Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Infoblox - TI - Syslog Match Found - URL

Back
Id28ee3c2b-eb4b-44de-a71e-e462843fea72
RulenameInfoblox - TI - Syslog Match Found - URL
DescriptionSyslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
SeverityMedium
TacticsImpact
TechniquesT1498
T1565
Required data connectorsCefAma
Syslog
ThreatIntelligence
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
Version1.0.3
Arm template28ee3c2b-eb4b-44de-a71e-e462843fea72.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description has_cs "Infoblox - URL"
| where isnotempty(DomainName)
;
let Data = Syslog
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
//Extract URL patterns from syslog message
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
| where isnotempty(Url)
;
TI | join kind=innerunique Data on $left.DomainName == $right.Url
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: Computer
  entityType: Host
- fieldMappings:
  - identifier: DomainName
    columnName: Url
  entityType: DNS
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
name: Infoblox - TI - Syslog Match Found - URL
relevantTechniques:
- T1498
- T1565
triggerOperator: gt
tactics:
- Impact
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description has_cs "Infoblox - URL"
  | where isnotempty(DomainName)
  ;
  let Data = Syslog
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  //Extract URL patterns from syslog message
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
  | where isnotempty(Url)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.Url
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
triggerThreshold: 0
status: Available
description: |
    'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
queryPeriod: 14d
id: 28ee3c2b-eb4b-44de-a71e-e462843fea72
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.3
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
      "properties": {
        "alertRuleTemplateName": "28ee3c2b-eb4b-44de-a71e-e462843fea72",
        "customDetails": null,
        "description": "'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'\n",
        "displayName": "Infoblox - TI - Syslog Match Found - URL",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()  \n| where Description has_cs \"Infoblox - URL\"\n| where isnotempty(DomainName)\n;\nlet Data = Syslog\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n//Extract URL patterns from syslog message\n| extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n| where isnotempty(Url)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.Url\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498",
          "T1565"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}