TI Map URL Entity to OfficeActivity Data [Deprecated]
Id | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b |
Rulename | TI Map URL Entity to OfficeActivity Data [Deprecated] |
Description | This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data. |
Severity | Medium |
Tactics | CommandAndControl |
Techniques | T1071 |
Required data connectors | MicrosoftDefenderThreatIntelligence Office365 ThreatIntelligence ThreatIntelligenceTaxii |
Kind | Scheduled |
Query frequency | 1h |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml |
Version | 1.2.9 |
Arm template | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b.json |
let dt_lookBack = 1h;
// let ioc_lookBack = 14d;
// ThreatIntelligenceIndicator
// // Picking up only IOC's that contain the entities we want
// | where isnotempty(Url)
// | where TimeGenerated >= ago(ioc_lookBack)
// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// | where Active == true and ExpirationDateTime > now()
// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
// | join kind=innerunique (
// OfficeActivity
// | where TimeGenerated >= ago(dt_lookBack)
// //Extract the Url from a number of potential fields
// | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
// | where isnotempty(Url)
// // Ensure we get a clean URL
// | extend Url = tostring(split(Url, ';')[0])
// | extend OfficeActivity_TimeGenerated = TimeGenerated
// // Project a single user identity that we can use for entity mapping
// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
// ) on Url
// | where OfficeActivity_TimeGenerated < ExpirationDateTime
// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
// UserType, OfficeWorkload, Parameters, Url, User
// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
datatable() []
id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
query: |
let dt_lookBack = 1h;
// let ioc_lookBack = 14d;
// ThreatIntelligenceIndicator
// // Picking up only IOC's that contain the entities we want
// | where isnotempty(Url)
// | where TimeGenerated >= ago(ioc_lookBack)
// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// | where Active == true and ExpirationDateTime > now()
// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
// | join kind=innerunique (
// OfficeActivity
// | where TimeGenerated >= ago(dt_lookBack)
// //Extract the Url from a number of potential fields
// | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
// | where isnotempty(Url)
// // Ensure we get a clean URL
// | extend Url = tostring(split(Url, ';')[0])
// | extend OfficeActivity_TimeGenerated = TimeGenerated
// // Project a single user identity that we can use for entity mapping
// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
// ) on Url
// | where OfficeActivity_TimeGenerated < ExpirationDateTime
// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
// UserType, OfficeWorkload, Parameters, Url, User
// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
datatable() []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
description: |
'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'
name: TI Map URL Entity to OfficeActivity Data [Deprecated]
relevantTechniques:
- T1071
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: User
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
- OfficeActivity
connectorId: Office365
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligenceTaxii
queryFrequency: 1h
queryPeriod: 14d
version: 1.2.9
kind: Scheduled
tactics:
- CommandAndControl
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]",
"properties": {
"alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b",
"customDetails": null,
"description": "'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'\n",
"displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "User",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml",
"query": "let dt_lookBack = 1h;\n// let ioc_lookBack = 14d;\n// ThreatIntelligenceIndicator\n// // Picking up only IOC's that contain the entities we want\n// | where isnotempty(Url)\n// | where TimeGenerated >= ago(ioc_lookBack)\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n// | where Active == true and ExpirationDateTime > now()\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n// | join kind=innerunique (\n// OfficeActivity\n// | where TimeGenerated >= ago(dt_lookBack)\n// //Extract the Url from a number of potential fields\n// | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n// | where isnotempty(Url)\n// // Ensure we get a clean URL\n// | extend Url = tostring(split(Url, ';')[0])\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\n// // Project a single user identity that we can use for entity mapping\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n// ) on Url\n// | where OfficeActivity_TimeGenerated < ExpirationDateTime\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\n// UserType, OfficeWorkload, Parameters, Url, User\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\ndatatable() []\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071"
],
"templateVersion": "1.2.9",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}