Lumen TI IPAddress in OfficeActivity
| Id | 0e96c419-68eb-4235-947e-7e86e136cda0 |
| Rulename | Lumen TI IPAddress in OfficeActivity |
| Description | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | LumenThreatFeedConnector Office365 ThreatIntelligenceUploadIndicatorsAPI |
| Kind | Scheduled |
| Query frequency | 4h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_OfficeActivity.yaml |
| Version | 1.0.0 |
| Arm template | 0e96c419-68eb-4235-947e-7e86e136cda0.json |
let dt_lookBack = 1d; // Data lookback for OfficeActivity
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'ipv4-addr:value'
| extend TI_ipEntity = ObservableValue
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack)
| extend OA_ipEntity = ClientIP
| extend OfficeActivity_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.OA_ipEntity
| where OfficeActivity_TimeGenerated < ValidUntil
| summarize arg_max(OfficeActivity_TimeGenerated, *), StartTime = min(OfficeActivity_TimeGenerated), EndTime = max(OfficeActivity_TimeGenerated) by Id, OA_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserId, ClientIP, Operation, Id, Tags, ValidUntil, Confidence, TI_ipEntity, OA_ipEntity, Type
id: 0e96c419-68eb-4235-947e-7e86e136cda0
queryFrequency: 4h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_OfficeActivity.yaml
tactics:
- CommandAndControl
name: Lumen TI IPAddress in OfficeActivity
triggerThreshold: 0
relevantTechniques:
- T1071
kind: Scheduled
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: Office365
dataTypes:
- OfficeActivity
queryPeriod: 14d
triggerOperator: gt
query: |
let dt_lookBack = 1d; // Data lookback for OfficeActivity
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'ipv4-addr:value'
| extend TI_ipEntity = ObservableValue
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack)
| extend OA_ipEntity = ClientIP
| extend OfficeActivity_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.OA_ipEntity
| where OfficeActivity_TimeGenerated < ValidUntil
| summarize arg_max(OfficeActivity_TimeGenerated, *), StartTime = min(OfficeActivity_TimeGenerated), EndTime = max(OfficeActivity_TimeGenerated) by Id, OA_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserId, ClientIP, Operation, Id, Tags, ValidUntil, Confidence, TI_ipEntity, OA_ipEntity, Type
suppressionDuration: 5h
entityMappings:
- fieldMappings:
- identifier: Address
columnName: OA_ipEntity
entityType: IP
version: 1.0.0
description: |
This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
severity: Medium
suppressionEnabled: true
displayName: Lumen TI IPAddress in OfficeActivity