Infoblox - TI - Syslog Match Found - URL

Back


Id	28ee3c2b-eb4b-44de-a71e-e462843fea72
Rulename	Infoblox - TI - Syslog Match Found - URL
Description	Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
Severity	Medium
Tactics	Impact
Techniques	T1498 T1565
Required data connectors	Syslog ThreatIntelligence
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
Version	1.0.0
Arm template	28ee3c2b-eb4b-44de-a71e-e462843fea72.json

KQL

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description has_cs "Infoblox - URL"
| where isnotempty(DomainName)
;
let Data = Syslog
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
//Extract URL patterns from syslog message
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
| where isnotempty(Url)
;
TI | join kind=innerunique Data on $left.DomainName == $right.Url
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags

YAML

severity: Medium
name: Infoblox - TI - Syslog Match Found - URL
incidentConfiguration:
  createIncident: true
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
id: 28ee3c2b-eb4b-44de-a71e-e462843fea72
tactics:
- Impact
queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
description: |
    'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1498
- T1565
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description has_cs "Infoblox - URL"
  | where isnotempty(DomainName)
  ;
  let Data = Syslog
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  //Extract URL patterns from syslog message
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
  | where isnotempty(Url)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.Url
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: HostName
- entityType: DNS
  fieldMappings:
  - columnName: Url
    identifier: DomainName
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
status: Available
version: 1.0.0
queryPeriod: 14d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Infoblox - TI - Syslog Match Found - URL",
        "description": "'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()  \n| where Description has_cs \"Infoblox - URL\"\n| where isnotempty(DomainName)\n;\nlet Data = Syslog\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n//Extract URL patterns from syslog message\n| extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n| where isnotempty(Url)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.Url\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498",
          "T1565"
        ],
        "alertRuleTemplateName": "28ee3c2b-eb4b-44de-a71e-e462843fea72",
        "incidentConfiguration": {
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "HostIP"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "Computer"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "DomainName",
                "columnName": "Url"
              }
            ],
            "entityType": "DNS"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "Url"
              }
            ],
            "entityType": "URL"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml"
      }
    }
  ]
}