Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map IP entity to AppServiceHTTPLogs

TI map IP entity to AppServiceHTTPLogs

Back
Id206277b1-9a2c-4c62-9ee8-a4c888810d3c
RulenameTI map IP entity to AppServiceHTTPLogs
DescriptionIdentifies a match in AppServiceHTTPLogs from any IP IOC from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
Version1.5.7
Arm template206277b1-9a2c-4c62-9ee8-a4c888810d3c.json
Deploy To Azure
let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
  //extract key part of kv pair
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
  | extend NetworkSourceIP = ObservableValue
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  // Filter out indicators without relevant IP address fields
  | where TimeGenerated >= ago(ioc_lookBack)
  | where TimeGenerated >= ago(ioc_lookBack)
  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
  | where Confidence > 50
  // Select the IP entity based on availability of different IP fields
  | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
  // Determine AlertPriority based on ConfidenceScore
  | extend AlertPriority = case(Confidence > 82, "High",
                                Confidence > 74, "Medium",
                                "Low")
  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
  // Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity
IP_Indicators
| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity, AlertPriority
  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
  | join kind=innerunique (
    AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(CIp)
    | extend WebApp = split(_ResourceId, '/')[8]
    | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity
  )
  on $left.TI_ipEntity == $right.CIp
  // Filter out logs that occurred after the expiration of the corresponding indicator
  | where AppService_TimeGenerated < ValidUntil
  // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp
  | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by Id, CIp
  // Select the desired output fields
  | extend Description = tostring(parse_json(Data).description)
  | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project AppService_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkSourceIP, _ResourceId, Type, Url, AlertPriority
  // Extract hostname and DNS domain from the CsHost field
  | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))
  // Rename the timestamp field
  | extend timestamp = AppService_TimeGenerated

tactics:
- CommandAndControl
query: |
  let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
    //extract key part of kv pair
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
    | extend NetworkSourceIP = ObservableValue
    | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    // Filter out indicators without relevant IP address fields
    | where TimeGenerated >= ago(ioc_lookBack)
    | where TimeGenerated >= ago(ioc_lookBack)
    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
    | where Confidence > 50
    // Select the IP entity based on availability of different IP fields
    | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
    // Determine AlertPriority based on ConfidenceScore
    | extend AlertPriority = case(Confidence > 82, "High",
                                  Confidence > 74, "Medium",
                                  "Low")
    // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
    // Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity
  IP_Indicators
  | project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity, AlertPriority
    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
    | join kind=innerunique (
      AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)
      | where isnotempty(CIp)
      | extend WebApp = split(_ResourceId, '/')[8]
      | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity
    )
    on $left.TI_ipEntity == $right.CIp
    // Filter out logs that occurred after the expiration of the corresponding indicator
    | where AppService_TimeGenerated < ValidUntil
    // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp
    | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by Id, CIp
    // Select the desired output fields
    | extend Description = tostring(parse_json(Data).description)
    | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project AppService_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkSourceIP, _ResourceId, Type, Url, AlertPriority
    // Extract hostname and DNS domain from the CsHost field
    | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))
    // Rename the timestamp field
    | extend timestamp = AppService_TimeGenerated  
requiredDataConnectors:
- dataTypes:
  - ThreatIntelIndicators
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelIndicators
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ThreatIntelIndicators
  connectorId: MicrosoftDefenderThreatIntelligence
name: TI map IP entity to AppServiceHTTPLogs
alertDetailsOverride:
  alertSeverityColumnName: AlertPriority
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
triggerThreshold: 0
description: |
    Identifies a match in AppServiceHTTPLogs from any IP IOC from TI
version: 1.5.7
kind: Scheduled
queryFrequency: 1h
severity: Medium
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: CsUsername
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CIp
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
triggerOperator: gt
id: 206277b1-9a2c-4c62-9ee8-a4c888810d3c
relevantTechniques:
- T1071