Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Network endpoint to host executable correlation

Back
Id01f64465-b1ef-41ea-a7f5-31553a11ad43
RulenameNetwork endpoint to host executable correlation
DescriptionCorrelates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsSecurityEvents
TrendMicro
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
Version1.1.6
Arm template01f64465-b1ef-41ea-a7f5-31553a11ad43.json
Deploy To Azure
let endpointData = 
(union isfuzzy=true
(SecurityEvent
  | where EventID == 4688
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  ),
  (WindowsEvent
  | where EventID == 4688
  | extend  NewProcessName = tostring(EventData.NewProcessName)
  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
  | extend TargetUserName = tostring(EventData.TargetUserName)
  ));
// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
CommonSecurityLog
| where DeviceVendor =~ "Trend Micro"
| where Activity =~ "Deny List updated" 
| where RequestURL endswith ".exe"
| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP
| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName 
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
query: |
  let endpointData = 
  (union isfuzzy=true
  (SecurityEvent
    | where EventID == 4688
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    ),
    (WindowsEvent
    | where EventID == 4688
    | extend  NewProcessName = tostring(EventData.NewProcessName)
    | extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
    | extend TargetUserName = tostring(EventData.TargetUserName)
    ));
  // Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints
  CommonSecurityLog
  | where DeviceVendor =~ "Trend Micro"
  | where Activity =~ "Deny List updated" 
  | where RequestURL endswith ".exe"
  | project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP
  | extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))
  | join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName 
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
description: |
    'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: TrendMicro
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
name: Network endpoint to host executable correlation
relevantTechniques:
- T1204
queryPeriod: 1d
severity: Medium
triggerOperator: gt
version: 1.1.6
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: TargetUserName
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
kind: Scheduled
status: Available
tactics:
- Execution
id: 01f64465-b1ef-41ea-a7f5-31553a11ad43
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/01f64465-b1ef-41ea-a7f5-31553a11ad43')]",
      "properties": {
        "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43",
        "customDetails": null,
        "description": "'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\n",
        "displayName": "Network endpoint to host executable correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUserName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Threat Protection Essentials/Analytic Rules/NetworkEndpointCorrelation.yaml",
        "query": "let endpointData = \n(union isfuzzy=true\n(SecurityEvent\n  | where EventID == 4688\n  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n  ),\n  (WindowsEvent\n  | where EventID == 4688\n  | extend  NewProcessName = tostring(EventData.NewProcessName)\n  | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n  | extend TargetUserName = tostring(EventData.TargetUserName)\n  ));\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.1.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}