Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI IPAddress in SigninLogs

Lumen TI IPAddress in SigninLogs

Back
Id1425aea5-a9e5-4288-886e-934b90664a91
RulenameLumen TI IPAddress in SigninLogs
DescriptionThis query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureActiveDirectory
LumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_SigninLogs.yaml
Version1.0.0
Arm template1425aea5-a9e5-4288-886e-934b90664a91.json
Deploy To Azure
let dt_lookBack = 1d;  // Data lookback for SigninLogs
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
    SigninLogs
    | where TimeGenerated >= ago(dt_lookBack)
    | extend SL_ipEntity = IPAddress
    | extend SigninLogs_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.SL_ipEntity
| where SigninLogs_TimeGenerated < ValidUntil
| summarize arg_max(SigninLogs_TimeGenerated, *), StartTime = min(SigninLogs_TimeGenerated), EndTime = max(SigninLogs_TimeGenerated) by Id, SL_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SL_ipEntity, Type

requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
relevantTechniques:
- T1071
triggerOperator: gt
version: 1.0.0
queryFrequency: 4h
severity: Medium
suppressionEnabled: true
triggerThreshold: 0
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: SL_ipEntity
    identifier: Address
  entityType: IP
name: Lumen TI IPAddress in SigninLogs
query: |
  let dt_lookBack = 1d;  // Data lookback for SigninLogs
  let ioc_lookBack = 14d; // TI lookback
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  | join kind=innerunique (
      SigninLogs
      | where TimeGenerated >= ago(dt_lookBack)
      | extend SL_ipEntity = IPAddress
      | extend SigninLogs_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.SL_ipEntity
  | where SigninLogs_TimeGenerated < ValidUntil
  | summarize arg_max(SigninLogs_TimeGenerated, *), StartTime = min(SigninLogs_TimeGenerated), EndTime = max(SigninLogs_TimeGenerated) by Id, SL_ipEntity
  | project timestamp = EndTime, StartTime, EndTime, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SL_ipEntity, Type  
tactics:
- CommandAndControl
queryPeriod: 14d
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
kind: Scheduled
id: 1425aea5-a9e5-4288-886e-934b90664a91
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_SigninLogs.yaml
displayName: Lumen TI IPAddress in SigninLogs