From 4731843f3704aa5cf0038a214b15ab688edba420 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:28:14 +0100
Subject: [PATCH 01/64] Update DomainEntity_CommonSecurityLog.yaml
---
 .../DomainEntity_CommonSecurityLog.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
index af9d172b249..9917a3191c9 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
@@ -55,7 +55,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
@@ -72,4 +72,4 @@ entityMappings:
 - identifier: Url
 columnName: URLCustomEntity
 version: 1.1.0
-kind: Scheduled
\ No newline at end of file
+kind: Scheduled
From 21b1059b1b02a7c258b18100016ed992095b8f37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:29:17 +0100
Subject: [PATCH 02/64] Update DomainEntity_DnsEvents.yaml
---
 .../DomainEntity_DnsEvents.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
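Review bot: The new filter `| where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime` narrows the match window from "event after any ingested version of this indicator" to "event after the most recently ingested version", so an event logged before a feed re-ingested the same indicator no longer matches within the lookback; the same change is made in PATCH 02 and PATCH 04 through 25 of this series. For the filter to bind, `LatestIndicatorTime` must now be produced on the ThreatIntelligenceIndicator side before the join, which is outside this hunk and should be confirmed in each file. If that is where the `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` the sibling patches delete was moved, the move is also a fix: applied after the join it collapsed every matching event for an indicator into one row. A one-line KQL comment above the filter would spare the next reader re-deriving the window, e.g. `// keep events logged after the indicator's latest ingestion (LatestIndicatorTime) and before its expiry`.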
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
index 9e1579e45af..4f12b422ec9 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
@@ -49,8 +49,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend DNS_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Name
- | where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
 | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
 entityMappings:
@@ -66,5 +65,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 8695fb4a799caf22dac3e9893078937a8f2bc18d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:29:36 +0100
Subject: [PATCH 03/64] Update DomainEntity_CommonSecurityLog.yaml
---
 .../DomainEntity_CommonSecurityLog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
index 9917a3191c9..5d575a71124 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
@@ -71,5 +71,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
From 7bc621b853842fa1677ba80a95f224c34bcef96e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:30:37 +0100
Subject: [PATCH 04/64] Update DomainEntity_PaloAlto.yaml
---
 .../ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
index 88d236d83f2..c27fa50809b 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
@@ -60,7 +60,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
@@ -76,5 +76,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.0
-kind: Scheduled
\ No newline at end of file
+version: 1.1.1
+kind: Scheduled
From c054580bad4c54ac07f27f4d490399376b0f542e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:31:35 +0100
Subject: [PATCH 05/64] Update DomainEntity_SecurityAlert.yaml
---
 .../DomainEntity_SecurityAlert.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
index 9ce3ebc21e5..a6999dbca7d 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
@@ -60,8 +60,7 @@ query: |
 | extend Alert_TimeGenerated = TimeGenerated
 | extend Alert_Description = Description
 ) on $left.DomainName==$right.domain
- | where Alert_TimeGenerated >= TimeGenerated and Alert_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url
 | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url
 entityMappings:
@@ -77,5 +76,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From e2ba8c218e023581bc8f36f252a3d0b80a223e90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:32:37 +0100
Subject: [PATCH 06/64] Update DomainEntity_Syslog.yaml
---
 .../ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
index 256317b2186..8729a345c46 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
@@ -50,8 +50,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend Syslog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.domain
- | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Syslog_TimeGenerated >= LatestIndicatorTime and Syslog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
 | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
@@ -67,5 +66,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 34337b4f1d0dee1bf7ff53e47c3edd45d4b86410 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:33:21 +0100
Subject: [PATCH 07/64] Update EmailEntity_AzureActivity.yaml
---
 .../EmailEntity_AzureActivity.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
index 99a6177c966..3eada3cbc84 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
@@ -37,8 +37,7 @@ query: |
 | extend AzureActivity_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.Caller
- | where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where AzureActivity_TimeGenerated >= LatestIndicatorTime and AzureActivity_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId
@@ -56,5 +55,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From d14ac937ebfdf4b5bd0e286d8410823634eec6ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:33:52 +0100
Subject: [PATCH 08/64] Update EmailEntity_OfficeActivity.yaml
---
 .../EmailEntity_OfficeActivity.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
index ff17cd3dd24..82020a73ebc 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
@@ -36,8 +36,7 @@ query: |
 | extend OfficeActivity_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.UserId
- | where OfficeActivity_TimeGenerated >= TimeGenerated and OfficeActivity_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
 | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url
@@ -54,5 +53,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From e221db2b170a270bd9da66e5cbfc2da1342b0bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:34:35 +0100
Subject: [PATCH 09/64] Update EmailEntity_PaloAlto.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
index 0bbfc026907..79d2a38b0d8 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
@@ -39,8 +39,7 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.DestinationUserID
- | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol
@@ -58,5 +57,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 989ca4d0af4515c47c9f5bbcf3e231f6b831e441 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:35:03 +0100
Subject: [PATCH 10/64] Update EmailEntity_SecurityAlert.yaml
---
 .../EmailEntity_SecurityAlert.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
index ae380ca473d..fedb02ae62d 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
@@ -43,8 +43,7 @@ query: |
 | extend Alert_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.EntityEmail
- | where Alert_TimeGenerated >= TimeGenerated and Alert_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName
@@ -58,5 +57,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 90af7035bc28a7139af25802473c13eb9c1d187c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:35:32 +0100
Subject: [PATCH 11/64] Update EmailEntity_SecurityEvent.yaml
---
 .../EmailEntity_SecurityEvent.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
index d13bd818a84..70666469f67 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
@@ -38,8 +38,7 @@ query: |
 | extend SecurityEvent_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.TargetUserName
- | where SecurityEvent_TimeGenerated >= TimeGenerated and SecurityEvent_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where SecurityEvent_TimeGenerated >= LatestIndicatorTime and SecurityEvent_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType, LogonTypeName, LogonProcessName, Status, SubStatus
@@ -61,5 +60,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 764573dbf143f154890ec6d24c685090f82fa4b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:36:05 +0100
Subject: [PATCH 12/64] Update EmailEntity_SigninLogs.yaml
---
 .../EmailEntity_SigninLogs.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
index 7cfe0d2676d..84811a0782f 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
@@ -46,8 +46,7 @@ query: |
 | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
 ) on $left.EmailSenderAddress == $right.UserPrincipalName
- | where SigninLogs_TimeGenerated >= TimeGenerated and SigninLogs_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where SigninLogs_TimeGenerated >= LatestIndicatorTime and SigninLogs_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type
@@ -69,5 +68,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 6f787ce717efe31c349eca51e1a3aa9e10ae07d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:36:48 +0100
Subject: [PATCH 13/64] Update FileHashEntity_CommonSecurityLog.yaml
---
 .../FileHashEntity_CommonSecurityLog.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
index eb519036420..88360895e1d 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
@@ -37,8 +37,7 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.FileHashValue == $right.FileHash
- | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
@@ -60,5 +59,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 39cfc4fa8a4217859128243e72e9cc2fe17146a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:38:58 +0100
Subject: [PATCH 14/64] Update FileHashEntity_SecurityEvent.yaml
---
 .../FileHashEntity_SecurityEvent.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
index b20affd6b2f..fff78aa6f4d 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
@@ -35,8 +35,7 @@ query: |
 | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
 ) on $left.FileHashValue == $right.FileHash
- | where SecurityEvent_TimeGenerated >= TimeGenerated and SecurityEvent_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where SecurityEvent_TimeGenerated >= LatestIndicatorTime and SecurityEvent_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
 | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url
@@ -53,5 +52,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 5f4655bc7ecd0176bec73db78ceafb5d74e7f1d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:39:36 +0100
Subject: [PATCH 15/64] Update IPEntity_AWSCloudTrail.yaml
---
 .../IPEntity_AWSCloudTrail.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
index a4285c26198..0a82aa91b6a 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
@@ -40,8 +40,7 @@ query: |
 | extend AWSCloudTrail_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.SourceIpAddress
- | where AWSCloudTrail_TimeGenerated >= TimeGenerated and AWSCloudTrail_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where AWSCloudTrail_TimeGenerated >= LatestIndicatorTime and AWSCloudTrail_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated, TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
@@ -59,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 40879309989fd5eede1e57d824717b596c64da5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:41:22 +0100
Subject: [PATCH 16/64] Update IPEntity_AppServiceHTTPLogs.yaml
---
 .../IPEntity_AppServiceHTTPLogs.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
index 9a38686f011..d7677d23245 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
@@ -39,7 +39,6 @@ query: |
 | extend AppService_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.CIp
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost
 entityMappings:
@@ -59,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 7671307dde2c51a605c36f8704d1940bfac36e5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:42:05 +0100
Subject: [PATCH 17/64] Update IPEntity_AzureActivity.yaml
---
 .../IPEntity_AzureActivity.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
index 9a4e2d62bab..0433488ff32 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
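Review bot: This hunk drops the post-join `summarize` but, unlike every other rule in the series, leaves the joined rows with no time window at all, so an App Service request can be matched to an indicator that was ingested after the request was logged, or that had already expired at that time, unless the indicator side filters on expiry before the join outside this hunk. The sibling rules place `| where <Table>_TimeGenerated >= LatestIndicatorTime and <Table>_TimeGenerated < ExpirationDateTime` directly after the `) on` line; the equivalent here is `| where AppService_TimeGenerated >= LatestIndicatorTime and AppService_TimeGenerated < ExpirationDateTime`. If the omission is deliberate, a comment on the `) on` line saying so would keep the next bulk edit from "fixing" it. The query body starts before this hunk.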
@@ -40,8 +40,7 @@ query: |
 | extend AzureActivity_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.CallerIpAddress
- | where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where AzureActivity_TimeGenerated >= LatestIndicatorTime and AzureActivity_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url
@@ -58,5 +57,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 7f4f49f473df38341585b5c161bf29e8cb58c8dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:42:54 +0100
Subject: [PATCH 18/64] Update IPEntity_AzureNetworkAnalytics.yaml
---
 .../IPEntity_AzureNetworkAnalytics.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
index 877f61f65f2..5a174c7b01a 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
@@ -41,8 +41,7 @@ query: |
 | extend PIP = tostring(PIPs[0])
 ) on $left.TI_ipEntity == $right.PIP
- | where AzureNetworkAnalytics_CL_TimeGenerated >= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where AzureNetworkAnalytics_CL_TimeGenerated >= LatestIndicatorTime and AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime // Set to alert on Allowed NSG Flows from TI Public IP IOC
 | where FlowStatus_s == "A"
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,
@@ -62,4 +61,4 @@ entityMappings:
 - identifier: Url
 columnName: URLCustomEntity
 version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+kind: Scheduled
From 30219e124a4556b3fe0590374dc8879f3eebbf3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:43:07 +0100
Subject: [PATCH 19/64] Update IPEntity_AzureNetworkAnalytics.yaml
---
 .../IPEntity_AzureNetworkAnalytics.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
index 5a174c7b01a..00a7fd57bae 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
@@ -60,5 +60,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
+version: 1.1.2
 kind: Scheduled
From eb3bff0ee85079b7da00efeac5ddcbbb188d3907 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:43:51 +0100
Subject: [PATCH 20/64] Update IPEntity_DnsEvents.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
index 034e2c57f05..744bea4740c 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
@@ -44,8 +44,7 @@ query: |
 | extend DNS_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.SingleIP
- | where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url
@@ -62,5 +61,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
From 4deee2212df70ee3564ee6de6427863b38bf8dd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:44:17 +0100
Subject: [PATCH 21/64] Update IPEntity_OfficeActivity.yaml
---
 .../IPEntity_OfficeActivity.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
index 959dd8463b9..469823d54ad 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
@@ -40,8 +40,7 @@ query: |
 | extend OfficeActivity_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.ClientIP
- | where OfficeActivity_TimeGenerated >= TimeGenerated and OfficeActivity_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url
@@ -58,5 +57,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From a77c079c262bde4af66fb52c8ed4fec436431760 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:44:45 +0100
Subject: [PATCH 22/64] Update IPEntity_VMConnection.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
index 4d7f9979ec2..b5c6558d57c 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
@@ -41,8 +41,7 @@ query: |
 | extend VMConnection_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.RemoteIp
- | where VMConnection_TimeGenerated >= TimeGenerated and VMConnection_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where VMConnection_TimeGenerated >= LatestIndicatorTime and VMConnection_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url
@@ -59,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 0d0676591fb5ccceebf39b9ac01e69ec40c55f80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:45:19 +0100
Subject: [PATCH 23/64] Update IPEntity_W3CIISLog.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
index 90913fbd877..54799fee3e3 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
@@ -42,8 +42,7 @@ query: |
 | extend W3CIISLog_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.cIP
- | where W3CIISLog_TimeGenerated >= TimeGenerated and W3CIISLog_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where W3CIISLog_TimeGenerated >= LatestIndicatorTime and W3CIISLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, W3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
@@ -65,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From d05b86dc88638b602a11610a5f76d0ca37d1e05b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:45:42 +0100
Subject: [PATCH 24/64] Update IPEntity_WireData.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_WireData.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
index 390b5ab7634..ad87ea46f05 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
@@ -41,8 +41,7 @@ query: |
 | extend WireData_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.RemoteIP
- | where WireData_TimeGenerated >= TimeGenerated and WireData_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where WireData_TimeGenerated >= LatestIndicatorTime and WireData_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url
@@ -59,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From e34178648de2e7bd64ea2b2a1af7cce01d7588df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:46:48 +0100
Subject: [PATCH 25/64] Update IPentity_SigninLogs.yaml
---
 .../ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
index 5459a1cda05..31427b35361 100644
--- a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
@@ -47,8 +47,7 @@ query: |
 | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
 ) on $left.TI_ipEntity == $right.IPAddress
- | where SigninLogs_TimeGenerated >= TimeGenerated and SigninLogs_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where SigninLogs_TimeGenerated >= LatestIndicatorTime and SigninLogs_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
 | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url
@@ -69,5 +68,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 80538e168a3c11ec6bec90088056ca76d6cda7fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:47:11 +0100
Subject: [PATCH 26/64] Update URLEntity_AuditLogs.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
index d1bcfbe78b1..3a0cbb62e7d 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
@@ -39,8 +39,7 @@ query: |
 | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)
 | extend Audit_TimeGenerated = TimeGenerated
 ) on Url
- | where Audit_TimeGenerated >= TimeGenerated and Audit_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Audit_TimeGenerated >= LatestIndicatorTime and Audit_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Audit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url
 | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url
@@ -57,5 +56,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 7f3155cd720a1b529439a1b2929770c7614f4680 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:47:48 +0100
Subject: [PATCH 27/64] Update URLEntity_OfficeActivity.yaml
---
 .../URLEntity_OfficeActivity.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
index 1f152fcfaa7..e7a04531f20 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
@@ -38,8 +38,7 @@ query: |
 // Project a single user identity that we can use for entity mapping
 | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue)))
 ) on Url
- | where OfficeActivity_TimeGenerated >= TimeGenerated and OfficeActivity_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User
 | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url
@@ -52,5 +51,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From 531083e676f7946034b1d4668f844885e8750261 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:48:18 +0100
Subject: [PATCH 28/64] Update URLEntity_PaloAlto.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
index ff4fa4d0537..58ccfa3dd0b 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
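Review bot: The context line `tostring(parse_json(Parameters)[0].Vlaue)` in the `User` fallback reads like a typo for `.Value`; if so, the third branch of the `iif` always yields an empty string and `AccountCustomEntity = User` is blank for OfficeActivity events that carry neither `UserId` nor `Actor`, which silently weakens the account entity on exactly those alerts. It predates this patch, but the query is being touched anyway, so `tostring(parse_json(Parameters)[0].Value)` would be a one-token fix once the `Parameters` schema confirms the property name. The `query: |` block starts outside the hunk.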
@@ -45,7 +45,7 @@ query: |
 | where isnotempty(PA_Url)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.Url == $right.PA_Url
- | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
@@ -61,5 +61,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.0
-kind: Scheduled
\ No newline at end of file
+version: 1.1.1
+kind: Scheduled
From 52a40601dda7f3dfd13856e22125701c1ed4425b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:48:51 +0100
Subject: [PATCH 29/64] Update URLEntity_SecurityAlerts.yaml
---
 .../URLEntity_SecurityAlerts.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
index 262185c7c5e..5a5ffb51190 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
@@ -43,8 +43,7 @@ query: |
 | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
 | extend Alert_TimeGenerated = TimeGenerated
 ) on Url
- | where Alert_TimeGenerated >= TimeGenerated and Alert_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, AlertSeverity, Description, Url, Compromised_Host
 | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url
@@ -57,5 +56,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From eb73dd50c3c92788aad5ad2ce8679ea60ff00d38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 13:49:13 +0100
Subject: [PATCH 30/64] Update URLEntity_Syslog.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_Syslog.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
index ae429654144..476b1c8ecc9 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
@@ -37,8 +37,7 @@ query: |
 | where isnotempty(Url)
 | extend Syslog_TimeGenerated = TimeGenerated
 ) on Url
- | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Syslog_TimeGenerated >= LatestIndicatorTime and Syslog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP
 | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
@@ -54,5 +53,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.1
-kind: Scheduled
\ No newline at end of file
+version: 1.1.2
+kind: Scheduled
From a4ede61c210754b798e33752118caec9f37e4d9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 20:52:14 +0100
Subject: [PATCH 31/64] Update DomainEntity_CommonSecurityLog.yaml
---
 .../DomainEntity_CommonSecurityLog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
index 5d575a71124..13eec43d8a6 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
@@ -55,7 +55,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
From ffcb13667b88b5fd63a908c89b78d6caa9ad368b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 20:55:54 +0100
Subject: [PATCH 32/64] Update DomainEntity_DnsEvents.yaml
---
 .../ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
index 4f12b422ec9..96ebde08148 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
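Review bot: Dropping `>= LatestIndicatorTime` leaves `| where CommonSecurityLog_TimeGenerated < ExpirationDateTime` as the only time bound, but unlike the sibling rules changed in this same series (DomainEntity_DnsEvents onwards) no `| summarize ... arg_max(...) by IndicatorId` is added, so every CommonSecurityLog row that matches an indicator within the rule's lookback — including rows older than the indicator's latest TI update — now becomes its own result row. If the widening is intended, this rule should at least dedupe the same way as the others, e.g. `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId` directly after the new `where`, or a query comment should say why it is left per-event. The diffstat shows 1 insertion and 1 deletion, so `version` is not bumped even though the matching behaviour changes. DomainEntity_PaloAlto in patch 33 has the identical hunk. The `query: |` block starts outside the hunk.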
@@ -49,7 +49,8 @@ query: |
 | where tld in~ (list_tlds)
 | extend DNS_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Name
- | where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime
+ | where DNS_TimeGenerated < ExpirationDateTime
+ | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
 | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
 entityMappings:
From f745b84125eb474ec24327044ec18759bf422dcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 20:57:04 +0100
Subject: [PATCH 33/64] Update DomainEntity_PaloAlto.yaml
---
 .../ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
index c27fa50809b..daf9a516a4e 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
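Review bot: The new `| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId` keeps only the single most recent matching event per indicator, so when several clients resolve the same flagged domain within one run only one `Computer`/`ClientIP` pair reaches the alert and the other hits are never surfaced — for a TI-match rule that is a coverage loss, not just deduplication. Grouping by the matched entity as well, `by IndicatorId, Computer` (or `ClientIP`), keeps one row per affected host while still collapsing repeated lookups from the same one. Removing the `>= LatestIndicatorTime` lower bound also lets events that predate the indicator's latest update match, which looks deliberate but deserves a comment such as `// no lower bound: also match events observed before the indicator was ingested or refreshed`. The `query: |` block starts outside the hunk, and the diffstat shows only the query changing, so `version` is not bumped despite the behaviour change. The same hunk appears, with the respective entity columns, in DomainEntity_SecurityAlert, DomainEntity_Syslog, EmailEntity_AzureActivity, EmailEntity_OfficeActivity, EmailEntity_PaloAlto, EmailEntity_SecurityAlert, EmailEntity_SecurityEvent, EmailEntity_SigninLogs, FileHashEntity_CommonSecurityLog, FileHashEntity_SecurityEvent, IPEntity_AWSCloudTrail, IPEntity_AppServiceHTTPLogs (where both lines are newly added) and IPEntity_AzureActivity.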
@@ -60,7 +60,7 @@ query: |
 | where tld in~ (list_tlds)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
From 3907d69005ce4c77315975008b55d148c2c03fbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 20:58:32 +0100
Subject: [PATCH 34/64] Update DomainEntity_SecurityAlert.yaml
---
 .../DomainEntity_SecurityAlert.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
index a6999dbca7d..36a10eb10c8 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
@@ -60,7 +60,8 @@ query: |
 | extend Alert_TimeGenerated = TimeGenerated
 | extend Alert_Description = Description
 ) on $left.DomainName==$right.domain
- | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
+ | where Alert_TimeGenerated < ExpirationDateTime
+ | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url
 | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url
 entityMappings:
From 7f4636b42f189ef8c8da23b2428059bc03e15d12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:01:09 +0100
Subject: [PATCH 35/64] Update DomainEntity_Syslog.yaml
---
 .../ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
index 8729a345c46..8cd92f994c8 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
@@ -50,7 +50,8 @@ query: |
 | where tld in~ (list_tlds)
 | extend Syslog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.domain
- | where Syslog_TimeGenerated >= LatestIndicatorTime and Syslog_TimeGenerated < ExpirationDateTime
+ | where Syslog_TimeGenerated < ExpirationDateTime
+ | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
 | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
From 740d2ef1aa596161f7afa12d4b8051d6a1c1fa4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:02:04 +0100
Subject: [PATCH 36/64] Update EmailEntity_AzureActivity.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
index 3eada3cbc84..127cff908a2 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
@@ -37,7 +37,8 @@ query: |
 | extend AzureActivity_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.Caller
- | where AzureActivity_TimeGenerated >= LatestIndicatorTime and AzureActivity_TimeGenerated < ExpirationDateTime
+ | where AzureActivity_TimeGenerated < ExpirationDateTime
+ | summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId
From 0c2b1f16223f48cc1ca55329b87b9d0851ea9c62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:03:11 +0100
Subject: [PATCH 37/64] Update EmailEntity_OfficeActivity.yaml
---
 .../EmailEntity_OfficeActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
index 82020a73ebc..0dc1fb0fafb 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
@@ -36,7 +36,8 @@ query: |
 | extend OfficeActivity_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.UserId
- | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
+ | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters
 | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url
From 4b52f76e237b8e978395660aa2a5c9ff3ab867a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:03:58 +0100
Subject: [PATCH 38/64] Update EmailEntity_PaloAlto.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
index 79d2a38b0d8..7dfb967350a 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
@@ -39,7 +39,8 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.DestinationUserID
- | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol
From 86c1611025340cb04b3fd2f3a3fbafa95fbc82fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:04:49 +0100
Subject: [PATCH 39/64] Update EmailEntity_SecurityAlert.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
index fedb02ae62d..6bd89db7689 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
@@ -43,7 +43,8 @@ query: |
 | extend Alert_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.EntityEmail
- | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
+ | where Alert_TimeGenerated < ExpirationDateTime
+ | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName
From 37bfeedbae177d99f4af804d979fc655f1c558cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:05:35 +0100
Subject: [PATCH 40/64] Update EmailEntity_SecurityEvent.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_Security



Event.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
index 70666469f67..2039dc5aa61 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
@@ -38,7 +38,8 @@ query: |
 | extend SecurityEvent_TimeGenerated = TimeGenerated
 ) on $left.EmailSenderAddress == $right.TargetUserName
- | where SecurityEvent_TimeGenerated >= LatestIndicatorTime and SecurityEvent_TimeGenerated < ExpirationDateTime
+ | where SecurityEvent_TimeGenerated < ExpirationDateTime
+ | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType, LogonTypeName, LogonProcessName, Status, SubStatus
From e136a3bd51ae99d22c4a128bc5ce940ce4604588 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:06:42 +0100
Subject: [PATCH 41/64] Update EmailEntity_SigninLogs.yaml
---
 .../ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
index 84811a0782f..54eb40700f3 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
@@ -46,7 +46,8 @@ query: |
 | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
 ) on $left.EmailSenderAddress == $right.UserPrincipalName
- | where SigninLogs_TimeGenerated >= LatestIndicatorTime and SigninLogs_TimeGenerated < ExpirationDateTime
+ | where SigninLogs_TimeGenerated < ExpirationDateTime
+ | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type
From 9a58e4cd3bf40fcd8b4ed8795e07a62c9503034c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:08:02 +0100
Subject: [PATCH 42/64] Update FileHashEntity_CommonSecurityLog.yaml
---
 .../FileHashEntity_CommonSecurityLog.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
index 88360895e1d..109860d2c70 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
@@ -37,7 +37,8 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.FileHashValue == $right.FileHash
- | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
From 38de543783599a4e0c41ba1a433f5b257c2b329b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:08:40 +0100
Subject: [PATCH 43/64] Update FileHashEntity_SecurityEvent.yaml
---
 .../FileHashEntity_SecurityEvent.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
index fff78aa6f4d..abbb8af4304 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
@@ -35,7 +35,8 @@ query: |
 | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
 ) on $left.FileHashValue == $right.FileHash
- | where SecurityEvent_TimeGenerated >= LatestIndicatorTime and SecurityEvent_TimeGenerated < ExpirationDateTime
+ | where SecurityEvent_TimeGenerated < ExpirationDateTime
+ | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
 | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url
From 50c217ff9acf399fa4abae5a73251f77903ffc54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:09:21 +0100
Subject: [PATCH 44/64] Update IPEntity_AWSCloudTrail.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
index 0a82aa91b6a..e719a6d33bd 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
@@ -40,7 +40,8 @@ query: |
 | extend AWSCloudTrail_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.SourceIpAddress
- | where AWSCloudTrail_TimeGenerated >= LatestIndicatorTime and AWSCloudTrail_TimeGenerated < ExpirationDateTime
+ | where AWSCloudTrail_TimeGenerated < ExpirationDateTime
+ | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated, TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
From 9e7dc5f157a9820d9f02974ac4b9328c46f27295 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:11:13 +0100
Subject: [PATCH 45/64] Update IPEntity_AppServiceHTTPLogs.yaml
---
 .../IPEntity_AppServiceHTTPLogs.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
index d7677d23245..442e4231d9e 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
@@ -39,6 +39,8 @@ query: |
 | extend AppService_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.CIp
+ | where AppService_TimeGenerated < ExpirationDateTime
+ | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost
 entityMappings:
From caa2f6de487490f0f3944a3e22a107092806bdb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:11:59 +0100
Subject: [PATCH 46/64] Update IPEntity_AzureActivity.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
index 0433488ff32..ec4e8e35045 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
@@ -40,7 +40,8 @@ query: |
 | extend AzureActivity_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.CallerIpAddress
- | where AzureActivity_TimeGenerated >= LatestIndicatorTime and AzureActivity_TimeGenerated < ExpirationDateTime
+ | where AzureActivity_TimeGenerated < ExpirationDateTime
+ | summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url
From e5d3c82ca422bbcc0b8361fe1bd7209e993c2666 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:14:41 +0100
Subject: [PATCH 47/64] Update IPEntity_AzureNetworkAnalytics.yaml
---
 .../IPEntity_AzureNetworkAnalytics.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
index 00a7fd57bae..f7b5810f156 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
@@ -41,7 +41,7 @@ query: |
 | extend PIP = tostring(PIPs[0])
 ) on $left.TI_ipEntity == $right.PIP
- | where AzureNetworkAnalytics_CL_TimeGenerated >= LatestIndicatorTime and AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime
+ | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime
 // Set to alert on Allowed NSG Flows from TI Public IP IOC
 | where FlowStatus_s == "A"
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,
From 0600448f6373ec8fff2da95e7e1aa8c0263d26ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:15:12 +0100
Subject: [PATCH 48/64] Update IPEntity_AzureNetworkAnalytics.yaml
---
 .../IPEntity_AzureNetworkAnalytics.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
index f7b5810f156..22bc153bdfc 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml
@@ -42,6 +42,7 @@ query: |
 ) on $left.TI_ipEntity == $right.PIP
 | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime
+ | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId
 // Set to alert on Allowed NSG Flows from TI Public IP IOC
 | where FlowStatus_s == "A"
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,
From e7841ef0999657e415c433fa62d7d4340859ca07 Mon Sep 17 00:00:00 2001
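Review bot: In the second IPEntity_AzureNetworkAnalytics hunk the new `| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId` runs before `| where FlowStatus_s == "A"`, so arg_max picks the latest flow for each indicator regardless of status and the status filter then discards that indicator entirely when its latest flow was not an allowed one, even if an earlier allowed flow to the same IOC exists in the window. Moving the filter above the summarize keeps the "allowed flows only" semantics the comment describes: `| where FlowStatus_s == "A"` first, then `| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId`. The `// Set to alert on Allowed NSG Flows from TI Public IP IOC` comment should move with the filter so it still sits directly above it. The `query: |` block starts and ends outside both hunks.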
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:15:51 +0100
Subject: [PATCH 49/64] Update IPEntity_DnsEvents.yaml
---
 Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
index 744bea4740c..1a2717b4b85 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
@@ -44,7 +44,8 @@ query: |
 | extend DNS_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.SingleIP
- | where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime
+ | where DNS_TimeGenerated < ExpirationDateTime
+ | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url
From 9a4c186ff66279be5d26accd2846f497b9d3e8ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:16:36 +0100
Subject: [PATCH 50/64] Update IPEntity_OfficeActivity.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
index 469823d54ad..806c334f98d 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
@@ -40,7 +40,8 @@ query: |
 | extend OfficeActivity_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.ClientIP
- | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
+ | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url
From be446f665cb16c25de1a65dd494e7bd4453d12f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:17:23 +0100
Subject: [PATCH 51/64] Update IPEntity_VMConnection.yaml
---
 .../ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
index b5c6558d57c..c17bba3e235 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
@@ -41,7 +41,8 @@ query: |
 | extend VMConnection_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.RemoteIp
- | where VMConnection_TimeGenerated >= LatestIndicatorTime and VMConnection_TimeGenerated < ExpirationDateTime
+ | where VMConnection_TimeGenerated < ExpirationDateTime
+ | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url
From f292098f8bf652f5ba6378e2d5b22b4d01eb7ac2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:18:31 +0100
Subject: [PATCH 52/64] Update IPEntity_W3CIISLog.yaml
---
 Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
index 54799fee3e3..3520c27aa9d 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
@@ -42,7 +42,8 @@ query: |
 | extend W3CIISLog_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.cIP
- | where W3CIISLog_TimeGenerated >= LatestIndicatorTime and W3CIISLog_TimeGenerated < ExpirationDateTime
+ | where W3CIISLog_TimeGenerated < ExpirationDateTime
+ | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, W3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
From 2c5cc22fbaf4cde081fb1162d3a7d4b56cc946af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:19:24 +0100
Subject: [PATCH 53/64] Update IPEntity_WireData.yaml
---
 Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
index ad87ea46f05..374d0717b48 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
@@ -41,7 +41,8 @@ query: |
 | extend WireData_TimeGenerated = TimeGenerated
 ) on $left.TI_ipEntity == $right.RemoteIP
- | where WireData_TimeGenerated >= LatestIndicatorTime and WireData_TimeGenerated < ExpirationDateTime
+ | where WireData_TimeGenerated < ExpirationDateTime
+ | summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
 | extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url
From ce423a940741b6b02908175dd0bee21f4845c67c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:19:55 +0100
Subject: [PATCH 54/64] Update IPentity_SigninLogs.yaml
---
 .../ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
index 31427b35361..5871e478eb9 100644
--- a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
@@ -47,7 +47,8 @@ query: |
 | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
 ) on $left.TI_ipEntity == $right.IPAddress
- | where SigninLogs_TimeGenerated >= LatestIndicatorTime and SigninLogs_TimeGenerated < ExpirationDateTime
+ | where SigninLogs_TimeGenerated < ExpirationDateTime
+ | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
 | extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url
From acf7b2f9e910b0dba802085af80dd99820e5f9e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:20:23 +0100
Subject: [PATCH 55/64] Update URLEntity_AuditLogs.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
index 3a0cbb62e7d..8d3a106651c 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
@@ -39,7 +39,8 @@ query: |
 | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)
 | extend Audit_TimeGenerated = TimeGenerated
 ) on Url
- | where Audit_TimeGenerated >= LatestIndicatorTime and Audit_TimeGenerated < ExpirationDateTime
+ | where Audit_TimeGenerated < ExpirationDateTime
+ | summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Audit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url
 | extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url
From 7921aa31928a05867ac30dcb3c542814a0c239e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:21:06 +0100
Subject: [PATCH 56/64] Update URLEntity_OfficeActivity.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
index e7a04531f20..d83c41fe435 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
@@ -38,7 +38,8 @@ query: |
 // Project a single user identity that we can use for entity mapping
 | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue)))
 ) on Url
- | where OfficeActivity_TimeGenerated >= LatestIndicatorTime and OfficeActivity_TimeGenerated < ExpirationDateTime
+ | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User
 | extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url
From 8c536f0466a9ec6cbb25eecd95f8675ec07bd8eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:22:57 +0100
Subject: [PATCH 57/64] Update URLEntity_PaloAlto.yaml
---
 Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
index 58ccfa3dd0b..698ed86151f 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
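Review bot: The context line directly above the changed `where` in URLEntity_OfficeActivity reads `tostring(parse_json(Parameters)[0].Vlaue)`, which looks like a typo for `.Value`; if so, the last fallback for `User` would presumably always be empty, and events with neither `UserId` nor `Actor` would reach `AccountCustomEntity = User` with no account. It predates this commit, but since the file is being touched anyway the one-token fix `tostring(parse_json(Parameters)[0].Value)` is worth folding in after confirming the key name against a real `Parameters` payload. The `query: |` block starts and ends outside the hunk.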
@@ -45,7 +45,7 @@ query: |
 | where isnotempty(PA_Url)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.Url == $right.PA_Url
- | where CommonSecurityLog_TimeGenerated >= LatestIndicatorTime and CommonSecurityLog_TimeGenerated < ExpirationDateTime
+ | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName
 | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
From 10880711335a0ba193ca9e268503081e7d4fccda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:23:34 +0100
Subject: [PATCH 58/64] Update URLEntity_SecurityAlerts.yaml
---
 .../ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
index 5a5ffb51190..354b472eb16 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
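Review bot: URLEntity_PaloAlto ends up without the `| summarize ... by IndicatorId` de-duplication that every sibling hunk in this series adds next to the same `where` change, so at this point in the series it is the one rule still emitting one row per matching CommonSecurityLog event. If that is deliberate, for instance to keep every firewall hit for a URL indicator visible, a one-line comment above the new `where` saying so would stop the next editor from "fixing" it; if not, the sibling line `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId` is missing here. The later "Space formatting, specifying join" commit touches this file again, so the discrepancy may be resolved there. The `query: |` block starts outside the hunk.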
@@ -43,7 +43,8 @@ query: |
 | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
 | extend Alert_TimeGenerated = TimeGenerated
 ) on Url
- | where Alert_TimeGenerated >= LatestIndicatorTime and Alert_TimeGenerated < ExpirationDateTime
+ | where Alert_TimeGenerated < ExpirationDateTime
+ | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, AlertSeverity, Description, Url, Compromised_Host
 | extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url
From 2ab8b1009fa3d1d08791e1e5ac4bea0dc331e855 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Fri, 19 Nov 2021 21:24:20 +0100
Subject: [PATCH 59/64] Update URLEntity_Syslog.yaml
---
 Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
index 476b1c8ecc9..bf807f966f9 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
@@ -37,7 +37,8 @@ query: |
 | where isnotempty(Url)
 | extend Syslog_TimeGenerated = TimeGenerated
 ) on Url
- | where Syslog_TimeGenerated >= LatestIndicatorTime and Syslog_TimeGenerated < ExpirationDateTime
+ | where Syslog_TimeGenerated < ExpirationDateTime
+ | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP
 | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
From 424f9b1382e3856e2b7c05ce04f0194379900fe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Thu, 25 Nov 2021 19:15:00 +0100
Subject: [PATCH 60/64] Update versions
---
 .../ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml | 2 +-
 .../ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml | 2 +-
 Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml | 2 +-
 .../ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
index 976d1be0e88..87b21e20da3 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
@@ -79,5 +79,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
index 42c3296936a..7a146a5d74c 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
@@ -61,5 +61,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
diff --git a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
index 1fa968a452b..6fa5291c77c 100644
--- a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
@@ -69,5 +69,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
index 69a6307c095..66823b9f35e 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
@@ -59,5 +59,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
From 72cd8ad66a7ffa952892837d04505d8cb54647c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Thu, 25 Nov 2021 20:05:05 +0100
Subject: [PATCH 61/64] Space formatting, specifying join, removing ExpirationDateTime
---
 .../DomainEntity_CommonSecurityLog.yaml | 84 +++++++++--------
 .../DomainEntity_DnsEvents.yaml | 65 +++++++------
 .../DomainEntity_PaloAlto.yaml | 85 ++++++++++---------
 .../DomainEntity_SecurityAlert.yaml | 85 ++++++++++---------
 .../DomainEntity_Syslog.yaml | 67 ++++++++-------
 .../EmailEntity_AzureActivity.yaml | 4 +-
 .../EmailEntity_OfficeActivity.yaml | 4 +-
 .../EmailEntity_PaloAlto.yaml | 4 +-
 .../EmailEntity_SecurityAlert.yaml | 4 +-
 .../EmailEntity_SecurityEvent.yaml | 4 +-
 .../EmailEntity_SigninLogs.yaml | 4 +-
 .../FileHashEntity_CommonSecurityLog.yaml | 12 +-
 ...eHashEntity_Covid19_CommonSecurityLog.yaml | 9 +-
 .../FileHashEntity_SecurityEvent.yaml | 12 +-
 .../IPEntity_AWSCloudTrail.yaml | 4 +-
 .../IPEntity_AppServiceHTTPLogs.yaml | 12 +-
 .../IPEntity_AzureActivity.yaml | 4 +-
 .../IPEntity_AzureFirewall.yaml | 4 +-
 .../IPEntity_AzureKeyVault.yaml | 9 +-
 .../IPEntity_AzureNetworkAnalytics.yaml | 4 +-
 .../IPEntity_AzureSQL.yaml | 17 ++-
 .../IPEntity_DnsEvents.yaml | 4 +-
 .../IPEntity_OfficeActivity.yaml | 4 +-
 .../IPEntity_VMConnection.yaml | 4 +-
 .../IPEntity_W3CIISLog.yaml | 4 +-
 .../IPEntity_WireData.yaml | 4 +-
 .../IPentity_SigninLogs.yaml | 2 +-
 .../URLEntity_AuditLogs.yaml | 23 ++--
 .../URLEntity_OfficeActivity.yaml | 27 +++--
 .../URLEntity_PaloAlto.yaml | 35 ++++---
 .../URLEntity_SecurityAlerts.yaml | 29 ++++--
 .../URLEntity_Syslog.yaml | 19 +++-
 32 files changed, 331 insertions(+), 321 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
index 13eec43d8a6..fec736d5c48 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
@@ -17,47 +17,49 @@ triggerThreshold: 0
 tactics:
 - Impact
 query: |
- let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- //Create a list of TLDs in our threat feed for later validation of extracted domains
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend DomainName = tolower(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | join (
- CommonSecurityLog
- | extend IngestionTime = ingestion_time()
- | where IngestionTime > ago(dt_lookBack)
- | where DeviceEventClassID =~ 'url'
- //Uncomment the line below to only alert on allowed connections
- //| where DeviceAction !~ "block-url"
- //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
- | extend PA_Url = columnifexists("RequestURL", "None")
- | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
- | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
- | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
- | where isnotempty(Domain)
- | extend Domain = tolower(Domain)
- | extend parts = split(Domain, '.')
- //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
- | extend tld = parts[(array_length(parts)-1)]
- //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
- | where tld in~ (list_tlds)
- | extend CommonSecurityLog_TimeGenerated = TimeGenerated
- ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
- | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
- | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
+
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ //Create a list of TLDs in our threat feed for later validation of extracted domains
+ let list_tlds = ThreatIntelligenceIndicator
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend DomainName = tolower(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(DomainName)
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ CommonSecurityLog
+ | extend IngestionTime = ingestion_time()
+ | where IngestionTime > ago(dt_lookBack)
+ | where DeviceEventClassID =~ 'url'
+ //Uncomment the line below to only alert on allowed connections
+ //| where DeviceAction !~ "block-url"
+ //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
+ | extend PA_Url = columnifexists("RequestURL", "None")
+ | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
+ | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
+ | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
+ | where isnotempty(Domain)
+ | extend Domain = tolower(Domain)
+ | extend parts = split(Domain, '.')
+ //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
+ | extend tld = parts[(array_length(parts)-1)]
+ //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
+ | where tld in~ (list_tlds)
+ | extend CommonSecurityLog_TimeGenerated = TimeGenerated
+ )
+ on $left.DomainName==$right.Domain
+ | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
+ | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
 entityMappings:
 - entityType: Host
 fieldMappings:
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
index 96ebde08148..a365007c4f2 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
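Review bot: The new comment `// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated` describes the join the wrong way round: `kind=innerunique` de-duplicates the left (ThreatIntelligenceIndicator) side per `DomainName`, keeping an arbitrary one of several active indicators for the same domain, while every matching CommonSecurityLog row on the right is still returned. It is also the default kind for a bare `join`, so the removed `| join (` already behaved this way; what the hunk changes is only that it is now explicit, and for a domain covered by more than one indicator which `IndicatorId`, `ConfidenceScore` and `Description` reach the alert still varies between runs. If every indicator for a domain should be preserved use `kind=inner` and, if volume is the concern, de-duplicate with a `summarize` after the join; in any case reword the comment to say it collapses duplicate indicators, not matches. There is also a stray empty added line at the top of the `query: |` block, which is harmless in a block scalar but inconsistent with the other files. The same join and comment appear in the DomainEntity_DnsEvents hunk below.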
@@ -21,38 +21,39 @@ tactics:
- Impact
query: |
- let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- //Create a list of TLDs in our threat feed for later validation
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | join (
- DnsEvents
- | where TimeGenerated > ago(dt_lookBack)
- //Extract domain patterns from syslog message
- | where isnotempty(Name)
- | extend parts = split(Name, '.')
- //Split out the TLD
- | extend tld = parts[(array_length(parts)-1)]
- //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
- | where tld in~ (list_tlds)
- | extend DNS_TimeGenerated = TimeGenerated
- ) on $left.DomainName==$right.Name
- | where DNS_TimeGenerated < ExpirationDateTime
- | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId
- | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
- | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ //Create a list of TLDs in our threat feed for later validation
+ let list_tlds = ThreatIntelligenceIndicator
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(DomainName)
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ DnsEvents
+ | where TimeGenerated > ago(dt_lookBack)
+ //Extract domain patterns from syslog message
+ | where isnotempty(Name)
+ | extend parts = split(Name, '.')
+ //Split out the TLD
+ | extend tld = parts[(array_length(parts)-1)]
+ //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
+ | where tld in~ (list_tlds)
+ | extend DNS_TimeGenerated = TimeGenerated
+ )
+ on $left.DomainName==$right.Name
+ | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
+ | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
entityMappings:
- entityType: Host
fieldMappings:
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
index daf9a516a4e..a198d4f8b79 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
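Review bot: The added comment `// using innerunique to keep perf fast and result set low ...` presents `kind=innerunique` as an optimisation, but innerunique is the default flavor of `join` in KQL, so `| join (` and `| join kind=innerunique (` produce the same plan and the result set in this hunk is bounded by the later `summarize ... by IndicatorId`, not by the join kind. The same comment is added in the PaloAlto, SecurityAlert, Syslog, Email*, FileHash* and IP* hunks below (L66–L82). What innerunique does do is keep only one left-side (ThreatIntelligenceIndicator) row per `DomainName`, so when several active indicators share a domain only one IndicatorId, with its Description and ConfidenceScore, is ever reported; that is the behaviour worth stating. Suggested wording: `// innerunique (the KQL default) keeps one indicator row per DomainName; one match per indicator is enough to raise an alert`.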
@@ -21,48 +21,49 @@ tactics:
- Impact
query: |
- let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- //Create a list of TLDs in our threat feed for later validation of extracted domains
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend DomainName = tolower(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | join (
- CommonSecurityLog
- | extend IngestionTime = ingestion_time()
- | where IngestionTime > ago(dt_lookBack)
- | where DeviceVendor =~ 'Palo Alto Networks'
- | where DeviceEventClassID =~ 'url'
- //Uncomment the line below to only alert on allowed connections
- //| where DeviceAction !~ "block-url"
- //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
- | extend PA_Url = columnifexists("RequestURL", "None")
- | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
- | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
- | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
- | where isnotempty(Domain)
- | extend Domain = tolower(Domain)
- | extend parts = split(Domain, '.')
- //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
- | extend tld = parts[(array_length(parts)-1)]
- //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
- | where tld in~ (list_tlds)
- | extend CommonSecurityLog_TimeGenerated = TimeGenerated
- ) on $left.DomainName==$right.Domain
- | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
- | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
- | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ //Create a list of TLDs in our threat feed for later validation of extracted domains
+ let list_tlds = ThreatIntelligenceIndicator
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend DomainName = tolower(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(DomainName)
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ CommonSecurityLog
+ | extend IngestionTime = ingestion_time()
+ | where IngestionTime > ago(dt_lookBack)
+ | where DeviceVendor =~ 'Palo Alto Networks'
+ | where DeviceEventClassID =~ 'url'
+ //Uncomment the line below to only alert on allowed connections
+ //| where DeviceAction !~ "block-url"
+ //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
+ | extend PA_Url = columnifexists("RequestURL", "None")
+ | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
+ | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
+ | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
+ | where isnotempty(Domain)
+ | extend Domain = tolower(Domain)
+ | extend parts = split(Domain, '.')
+ //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
+ | extend tld = parts[(array_length(parts)-1)]
+ //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
+ | where tld in~ (list_tlds)
+ | extend CommonSecurityLog_TimeGenerated = TimeGenerated
+ )
+ on $left.DomainName==$right.Domain
+ | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod
+ | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
entityMappings:
- entityType: Host
fieldMappings:
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
index 87b21e20da3..cdbd3a83ee8 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
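Review bot: The join `on $left.DomainName==$right.Domain` is case-sensitive and only the right side is normalised (`| extend Domain = tolower(Domain)`); on the indicator side `tolower(DomainName)` is applied inside `list_tlds` but not on the `ThreatIntelligenceIndicator` rows that feed the join, so an indicator stored with any upper-case character never matches even though its TLD passes the case-insensitive `in~` check. Adding `| extend DomainName = tolower(DomainName)` after `| where isnotempty(DomainName)` on the indicator side closes that gap. The CommonSecurityLog hunk above (L60–L61) and the SecurityAlert and Syslog hunks below have the same asymmetry (their right side is extracted from a `tolower(...)` string), and the DnsEvents hunk lowercases neither `DomainName` nor `Name`.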
@@ -24,48 +24,49 @@ tactics:
- Impact
query: |
- let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- //Create a list of TLDs in our threat feed for later validation
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | join (
- SecurityAlert
- | where TimeGenerated > ago(dt_lookBack)
- | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
- | where MSTI == false
- //Extract domain patterns from message
- | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})", 1, tolower(Entities))
- | where isnotempty(domain)
- | extend parts = split(domain, '.')
- //Split out the TLD
- | extend tld = parts[(array_length(parts)-1)]
- //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
- | where tld in~ (list_tlds)
- // Converting Entities into dynamic data type and use mv-expand to unpack the array
- | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
- // Parsing relevant entity column extract hostname and IP address
- | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)
- | extend HostName = iif(EntityType == 'host', EntityHostName, '')
- | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')
- | extend Alert_TimeGenerated = TimeGenerated
- | extend Alert_Description = Description
- ) on $left.DomainName==$right.domain
- | where Alert_TimeGenerated < ExpirationDateTime
- | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
- | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url
- | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ //Create a list of TLDs in our threat feed for later validation
+ let list_tlds = ThreatIntelligenceIndicator
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(DomainName)
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ SecurityAlert
+ | where TimeGenerated > ago(dt_lookBack)
+ | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
+ | where MSTI == false
+ //Extract domain patterns from message
+ | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})", 1, tolower(Entities))
+ | where isnotempty(domain)
+ | extend parts = split(domain, '.')
+ //Split out the TLD
+ | extend tld = parts[(array_length(parts)-1)]
+ //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
+ | where tld in~ (list_tlds)
+ // Converting Entities into dynamic data type and use mv-expand to unpack the array
+ | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
+ // Parsing relevant entity column extract hostname and IP address
+ | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)
+ | extend HostName = iif(EntityType == 'host', EntityHostName, '')
+ | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')
+ | extend Alert_TimeGenerated = TimeGenerated
+ | extend Alert_Description = Description
+ )
+ on $left.DomainName==$right.domain
+ | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url
+ | extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url
entityMappings:
- entityType: Host
fieldMappings:
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
index 8cd92f994c8..4a93f8749f7 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
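Review bot: `extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})", 1, tolower(Entities))` returns only the first domain-looking string in the whole Entities JSON, so an alert that carries several entities is checked against the feed for one domain only, and that first hit may be a benign host name rather than the one of interest. Since the hunk already unpacks Entities with `parse_json`/`mv-expand`, extracting the candidate domain per expanded entity (or using `extract_all` and expanding its result) before the TLD check would cover every domain in the alert. The Syslog hunk below (L70–L71) has the same first-match-only extraction from `SyslogMessage`. Note also that `HostName` and `IP_addr` are populated on different expanded rows, and the following `summarize ... arg_max(Alert_TimeGenerated, *) by IndicatorId` keeps a single row, so the surviving alert carries at most one of the two entities.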
@@ -21,39 +21,40 @@ tactics:
- Impact
query: |
- let dt_lookBack = 1h;
- let ioc_lookBack = 14d;
- //Create a list of TLDs in our threat feed for later validation
- let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
- // Picking up only IOC's that contain the entities we want
- | where isnotempty(DomainName)
- | join (
- Syslog
- | where TimeGenerated > ago(dt_lookBack)
- //Extract domain patterns from syslog message
- | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
- | where isnotempty(domain)
- | extend parts = split(domain, '.')
- //Split out the TLD
- | extend tld = parts[(array_length(parts)-1)]
- //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
- | where tld in~ (list_tlds)
- | extend Syslog_TimeGenerated = TimeGenerated
- ) on $left.DomainName==$right.domain
- | where Syslog_TimeGenerated < ExpirationDateTime
- | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId
- | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
- | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ //Create a list of TLDs in our threat feed for later validation
+ let list_tlds = ThreatIntelligenceIndicator
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(DomainName)
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ Syslog
+ | where TimeGenerated > ago(dt_lookBack)
+ //Extract domain patterns from syslog message
+ | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
+ | where isnotempty(domain)
+ | extend parts = split(domain, '.')
+ //Split out the TLD
+ | extend tld = parts[(array_length(parts)-1)]
+ //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
+ | where tld in~ (list_tlds)
+ | extend Syslog_TimeGenerated = TimeGenerated
+ )
+ on $left.DomainName==$right.domain
+ | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
+ | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
entityMappings:
- entityType: Host
fieldMappings:
diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
index 127cff908a2..3555c00d2c4 100644
--- a/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
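Review bot: Dropping `| where Syslog_TimeGenerated < ExpirationDateTime` is only safe because the indicator side is restricted with `ExpirationDateTime > now()` and the event window is `ago(dt_lookBack)`, which together imply every joined event precedes the indicator's expiry; nothing in the query records that dependency, so a later edit to either filter would silently reintroduce matches against expired indicators. A one-line comment after `on $left.DomainName==$right.domain`, e.g. `// no expiry check needed here: indicators are filtered to ExpirationDateTime > now() above and events are at most dt_lookBack old`, keeps the invariant visible. The same guard is removed in the DnsEvents, PaloAlto, SecurityAlert, Email*, FileHash* and IP* hunks (L62–L82); for the Email*, FileHash* and IP* files the indicator-side expiry filter sits above the hunk and is not visible here, so it should be confirmed there before the removal is relied on.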
+++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml @@ -30,14 +30,14 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller) | extend Caller = tolower(Caller) | where Caller matches regex emailregex | extend AzureActivity_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.Caller - | where AzureActivity_TimeGenerated < ExpirationDateTime | summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml index 0dc1fb0fafb..8373931fff6 100644 --- a/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml +++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml 
@@ -30,13 +30,13 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId) | where UserId matches regex emailregex | extend OfficeActivity_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.UserId - | where OfficeActivity_TimeGenerated < ExpirationDateTime | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml index 7dfb967350a..c97586879a4 100644 --- a/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml +++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml 
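Review bot: `UserId` is joined to `EmailSenderAddress` with a case-sensitive `==` and is never normalised, whereas the sibling SecurityEvent and SigninLogs hunks (L75–L76) add `| extend TargetUserName = tolower(TargetUserName)` and `| extend UserPrincipalName = tolower(UserPrincipalName)` "for exact match with EmailSenderAddress" and the AzureActivity hunk (L72) lowercases `Caller`. A UserId recorded with upper-case characters will therefore not match an indicator that the other three detections would catch, assuming EmailSenderAddress is lowercased above the hunk as those comments imply. Adding `| extend UserId = tolower(UserId)` after the `isnotempty(UserId)` filter brings this file in line; the EmailEntity_PaloAlto hunk (L74) has the same omission for `DestinationUserID`.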
@@ -30,7 +30,8 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID) // Filtering PAN Logs for specific event type to match relevant email entities | where DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3") @@ -39,7 +40,6 @@ query: | | extend CommonSecurityLog_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.DestinationUserID - | where CommonSecurityLog_TimeGenerated < ExpirationDateTime | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml index 7a146a5d74c..f9f9be31619 100644 --- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml +++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml 
@@ -30,7 +30,8 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( SecurityAlert | where TimeGenerated >= ago(dt_lookBack) | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) @@ -46,7 +47,6 @@ query: | | extend Alert_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.EntityEmail - | where Alert_TimeGenerated < ExpirationDateTime | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType, diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml index 2039dc5aa61..9ef9323f1b2 100644 --- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml +++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml @@ -30,7 +30,8 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName) //Normalizing the column to lower case for exact match with EmailSenderAddress column | extend TargetUserName = tolower(TargetUserName) 
@@ -38,7 +39,6 @@ query: | | extend SecurityEvent_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.TargetUserName - | where SecurityEvent_TimeGenerated < ExpirationDateTime | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType, diff --git a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml index 54eb40700f3..4af79c91c2f 100644 --- a/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml +++ b/Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml @@ -34,7 +34,8 @@ query: | | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName) //Normalizing the column to lower case for exact match with EmailSenderAddress column | extend UserPrincipalName = tolower(UserPrincipalName) 
@@ -46,7 +47,6 @@ query: | | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type ) on $left.EmailSenderAddress == $right.UserPrincipalName - | where SigninLogs_TimeGenerated < ExpirationDateTime | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml index 109860d2c70..17b0f96b08a 100644 --- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml +++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml 
@@ -30,14 +30,14 @@ query: | | where isnotempty(FileHashValue); // Handle matches against both lower case and uppercase versions of the hash: ( fileHashIndicators | extend FileHashValue = tolower(FileHashValue) - |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue))) - | join ( - CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) - | where isnotempty(FileHash) - | extend CommonSecurityLog_TimeGenerated = TimeGenerated + | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue))) + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) + | where isnotempty(FileHash) + | extend CommonSecurityLog_TimeGenerated = TimeGenerated ) on $left.FileHashValue == $right.FileHash - | where CommonSecurityLog_TimeGenerated < ExpirationDateTime | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml index f5d504a1345..445c1dbf315 100644 --- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml +++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml 
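Review bot: The `union` of `tolower(FileHashValue)` and `toupper(FileHashValue)` doubles the indicator set yet still misses a hash written in mixed case on either side; normalising both join keys to one case is simpler and covers every spelling, since hashes are hexadecimal and lowercasing is lossless. That would replace the union with `| extend FileHashValue = tolower(FileHashValue)` on the indicator side and add `| extend FileHash = tolower(FileHash)` inside the CommonSecurityLog subquery before `) on $left.FileHashValue == $right.FileHash`. The Covid19 variant below (L79) uses the same union pattern.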
@@ -23,10 +23,11 @@ query: | // Handle matches against both lower case and uppercase versions of the hash: ( fileHashIndicators | extend FileHashValue = tolower(FileHashValue) | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue))) - | join ( - CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) - | where isnotempty(FileHash) - | extend CommonSecurityLog_TimeGenerated = TimeGenerated + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) + | where isnotempty(FileHash) + | extend CommonSecurityLog_TimeGenerated = TimeGenerated ) on $left.FileHashValue == $right.FileHash | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml index abbb8af4304..66286ae20c0 100644 --- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml +++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml 
@@ -28,14 +28,14 @@ query: | | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true | where isnotempty(FileHashValue) - | join ( - SecurityEvent | where TimeGenerated >= ago(dt_lookBack) - | where EventID in ("8003","8002","8005") - | where isnotempty(FileHash) - | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + SecurityEvent | where TimeGenerated >= ago(dt_lookBack) + | where EventID in ("8003","8002","8005") + | where isnotempty(FileHash) + | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID ) on $left.FileHashValue == $right.FileHash - | where SecurityEvent_TimeGenerated < ExpirationDateTime | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml index e719a6d33bd..7cc245578e5 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml 
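Review bot: Unlike the CommonSecurityLog variant at L78, this join compares `FileHashValue` and `FileHash` with no case handling at all, so an indicator and an event recording the same hash in different case never match; whether FileHashValue is normalised above the hunk is not visible here. Lowercasing both keys — `| extend FileHashValue = tolower(FileHashValue)` before the join and `| extend FileHash = tolower(FileHash)` inside the SecurityEvent subquery — makes the two detections behave the same. A short comment on the `EventID in ("8003","8002","8005")` line naming what those events are would also help the next reader, since the rule's coverage depends entirely on that list.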
@@ -34,13 +34,13 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack) // renaming time column so it is clear the log this came from | extend AWSCloudTrail_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.SourceIpAddress - | where AWSCloudTrail_TimeGenerated < ExpirationDateTime | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated, TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress, diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml index 442e4231d9e..46f956f4523 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml 
@@ -31,15 +31,15 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack) - | where isnotempty(CIp) - | extend WebApp = split(_ResourceId, '/')[8] - // renaming time column so it is clear the log this came from - | extend AppService_TimeGenerated = TimeGenerated + | where isnotempty(CIp) + | extend WebApp = split(_ResourceId, '/')[8] + // renaming time column so it is clear the log this came from + | extend AppService_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.CIp - | where AppService_TimeGenerated < ExpirationDateTime | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml index ec4e8e35045..2172a0f4818 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml 
@@ -34,13 +34,13 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AzureActivity | where TimeGenerated >= ago(dt_lookBack) // renaming time column so it is clear the log this came from | extend AzureActivity_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.CallerIpAddress - | where AzureActivity_TimeGenerated < ExpirationDateTime | summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml index f4a850756cc..77276e72cd5 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml 
@@ -34,7 +34,8 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AzureDiagnostics | where TimeGenerated >= ago(dt_lookBack) | where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog") @@ -45,7 +46,6 @@ query: | | project-rename AzureFirewall_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.DestinationAddress - | where AzureFirewall_TimeGenerated < ExpirationDateTime | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml index cac67b08732..89fde96580b 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml 
@@ -31,13 +31,12 @@ query: | | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( - AzureDiagnostics - | where ResourceType =~ "VAULTS" - | where TimeGenerated >= ago(dt_lookBack) - | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress + AzureDiagnostics + | where ResourceType =~ "VAULTS" + | where TimeGenerated >= ago(dt_lookBack) + | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress ) on $left.TI_ipEntity == $right.ClientIP - | where KeyVaultEvents_TimeGenerated < ExpirationDateTime | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP | project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml index 22bc153bdfc..2c3d07450c9 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureNetworkAnalytics.yaml 
@@ -31,7 +31,8 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( AzureNetworkAnalytics_CL | where TimeGenerated >= ago(dt_lookBack) // renaming time column so it is clear the log this came from @@ -41,7 +42,6 @@ query: | | extend PIP = tostring(PIPs[0]) ) on $left.TI_ipEntity == $right.PIP - | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId // Set to alert on Allowed NSG Flows from TI Public IP IOC | where FlowStatus_s == "A" diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml index 999209c70eb..1442b8bee20 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml 
@@ -28,17 +28,16 @@ query: | | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( - AzureDiagnostics - | where TimeGenerated >= ago(dt_lookBack) - | where ResourceProvider == 'MICROSOFT.SQL' - | where Category == 'SQLSecurityAuditEvents' - | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated - // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas - | extend ClientIP = column_ifexists("client_ip_s", "Not Available"), Action = column_ifexists("action_name_s", "Not Available"), - Application = column_ifexists("application_name_s", "Not Available"), HostName = column_ifexists("host_name_s", "Not Available") + AzureDiagnostics + | where TimeGenerated >= ago(dt_lookBack) + | where ResourceProvider == 'MICROSOFT.SQL' + | where Category == 'SQLSecurityAuditEvents' + | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated + // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas + | extend ClientIP = column_ifexists("client_ip_s", "Not Available"), Action = column_ifexists("action_name_s", "Not Available"), + Application = column_ifexists("application_name_s", "Not Available"), HostName = column_ifexists("host_name_s", "Not Available") ) on $left.TI_ipEntity == $right.ClientIP - | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml index 1a2717b4b85..4d34b45098e 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml @@ -34,7 +34,8 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( DnsEvents | where TimeGenerated >= ago(dt_lookBack) | where SubType =~ "LookupQuery" and isnotempty(IPAddresses) | extend SingleIP = split(IPAddresses, ",") @@ -44,7 +45,6 @@ query: | | extend DNS_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.SingleIP - | where DNS_TimeGenerated < ExpirationDateTime | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml index 806c334f98d..bc4fa1c8435 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml 
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml @@ -34,13 +34,13 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( OfficeActivity | where TimeGenerated >= ago(dt_lookBack) // renaming time column so it is clear the log this came from | extend OfficeActivity_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.ClientIP - | where OfficeActivity_TimeGenerated < ExpirationDateTime | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml index c17bba3e235..c8050fbffb9 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml 
@@ -34,14 +34,14 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( VMConnection | where TimeGenerated >= ago(dt_lookBack) // renaming time column so it is clear the log this came from | extend VMConnection_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.RemoteIp - | where VMConnection_TimeGenerated < ExpirationDateTime | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated, TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml index 3520c27aa9d..fc5133f4ca2 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml 
@@ -34,7 +34,8 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( W3CIISLog | where TimeGenerated >= ago(dt_lookBack) | where isnotempty(cIP) @@ -42,7 +43,6 @@ query: | | extend W3CIISLog_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.cIP - | where W3CIISLog_TimeGenerated < ExpirationDateTime | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, W3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status, diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml index 374d0717b48..551dd956c35 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml 
@@ -34,14 +34,14 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | join ( + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( WireData | where TimeGenerated >= ago(dt_lookBack) | where isnotempty(RemoteIP) // renaming time column so it is clear the log this came from | extend WireData_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.RemoteIP - | where WireData_TimeGenerated < ExpirationDateTime | summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated, TI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress diff --git a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml index 6fa5291c77c..6f7ebd9f17a 100644 --- a/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml 
@@ -38,6 +38,7 @@ query: | | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( table(tableName) | where TimeGenerated >= ago(dt_lookBack) | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails) @@ -47,7 +48,6 @@ query: | | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type ) on $left.TI_ipEntity == $right.IPAddress - | where SigninLogs_TimeGenerated < ExpirationDateTime | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml index 8d3a106651c..030e8fcbd19 100644 --- a/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml +++ b/Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml 
@@ -29,17 +29,18 @@ query: | | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(Url) - | join ( - AuditLogs - | where TimeGenerated >= ago(dt_lookBack) - // Extract the URL that is contained within the JSON data - | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources)) - | where isnotempty(Url) - | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) - | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName) - | extend Audit_TimeGenerated = TimeGenerated - ) on Url - | where Audit_TimeGenerated < ExpirationDateTime + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + AuditLogs + | where TimeGenerated >= ago(dt_lookBack) + // Extract the URL that is contained within the JSON data + | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources)) + | where isnotempty(Url) + | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) + | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName) + | extend Audit_TimeGenerated = TimeGenerated + ) + on Url | summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Audit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml index d83c41fe435..b84510fe764 100644 --- a/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml 
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml 
@@ -26,19 +26,20 @@ query: | | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(Url) - | join ( - OfficeActivity - | where TimeGenerated >= ago(dt_lookBack) - //Extract the Url from a number of potential fields - | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue)) - | where isnotempty(Url) - // Ensure we get a clean URL - | extend Url = tostring(split(Url, ';')[0]) - | extend OfficeActivity_TimeGenerated = TimeGenerated - // Project a single user identity that we can use for entity mapping - | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) - ) on Url - | where OfficeActivity_TimeGenerated < ExpirationDateTime + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + OfficeActivity + | where TimeGenerated >= ago(dt_lookBack) + //Extract the Url from a number of potential fields + | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue)) + | where isnotempty(Url) + // Ensure we get a clean URL + | extend Url = tostring(split(Url, ';')[0]) + | extend OfficeActivity_TimeGenerated = TimeGenerated + // Project a single user identity that we can use for entity mapping + | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) + ) + on Url | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId | project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, UserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml index 698ed86151f..bb588e25a7f 100644 --- a/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml +++ b/Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml 
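Review bot: The re-indented `| extend User = ...` line on the new side still ends in `tostring(parse_json(Parameters)[0].Vlaue)`, which looks like a typo for `.Value`; as written the last fallback for the user identity always yields an empty string, so records with neither UserId nor Actor get no User at all. Since the line is now part of the added side of this commit it is the natural place to correct it: `tostring(parse_json(Parameters)[0].Value)`. Whatever entity mapping consumes the User column lies outside the hunk, so I cannot confirm from here which alert field goes blank as a result.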
@@ -29,23 +29,24 @@ query: | | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(Url) - | join ( - CommonSecurityLog - | extend IngestionTime = ingestion_time() - | where IngestionTime > ago(dt_lookBack) - // Select on Palo Alto logs - | where DeviceVendor =~ "Palo Alto Networks" - | where DeviceEventClassID =~ 'url' - //Uncomment the line below to only alert on allowed connections - //| where DeviceAction !~ "block-url" - //Select logs where URL data is populated - | extend PA_Url = columnifexists("RequestURL", "None") - | extend PA_Url = iif(isempty(PA_Url), extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url)) - | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url)) - | where isnotempty(PA_Url) - | extend CommonSecurityLog_TimeGenerated = TimeGenerated - ) on $left.Url == $right.PA_Url - | where CommonSecurityLog_TimeGenerated < ExpirationDateTime + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + CommonSecurityLog + | extend IngestionTime = ingestion_time() + | where IngestionTime > ago(dt_lookBack) + // Select on Palo Alto logs + | where DeviceVendor =~ "Palo Alto Networks" + | where DeviceEventClassID =~ 'url' + //Uncomment the line below to only alert on allowed connections + //| where DeviceAction !~ "block-url" + //Select logs where URL data is populated + | extend PA_Url = columnifexists("RequestURL", "None") + | extend PA_Url = iif(isempty(PA_Url), extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url)) + | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ 
"ssl", strcat('https://', PA_Url), PA_Url)) + | where isnotempty(PA_Url) + | extend CommonSecurityLog_TimeGenerated = TimeGenerated + ) + on $left.Url == $right.PA_Url | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url entityMappings: diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml index 66823b9f35e..1b5379f3fd1 100644 --- a/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml +++ b/Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml 
@@ -32,20 +32,21 @@ query: |
 | where Active == true
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(Url)
- | join (
- SecurityAlert
- | where TimeGenerated >= ago(dt_lookBack)
- | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
- | where MSTI == false
- // Extract URL from JSON data
- | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,Entities)
- // We only want alerts that actually contain URL data
- | where isnotempty(Url)
- // Extract hostname from JSON data for entity mapping
- | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
- | extend Alert_TimeGenerated = TimeGenerated
- ) on Url
- | where Alert_TimeGenerated < ExpirationDateTime
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ SecurityAlert
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
+ | where MSTI == false
+ // Extract URL from JSON data
+ | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,Entities)
+ // We only want alerts that actually contain URL data
+ | where isnotempty(Url)
+ // Extract hostname from JSON data for entity mapping
+ | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
+ | extend Alert_TimeGenerated = TimeGenerated
+ )
+ on Url
 | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, AlertSeverity, Description, Url, Compromised_Host
diff --git a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
index bf807f966f9..833e4a6d271 100644
--- a/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
@@ -29,15 +29,16 @@ query: |
 | where Active == true
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(Url)
- | join (
- Syslog
- | where TimeGenerated >= ago(dt_lookBack)
- // Extract URL from the Syslog message but only take messages that include URLs
- | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
- | where isnotempty(Url)
- | extend Syslog_TimeGenerated = TimeGenerated
- ) on Url
- | where Syslog_TimeGenerated < ExpirationDateTime
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ Syslog
+ | where TimeGenerated >= ago(dt_lookBack)
+ // Extract URL from the Syslog message but only take messages that include URLs
+ | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
+ | where isnotempty(Url)
+ | extend Syslog_TimeGenerated = TimeGenerated
+ )
+ on Url
 | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP
 | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
From 02c7c746bdea59be940e23fd772bc889fbacb794 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Thu, 25 Nov 2021 20:13:01 +0100
Subject: [PATCH 62/64] Update versions and equalize COVID19 detection
---
 .../FileHashEntity_Covid19_CommonSecurityLog.yaml | 4 ++--
 .../ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml | 2 +-
 .../ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml | 2 +-
 Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
index 445c1dbf315..9cfb35b93dd 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
@@ -30,7 +30,7 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.FileHashValue == $right.FileHash
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue
+ | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue
 | project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
@@ -48,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml
index 77276e72cd5..39ad268fcc1 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml
@@ -59,5 +59,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml
index 89fde96580b..ba3911985db 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml
@@ -50,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: ResourceId
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml
index 1442b8bee20..240026477e5 100644
--- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml
+++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureSQL.yaml
@@ -47,5 +47,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
From d635700bca29e5d2fd778cc72bc4cdebe55867a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Thu, 25 Nov 2021 20:15:28 +0100
Subject: [PATCH 63/64] Made error formatting
---
 .../DomainEntity_CommonSecurityLog.yaml | 14 +++++++-------
 .../DomainEntity_PaloAlto.yaml | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
index fec736d5c48..10e97931677 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_CommonSecurityLog.yaml
@@ -22,13 +22,13 @@ query: |
 let ioc_lookBack = 14d;
 //Create a list of TLDs in our threat feed for later validation of extracted domains
 let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend DomainName = tolower(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend DomainName = tolower(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
 ThreatIntelligenceIndicator
 | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
diff --git a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
index a198d4f8b79..25452aefda8 100644
--- a/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
+++ b/Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
@@ -25,13 +25,13 @@ query: |
 let ioc_lookBack = 14d;
 //Create a list of TLDs in our threat feed for later validation of extracted domains
 let list_tlds = ThreatIntelligenceIndicator
- | where TimeGenerated > ago(ioc_lookBack)
- | where isnotempty(DomainName)
- | extend DomainName = tolower(DomainName)
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts)-1)]
- | summarize count() by tostring(tld)
- | summarize make_list(tld);
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend DomainName = tolower(DomainName)
+ | extend parts = split(DomainName, '.')
+ | extend tld = parts[(array_length(parts)-1)]
+ | summarize count() by tostring(tld)
+ | summarize make_list(tld);
 ThreatIntelligenceIndicator
 | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
From 998ec292c8cb4a27eb7093f641f5cd43ec2d338b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Thu, 25 Nov 2021 20:34:32 +0100
Subject: [PATCH 64/64] Correct error
---
 .../FileHashEntity_Covid19_CommonSecurityLog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
index 9cfb35b93dd..ccd35b27110 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
+++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
@@ -30,7 +30,7 @@ query: |
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 ) on $left.FileHashValue == $right.FileHash
- | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue
 | project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity
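Review bot: `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue` sits after the join, so all CommonSecurityLog rows that matched one hash collapse into the single row carried by the newest indicator and hits on the same hash from other `SourceIP`/`DeviceName` values are dropped; `TimeGenerated` here presumably resolves to the indicator side, since the event copy was renamed to `CommonSecurityLog_TimeGenerated` and a right-side duplicate is suffixed on join. The domain detections in the previous patch compute `LatestIndicatorTime` with `arg_max(TimeGenerated, *) by IndicatorId` before joining, and the URL detections key their post-join `summarize` on the event timestamp by `IndicatorId`; the form this patch reverts presumably failed because no pre-join `LatestIndicatorTime` exists in this file, so moving the indicator summarize above the join (outside this hunk) and keeping `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId` here would align it with the rest of the series. The enclosing query starts before the hunk.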