Lumen TI IPAddress in SecurityEvents

let dt_lookBack = 1d;  // Data lookback for SecurityEvent
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
    SecurityEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | extend SE_ipEntity = IpAddress
    | extend SecurityEvent_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.SE_ipEntity
| where SecurityEvent_TimeGenerated < ValidUntil
| summarize arg_max(SecurityEvent_TimeGenerated, *), StartTime = min(SecurityEvent_TimeGenerated), EndTime = max(SecurityEvent_TimeGenerated) by Id, SE_ipEntity
| project timestamp = EndTime, StartTime, EndTime, Computer, IpAddress, EventID, Activity, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SE_ipEntity, Type

id: 140a2cb5-4b4a-485c-aab3-2415c24d37e6
queryFrequency: 4h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_SecurityEvent.yaml
tactics:
- CommandAndControl
name: Lumen TI IPAddress in SecurityEvents
triggerThreshold: 0
relevantTechniques:
- T1071
kind: Scheduled
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
queryPeriod: 14d
triggerOperator: gt
query: |
  let dt_lookBack = 1d;  // Data lookback for SecurityEvent
  let ioc_lookBack = 14d; // TI lookback
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  | join kind=innerunique (
      SecurityEvent
      | where TimeGenerated >= ago(dt_lookBack)
      | extend SE_ipEntity = IpAddress
      | extend SecurityEvent_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.SE_ipEntity
  | where SecurityEvent_TimeGenerated < ValidUntil
  | summarize arg_max(SecurityEvent_TimeGenerated, *), StartTime = min(SecurityEvent_TimeGenerated), EndTime = max(SecurityEvent_TimeGenerated) by Id, SE_ipEntity
  | project timestamp = EndTime, StartTime, EndTime, Computer, IpAddress, EventID, Activity, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SE_ipEntity, Type  
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SE_ipEntity
  entityType: IP
version: 1.0.0
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SecurityEvents.
severity: Medium
suppressionEnabled: true
displayName: Lumen TI IPAddress in SecurityEvents