:
|
|
- SecurityAlert
|
|
- connectorId: ThreatIntelligence
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
- connectorId: ThreatIntelligenceTaxii
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
queryFrequency: 1h
|
|
queryPeriod: 14d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Impact
|
|
query: |
|
|
|
|
let dt_lookBack = 1h;
|
|
let ioc_lookBack = 14d;
|
|
ThreatIntelligenceIndicator
|
|
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
|
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
|
|
| where Active == true
|
|
// Picking up only IOC's that contain the entities we want
|
|
| where isnotempty(Url)
|
|
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
|
|
| join kind=innerunique (
|
|
SecurityAlert
|
|
| where TimeGenerated >= ago(dt_lookBack)
|
|
| extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
|
|
| where MSTI == false
|
|
// Extract URL from JSON data
|
|
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,Entities)
|
|
// We only want alerts that actually contain URL data
|
|
| where isnotempty(Url)
|
|
// Extract hostname from JSON data for entity mapping
|
|
| extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
|
|
| extend Alert_TimeGenerated = TimeGenerated
|
|
) on Url
|
|
| where Alert_TimeGenerated < ExpirationDateTime
|
|
| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName
|
|
| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host
|
|
| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url
|
|
entityMappings:
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|
|
- entityType: URL
|
|
fieldMappings:
|
|
- identifier: Url
|
|
columnName: URLCustomEntity
|
|
version: 1.2.2
|
|
kind: Scheduled |