Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

RecordedFuture Threat Hunting Url All Actors

Back
Id3f6f0d1a-f2f9-4e01-881a-c55a4a71905b
RulenameRecordedFuture Threat Hunting Url All Actors
DescriptionRecorded Future Threat Hunting Url correlation for all actors.
SeverityMedium
TacticsPersistence
PrivilegeEscalation
DefenseEvasion
TechniquesT1098
T1078
Required data connectorsThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency15m
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
Version1.1.0
Arm template3f6f0d1a-f2f9-4e01-881a-c55a4a71905b.json
Deploy To Azure
let ioc_lookBack = 1d;
// The source table (_Im_WebSession) is a ASIM parser table, but can be replaced by any infrastructure table containing Url data.
// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns
_Im_WebSession
| where isnotempty(Url)
| extend lowerUrl=tolower(Url)
| join kind=inner (
ThreatIntelIndicators
// Only look for IOCs
| where ObservableKey == 'url:value'
| where isnotempty(ObservableValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Data.description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now()
| extend lowerUrl=tolower(ObservableValue)
) on lowerUrl
// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.Url
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
| project Url=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink
queryFrequency: 15m
description: |
    'Recorded Future Threat Hunting Url correlation for all actors.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
triggerOperator: gt
queryPeriod: 1d
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
kind: Scheduled
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
relevantTechniques:
- T1098
- T1078
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
severity: Medium
name: RecordedFuture Threat Hunting Url All Actors
customDetails:
  ActorInformation: RecordedFuturePortalLink
query: |
  let ioc_lookBack = 1d;
  // The source table (_Im_WebSession) is a ASIM parser table, but can be replaced by any infrastructure table containing Url data.
  // The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns
  _Im_WebSession
  | where isnotempty(Url)
  | extend lowerUrl=tolower(Url)
  | join kind=inner (
  ThreatIntelIndicators
  // Only look for IOCs
  | where ObservableKey == 'url:value'
  | where isnotempty(ObservableValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Data.description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
  | extend lowerUrl=tolower(ObservableValue)
  ) on lowerUrl
  // select column from the source table to match with Recorded Future ThreatIntelIndicators $left.Url
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
  | project Url=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink  
triggerThreshold: 0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
  alertDisplayNameFormat: '{{Description}}'
  alertDescriptionFormat: '*{{Description}}**\n\nCorrelation found on {{Url}} from the {{Type}} table.\n'
version: 1.1.0
requiredDataConnectors:
- dataTypes:
  - ThreatIntelIndicators
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
id: 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",
          "alertDisplayNameFormat": "{{Description}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "RecordedFuturePortalLink"
            }
          ]
        },
        "alertRuleTemplateName": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b",
        "customDetails": {
          "ActorInformation": "RecordedFuturePortalLink"
        },
        "description": "'Recorded Future Threat Hunting Url correlation for all actors.'\n",
        "displayName": "RecordedFuture Threat Hunting Url All Actors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml",
        "query": "let ioc_lookBack = 1d;\n// The source table (_Im_WebSession) is a ASIM parser table, but can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns\n_Im_WebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelIndicators\n// Only look for IOCs\n| where ObservableKey == 'url:value'\n| where isnotempty(ObservableValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Data.description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n| where IsActive == true and ValidUntil > now()\n| extend lowerUrl=tolower(ObservableValue)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']\n| project Url=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}