Network endpoint to host executable correlation
| Id | 01f64465-b1ef-41ea-a7f5-31553a11ad43 |
| Rulename | Network endpoint to host executable correlation |
| Description | Correlates URLs that Trend Micro blocked for hosting (presumed malicious) executables with Windows process-creation events (4688) to identify hosts on which an executable with the same file name was recently run. Matching is on the file basename only, so generic names (setup.exe, update.exe) can produce false positives. |
| Severity | Medium |
| Tactics | Execution |
| Techniques | T1204 |
| Required data connectors | SecurityEvents TrendMicro WindowsForwardedEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml |
| Version | 1.1.6 |
| Arm template | 01f64465-b1ef-41ea-a7f5-31553a11ad43.json |
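// Per-host view of process creations (Event ID 4688) from both the legacy SecurityEvent
// table and the newer WindowsEvent table. isfuzzy=true lets the union run when only one
// of the two tables exists in the workspace.
let endpointData =
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688
// basename of the started process, lower-cased so the join below is case-insensitive
| extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
),
(WindowsEvent
| where EventID == 4688
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
| extend TargetUserName = tostring(EventData.TargetUserName)
));
// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
CommonSecurityLog
| where DeviceVendor =~ "Trend Micro"
| where Activity =~ "Deny List updated"
// Match on the URL path rather than the raw RequestURL so that downloads carrying a
// query string or fragment (e.g. .../payload.exe?id=1) are not missed. Fall back to the
// raw value when parse_url yields no path (bare path or host-only entries), which keeps
// every URL the previous "RequestURL endswith '.exe'" filter accepted.
| extend urlPath = tostring(parse_url(RequestURL).Path)
| extend urlPath = iff(isempty(urlPath), RequestURL, urlPath)
| where urlPath endswith ".exe"
| project TimeGenerated, Activity, RequestURL, SourceIP, DestinationIP, urlPath
| extend suspectExeName = tolower(tostring(split(urlPath, '/')[-1]))
// NOTE: the correlation key is the file basename only. Generic names (setup.exe,
// update.exe, install.exe, ...) will match unrelated legitimate activity; add an
// exclusion list for your environment if this proves noisy.
| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName
// Surface both timestamps explicitly: TimeGenerated is the proxy block event, and
// TimeGenerated1 (the right side of the join) is the process creation on the endpoint.
// There is no ordering constraint between them beyond both falling in the query period.
| extend BlockTime = TimeGenerated, ProcessCreateTime = TimeGenerated1
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))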
queryPeriod: 1d
query: |
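// Per-host view of process creations (Event ID 4688) from both the legacy SecurityEvent
// table and the newer WindowsEvent table. isfuzzy=true lets the union run when only one
// of the two tables exists in the workspace.
let endpointData =
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688
// basename of the started process, lower-cased so the join below is case-insensitive
| extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
),
(WindowsEvent
| where EventID == 4688
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
| extend TargetUserName = tostring(EventData.TargetUserName)
));
// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
CommonSecurityLog
| where DeviceVendor =~ "Trend Micro"
| where Activity =~ "Deny List updated"
// Match on the URL path rather than the raw RequestURL so that downloads carrying a
// query string or fragment (e.g. .../payload.exe?id=1) are not missed. Fall back to the
// raw value when parse_url yields no path (bare path or host-only entries), which keeps
// every URL the previous "RequestURL endswith '.exe'" filter accepted.
| extend urlPath = tostring(parse_url(RequestURL).Path)
| extend urlPath = iff(isempty(urlPath), RequestURL, urlPath)
| where urlPath endswith ".exe"
| project TimeGenerated, Activity, RequestURL, SourceIP, DestinationIP, urlPath
| extend suspectExeName = tolower(tostring(split(urlPath, '/')[-1]))
// NOTE: the correlation key is the file basename only. Generic names (setup.exe,
// update.exe, install.exe, ...) will match unrelated legitimate activity; add an
// exclusion list for your environment if this proves noisy.
| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName
// Surface both timestamps explicitly: TimeGenerated is the proxy block event, and
// TimeGenerated1 (the right side of the join) is the process creation on the endpoint.
// There is no ordering constraint between them beyond both falling in the query period.
| extend BlockTime = TimeGenerated, ProcessCreateTime = TimeGenerated1
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))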
name: Network endpoint to host executable correlation
entityMappings:
- fieldMappings:
- columnName: TargetUserName
identifier: Name
entityType: Account
- fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: DestinationIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: RequestURL
identifier: Url
entityType: URL
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
requiredDataConnectors:
- connectorId: TrendMicro
dataTypes:
- CommonSecurityLog
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvents
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
description: |
Correlates URLs that Trend Micro blocked for hosting (presumed malicious) executables with Windows process-creation events (4688) to identify hosts on which an executable with the same file name was recently run. Matching is on the file basename only, so generic names (setup.exe, update.exe) can produce false positives.
kind: Scheduled
version: 1.1.6
status: Available
severity: Medium
relevantTechniques:
- T1204
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
id: 01f64465-b1ef-41ea-a7f5-31553a11ad43