Microsoft Sentinel Analytic Rules

Network endpoint to host executable correlation

Id: 01f64465-b1ef-41ea-a7f5-31553a11ad43
Rulename: Network endpoint to host executable correlation
Description: Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
Severity: Medium
Tactics: Execution
Techniques: T1204
Required data connectors: SecurityEvents, TrendMicro, WindowsForwardedEvents, WindowsSecurityEvents
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
Version: 1.1.3
Arm template: 01f64465-b1ef-41ea-a7f5-31553a11ad43.json
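// Correlates executable names taken from Trend Micro deny-list updates with
// Windows process-creation events (Event ID 4688) in the same query window.
// The match is on file name only, so generic names (setup.exe, update.exe) can
// produce benign hits; review the full NewProcessName path of each result.
let endpointData =
(union isfuzzy=true
  // isfuzzy=true lets the union resolve when one of the two tables is absent
  // from the workspace (only one of the Windows connectors is deployed).
  (SecurityEvent
  | where EventID == 4688
  // Lower-cased because the join below compares strings case-sensitively and
  // the URL-derived name is lower-cased; without this, "Setup.EXE" on the
  // endpoint never matches "setup.exe" from the URL.
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  ),
  (WindowsEvent
  | where EventID == 4688
  // WindowsEvent keeps the event fields inside the dynamic EventData column.
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  // NOTE(review): in 4688 the creating account is SubjectUserName and
  // TargetUserName is often "-"; confirm this is the account analysts need.
  | extend TargetUserName = tostring(EventData.TargetUserName)
  ));
// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
CommonSecurityLog
| where DeviceVendor =~ "Trend Micro"
| where Activity =~ "Deny List updated"
// endswith is case-insensitive; a URL that carries a query string or fragment
// after the file name is not selected by this filter.
| where RequestURL endswith ".exe"
| project TimeGenerated, Activity, RequestURL, SourceIP, DestinationIP
// Last path segment of the URL, lower-cased, is the join key.
| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
| join (endpointData) on $left.suspectExeName == $right.shortFileName
// TimeGenerated here is the Trend Micro event time (left side of the join);
// the process-creation time is the right-side duplicate column.
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL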
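# Scheduled analytic rule definition. It runs once a day over one day of data
# (queryFrequency / queryPeriod) and alerts when the query returns more than
# zero rows (triggerOperator gt, triggerThreshold 0).
queryFrequency: 1d
# Columns produced by the final `extend` in the query, mapped to alert entities.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1204
query: |
  // The match is on file name only, so generic names (setup.exe, update.exe)
  // can produce benign hits; review the full NewProcessName path of each result.
  let endpointData =
  (union isfuzzy=true
    (SecurityEvent
    | where EventID == 4688
    // Lower-cased because the join below compares strings case-sensitively and
    // the URL-derived name is lower-cased; without this, "Setup.EXE" on the
    // endpoint never matches "setup.exe" from the URL.
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    ),
    (WindowsEvent
    | where EventID == 4688
    | extend NewProcessName = tostring(EventData.NewProcessName)
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    // NOTE(review): in 4688 the creating account is SubjectUserName and
    // TargetUserName is often "-"; confirm this is the account analysts need.
    | extend TargetUserName = tostring(EventData.TargetUserName)
    ));
  // Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
  CommonSecurityLog
  | where DeviceVendor =~ "Trend Micro"
  | where Activity =~ "Deny List updated"
  // endswith is case-insensitive; a URL that carries a query string or fragment
  // after the file name is not selected by this filter.
  | where RequestURL endswith ".exe"
  | project TimeGenerated, Activity, RequestURL, SourceIP, DestinationIP
  | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
  | join (endpointData) on $left.suspectExeName == $right.shortFileName
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL
id: 01f64465-b1ef-41ea-a7f5-31553a11ad43
triggerOperator: gt
version: 1.1.3
# Tables the query reads: CommonSecurityLog for the Trend Micro events, and
# SecurityEvent / WindowsEvent for process creation on endpoints.
requiredDataConnectors:
- connectorId: TrendMicro
  dataTypes:
  - CommonSecurityLog
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
metadata:
  author:
    name: timbMSFT
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
    - Networking
  support:
    tier: Community
description: |
  'Correlates blocked URLs hosting [malicious] executables with host endpoint data
  to identify potential instances of executables of the same name having been recently run.'  
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
status: Available
name: Network endpoint to host executable correlation
tactics:
- Execution
kind: Scheduled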
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Network endpoint to host executable correlation",
        "description": "'Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let endpointData = \n(union isfuzzy=true\n(SecurityEvent\n  | where EventID == 4688\n  | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n  ),\n  (WindowsEvent\n  | where EventID == 4688\n  | extend  NewProcessName = tostring(EventData.NewProcessName)\n  | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n  | extend TargetUserName = tostring(EventData.TargetUserName)\n  ));\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml",
        "status": "Available",
        "templateVersion": "1.1.3"
      }
    }
  ]
}