Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GSA - TI URL Entity

GSA - TI URL Entity

Back
Id347c6cb3-33d2-4753-b7f6-eab946a8cd51
RulenameGSA - TI URL Entity
DescriptionThis query identifies URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml
Version1.0.1
Arm template347c6cb3-33d2-4753-b7f6-eab946a8cd51.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let GSANetworkAccessTraffic_ = NetworkAccessTraffic
| where TimeGenerated >= ago(dt_lookBack)
| where TrafficType  == "internet"
| extend DestinationUrlToLower = tolower(DestinationUrl)
| project-rename GSANetworkAccessTraffic_TimeGenerated = TimeGenerated;
let GSANetworkAccessTrafficUrls =
    GSANetworkAccessTraffic_
    | where isnotempty(DestinationUrl)
    | extend Url = tolower(DestinationUrl)
    | distinct Url;
ThreatIntelIndicators
  | extend IndicatorType = replace(@'[\[\]"]', "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType == "url"
  | extend Url = ObservableValue
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  | where TimeGenerated >= ago(ioc_lookBack)
  | extend Url = tolower(Url)
  | where Url in (GSANetworkAccessTrafficUrls)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
  | extend Description = tostring(parse_json(Data).description)
  | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
  | project-reorder *, Tags, TrafficLightProtocolLevel, Url, Type
  | join kind=innerunique (GSANetworkAccessTraffic_) on $left.Url == $right.DestinationUrlToLower
  | where isempty(ValidUntil) or GSANetworkAccessTraffic_TimeGenerated < ValidUntil
  | extend GSAThreatType = ThreatType
| summarize GSANetworkAccessTraffic_TimeGenerated = arg_max(GSANetworkAccessTraffic_TimeGenerated, *) by Id, DestinationUrl
| project-reorder *,
    Tags,
    Confidence,
    TrafficLightProtocolLevel,
    Type,
    UserPrincipalName,
    UserId,
    DeviceId,
    InitiatingProcessName,
    GSAThreatType,
    DestinationIp,
    DestinationFqdn,
    DestinationUrl,
    DestinationPort,
    SourceIp,
    SourcePort,
    HttpUserAgent

entityMappings:
- fieldMappings:
  - columnName: UserPrincipalName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationUrl
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: InitiatingProcessName
    identifier: CommandLine
  entityType: Process
triggerOperator: gt
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/GSA - TI URL Entity.yaml
version: 1.0.1
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let GSANetworkAccessTraffic_ = NetworkAccessTraffic
  | where TimeGenerated >= ago(dt_lookBack)
  | where TrafficType  == "internet"
  | extend DestinationUrlToLower = tolower(DestinationUrl)
  | project-rename GSANetworkAccessTraffic_TimeGenerated = TimeGenerated;
  let GSANetworkAccessTrafficUrls =
      GSANetworkAccessTraffic_
      | where isnotempty(DestinationUrl)
      | extend Url = tolower(DestinationUrl)
      | distinct Url;
  ThreatIntelIndicators
    | extend IndicatorType = replace(@'[\[\]"]', "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "url"
    | extend Url = ObservableValue
    | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    | where TimeGenerated >= ago(ioc_lookBack)
    | extend Url = tolower(Url)
    | where Url in (GSANetworkAccessTrafficUrls)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
    | extend Description = tostring(parse_json(Data).description)
    | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
    | project-reorder *, Tags, TrafficLightProtocolLevel, Url, Type
    | join kind=innerunique (GSANetworkAccessTraffic_) on $left.Url == $right.DestinationUrlToLower
    | where isempty(ValidUntil) or GSANetworkAccessTraffic_TimeGenerated < ValidUntil
    | extend GSAThreatType = ThreatType
  | summarize GSANetworkAccessTraffic_TimeGenerated = arg_max(GSANetworkAccessTraffic_TimeGenerated, *) by Id, DestinationUrl
  | project-reorder *,
      Tags,
      Confidence,
      TrafficLightProtocolLevel,
      Type,
      UserPrincipalName,
      UserId,
      DeviceId,
      InitiatingProcessName,
      GSAThreatType,
      DestinationIp,
      DestinationFqdn,
      DestinationUrl,
      DestinationPort,
      SourceIp,
      SourcePort,
      HttpUserAgent  
triggerThreshold: 0
relevantTechniques:
- T1071
queryPeriod: 14d
status: Available
severity: Medium
kind: Scheduled
name: GSA - TI URL Entity
queryFrequency: 1h
id: 347c6cb3-33d2-4753-b7f6-eab946a8cd51
description: |
    This query identifies URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
requiredDataConnectors:
- dataTypes:
  - NetworkAccessTrafficLogs
  connectorId: AzureActiveDirectory