57 строки
2.2 KiB
YAML
57 строки
2.2 KiB
YAML
id: 233441b9-cc92-4c9b-87fa-73b855fcd4b8
|
|
name: Preview - TI map File entity to Security Event
|
|
description: |
|
|
'Identifies a match in Security Event data from any FileName IOC from TI.
|
|
As File name matches can create noise, this is best as hunting query'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
- connectorId: ThreatIntelligence
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
- connectorId: ThreatIntelligenceTaxii
|
|
dataTypes:
|
|
- ThreatIntelligenceIndicator
|
|
tactics:
|
|
- Impact
|
|
query: |
|
|
|
|
let starttime = todatetime('{{StartTimeISO}}');
|
|
let endtime = todatetime('{{EndTimeISO}}');
|
|
let ioc_lookBack = 14d;
|
|
ThreatIntelligenceIndicator
|
|
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
|
|
| where Active == true
|
|
| where isnotempty(FileName)
|
|
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
|
|
| join kind=innerunique (
|
|
SecurityEvent
|
|
| where TimeGenerated between(starttime..endtime)
|
|
| where EventID in ("4688","8002","4648","4673")
|
|
| where isnotempty(Process)
|
|
| extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
|
|
)
|
|
on $left.FileName == $right.Process
|
|
| where SecurityEvent_TimeGenerated < ExpirationDateTime
|
|
| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, Process
|
|
| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
|
|
FileName, Computer, IpAddress, Account, Event, Activity
|
|
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress, URLCustomEntity = Url
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
- entityType: URL
|
|
fieldMappings:
|
|
- identifier: Url
|
|
columnName: URLCustomEntity |