Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Network endpoint to host executable correlation

Back
Id01f64465-b1ef-41ea-a7f5-31553a11ad43
RulenameNetwork endpoint to host executable correlation
DescriptionCorrelates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsSecurityEvents
TrendMicro
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
Version1.1.6
Arm template01f64465-b1ef-41ea-a7f5-31553a11ad43.json
Deploy To Azure
let endpointData = 
(union isfuzzy=true
(SecurityEvent
  | where EventID == 4688
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  ),
  (WindowsEvent
  | where EventID == 4688
  | extend  NewProcessName = tostring(EventData.NewProcessName)
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  | extend TargetUserName = tostring(EventData.TargetUserName)
  ));
// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
CommonSecurityLog
| where DeviceVendor =~ "Trend Micro"
| where Activity =~ "Deny List updated" 
| where RequestURL endswith ".exe"
| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP
| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName 
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
query: |
  let endpointData = 
  (union isfuzzy=true
  (SecurityEvent
    | where EventID == 4688
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    ),
    (WindowsEvent
    | where EventID == 4688
    | extend  NewProcessName = tostring(EventData.NewProcessName)
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    | extend TargetUserName = tostring(EventData.TargetUserName)
    ));
  // Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
  CommonSecurityLog
  | where DeviceVendor =~ "Trend Micro"
  | where Activity =~ "Deny List updated" 
  | where RequestURL endswith ".exe"
  | project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP
  | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
  | join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName 
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
description: |
    'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
severity: Medium
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: TrendMicro
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
name: Network endpoint to host executable correlation
triggerThreshold: 0
tactics:
- Execution
version: 1.1.6
relevantTechniques:
- T1204
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TargetUserName
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RequestURL
    identifier: Url
id: 01f64465-b1ef-41ea-a7f5-31553a11ad43
status: Available
kind: Scheduled
queryFrequency: 1d
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "properties": {
        "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43",
        "customDetails": null,
        "description": "'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\n",
        "displayName": "Network endpoint to host executable correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUserName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml",
        "query": "let endpointData = \n(union isfuzzy=true\n(SecurityEvent\n  | where EventID == 4688\n  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n  ),\n  (WindowsEvent\n  | where EventID == 4688\n  | extend  NewProcessName = tostring(EventData.NewProcessName)\n  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n  | extend TargetUserName = tostring(EventData.TargetUserName)\n  ));\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.1.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}