Lumen TI IPAddress in SigninLogs
| Id | 1425aea5-a9e5-4288-886e-934b90664a91 |
| Rulename | Lumen TI IPAddress in SigninLogs |
| Description | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | AzureActiveDirectory LumenThreatFeedConnector ThreatIntelligenceUploadIndicatorsAPI |
| Kind | Scheduled |
| Query frequency | 4h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_SigninLogs.yaml |
| Version | 1.0.0 |
| Arm template | 1425aea5-a9e5-4288-886e-934b90664a91.json |
let dt_lookBack = 1d; // Data lookback for SigninLogs
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'ipv4-addr:value'
| extend TI_ipEntity = ObservableValue
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
SigninLogs
| where TimeGenerated >= ago(dt_lookBack)
| extend SL_ipEntity = IPAddress
| extend SigninLogs_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.SL_ipEntity
| where SigninLogs_TimeGenerated < ValidUntil
| summarize arg_max(SigninLogs_TimeGenerated, *), StartTime = min(SigninLogs_TimeGenerated), EndTime = max(SigninLogs_TimeGenerated) by Id, SL_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SL_ipEntity, Type
suppressionEnabled: true
relevantTechniques:
- T1071
entityMappings:
- fieldMappings:
- columnName: SL_ipEntity
identifier: Address
entityType: IP
suppressionDuration: 5h
description: |
This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
tactics:
- CommandAndControl
displayName: Lumen TI IPAddress in SigninLogs
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_SigninLogs.yaml
id: 1425aea5-a9e5-4288-886e-934b90664a91
queryFrequency: 4h
query: |
let dt_lookBack = 1d; // Data lookback for SigninLogs
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'ipv4-addr:value'
| extend TI_ipEntity = ObservableValue
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
SigninLogs
| where TimeGenerated >= ago(dt_lookBack)
| extend SL_ipEntity = IPAddress
| extend SigninLogs_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.SL_ipEntity
| where SigninLogs_TimeGenerated < ValidUntil
| summarize arg_max(SigninLogs_TimeGenerated, *), StartTime = min(SigninLogs_TimeGenerated), EndTime = max(SigninLogs_TimeGenerated) by Id, SL_ipEntity
| project timestamp = EndTime, StartTime, EndTime, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Id, Tags, ValidUntil, Confidence, TI_ipEntity, SL_ipEntity, Type
severity: Medium
queryPeriod: 14d
name: Lumen TI IPAddress in SigninLogs
triggerThreshold: 0
kind: Scheduled