Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI IPAddress in OfficeActivity

Lumen TI IPAddress in OfficeActivity

Back
Id0e96c419-68eb-4235-947e-7e86e136cda0
RulenameLumen TI IPAddress in OfficeActivity
DescriptionThis query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsLumenThreatFeedConnector
Office365
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_OfficeActivity.yaml
Version1.0.0
Arm template0e96c419-68eb-4235-947e-7e86e136cda0.json
Deploy To Azure
let dt_lookBack = 1d;  // Data lookback for OfficeActivity
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | extend OA_ipEntity = ClientIP
    | extend OfficeActivity_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.OA_ipEntity
| where OfficeActivity_TimeGenerated < ValidUntil
| summarize arg_max(OfficeActivity_TimeGenerated, *), StartTime = min(OfficeActivity_TimeGenerated), EndTime = max(OfficeActivity_TimeGenerated) by Id, OA_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserId, ClientIP, Operation, Id, Tags, ValidUntil, Confidence, TI_ipEntity, OA_ipEntity, Type

kind: Scheduled
suppressionDuration: 5h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: OA_ipEntity
    identifier: Address
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
severity: Medium
queryFrequency: 4h
triggerThreshold: 0
relevantTechniques:
- T1071
suppressionEnabled: true
displayName: Lumen TI IPAddress in OfficeActivity
tactics:
- CommandAndControl
name: Lumen TI IPAddress in OfficeActivity
id: 0e96c419-68eb-4235-947e-7e86e136cda0
query: |
  let dt_lookBack = 1d;  // Data lookback for OfficeActivity
  let ioc_lookBack = 14d; // TI lookback
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  | join kind=innerunique (
      OfficeActivity
      | where TimeGenerated >= ago(dt_lookBack)
      | extend OA_ipEntity = ClientIP
      | extend OfficeActivity_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.OA_ipEntity
  | where OfficeActivity_TimeGenerated < ValidUntil
  | summarize arg_max(OfficeActivity_TimeGenerated, *), StartTime = min(OfficeActivity_TimeGenerated), EndTime = max(OfficeActivity_TimeGenerated) by Id, OA_ipEntity
  | project timestamp = EndTime, StartTime, EndTime, UserId, ClientIP, Operation, Id, Tags, ValidUntil, Confidence, TI_ipEntity, OA_ipEntity, Type  
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - OfficeActivity
  connectorId: Office365
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_OfficeActivity.yaml
queryPeriod: 14d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e96c419-68eb-4235-947e-7e86e136cda0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e96c419-68eb-4235-947e-7e86e136cda0')]",
      "properties": {
        "alertRuleTemplateName": "0e96c419-68eb-4235-947e-7e86e136cda0",
        "customDetails": null,
        "description": "This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.\n",
        "displayName": "Lumen TI IPAddress in OfficeActivity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "OA_ipEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_OfficeActivity.yaml",
        "query": "let dt_lookBack = 1d;  // Data lookback for OfficeActivity\nlet ioc_lookBack = 14d; // TI lookback\nlet IP_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'ipv4-addr:value'\n  | extend TI_ipEntity = ObservableValue\n  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';\nIP_Indicators\n| join kind=innerunique (\n    OfficeActivity\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend OA_ipEntity = ClientIP\n    | extend OfficeActivity_TimeGenerated = TimeGenerated\n  ) on $left.TI_ipEntity == $right.OA_ipEntity\n| where OfficeActivity_TimeGenerated < ValidUntil\n| summarize arg_max(OfficeActivity_TimeGenerated, *), StartTime = min(OfficeActivity_TimeGenerated), EndTime = max(OfficeActivity_TimeGenerated) by Id, OA_ipEntity\n| project timestamp = EndTime, StartTime, EndTime, UserId, ClientIP, Operation, Id, Tags, ValidUntil, Confidence, TI_ipEntity, OA_ipEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}