Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI map Email entity to Cloud App Events

Back
Id0385e99c-ae45-45f4-aecf-00104485cd6b
RulenameTI map Email entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s email entity from TI
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
Version1.0.5
Arm template0385e99c-ae45-45f4-aecf-00104485cd6b.json
Deploy To Azure
let dt_lookBack = 10d;
let ioc_lookBack = 30d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
//extract key part of kv pair
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType == "email-addr"
  | extend EmailSenderAddress = ObservableValue
  | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, "@") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, "@") - 1)
  | project-reorder *, EmailSenderAddress, EmailSourceDomain, Type
  | extend IndicatorId = tostring(split(Id, "--")[2])
  | join kind=innerunique (CloudAppEvents
| extend User_Id = tostring(RawEventData.UserId)
| where isnotempty(User_Id)
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)
| extend CloudAppEvents_TimeGenerated = TimeGenerated 
| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id
| where CloudAppEvents_TimeGenerated < ValidUntil
| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id
| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])
| extend timestamp = CloudAppEvents_TimeGenerated
triggerThreshold: 0
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
severity: Medium
queryFrequency: 1h
id: 0385e99c-ae45-45f4-aecf-00104485cd6b
relevantTechniques:
- T1566
queryPeriod: 14d
name: TI map Email entity to Cloud App Events
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
version: 1.0.5
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: DisplayName
  - columnName: User_Id
    identifier: FullName
  - columnName: UPNSuffix
    identifier: UPNSuffix
description: |
    'Identifies compromises and attacks and detect malicious activities in one's email entity from TI'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml
query: |
  let dt_lookBack = 10d;
  let ioc_lookBack = 30d;
  let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
  ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
  //extract key part of kv pair
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "email-addr"
    | extend EmailSenderAddress = ObservableValue
    | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, "@") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, "@") - 1)
    | project-reorder *, EmailSenderAddress, EmailSourceDomain, Type
    | extend IndicatorId = tostring(split(Id, "--")[2])
    | join kind=innerunique (CloudAppEvents
  | extend User_Id = tostring(RawEventData.UserId)
  | where isnotempty(User_Id)
  | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)
  | extend CloudAppEvents_TimeGenerated = TimeGenerated 
  | where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id
  | where CloudAppEvents_TimeGenerated < ValidUntil
  | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id
  | extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])
  | extend timestamp = CloudAppEvents_TimeGenerated  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0385e99c-ae45-45f4-aecf-00104485cd6b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0385e99c-ae45-45f4-aecf-00104485cd6b')]",
      "properties": {
        "alertRuleTemplateName": "0385e99c-ae45-45f4-aecf-00104485cd6b",
        "customDetails": null,
        "description": "'Identifies compromises and attacks and detect malicious activities in one's email entity from TI'\n",
        "displayName": "TI map Email entity to Cloud App Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "DisplayName"
              },
              {
                "columnName": "User_Id",
                "identifier": "FullName"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/EmailEntity_CloudAppEvents_Updated.yaml",
        "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue\n  | where IsActive and (ValidUntil > now() or isempty(ValidUntil))\n//extract key part of kv pair\n  | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n  | where IndicatorType == \"email-addr\"\n  | extend EmailSenderAddress = ObservableValue\n  | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, \"@\") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, \"@\") - 1)\n  | project-reorder *, EmailSenderAddress, EmailSourceDomain, Type\n  | extend IndicatorId = tostring(split(Id, \"--\")[2])\n  | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id\n| where CloudAppEvents_TimeGenerated < ValidUntil\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}