Infoblox - TI - Syslog Match Found - URL

Back


Id	28ee3c2b-eb4b-44de-a71e-e462843fea72
Rulename	Infoblox - TI - Syslog Match Found - URL
Description	Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
Severity	Medium
Tactics	Impact
Techniques	T1498 T1565
Required data connectors	CefAma Syslog ThreatIntelligence
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
Version	1.0.3
Arm template	28ee3c2b-eb4b-44de-a71e-e462843fea72.json

KQL

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description has_cs "Infoblox - URL"
| where isnotempty(DomainName)
;
let Data = Syslog
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
//Extract URL patterns from syslog message
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
| where isnotempty(Url)
;
TI | join kind=innerunique Data on $left.DomainName == $right.Url
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags

YAML

kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: Computer
  entityType: Host
- fieldMappings:
  - identifier: DomainName
    columnName: Url
  entityType: DNS
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
name: Infoblox - TI - Syslog Match Found - URL
relevantTechniques:
- T1498
- T1565
triggerOperator: gt
tactics:
- Impact
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description has_cs "Infoblox - URL"
  | where isnotempty(DomainName)
  ;
  let Data = Syslog
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  //Extract URL patterns from syslog message
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
  | where isnotempty(Url)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.Url
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
triggerThreshold: 0
status: Available
description: |
    'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
queryPeriod: 14d
id: 28ee3c2b-eb4b-44de-a71e-e462843fea72
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.3

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "properties": {
        "alertRuleTemplateName": "28ee3c2b-eb4b-44de-a71e-e462843fea72",
        "customDetails": null,
        "description": "'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'\n",
        "displayName": "Infoblox - TI - Syslog Match Found - URL",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()  \n| where Description has_cs \"Infoblox - URL\"\n| where isnotempty(DomainName)\n;\nlet Data = Syslog\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n//Extract URL patterns from syslog message\n| extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n| where isnotempty(Url)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.Url\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498",
          "T1565"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}