Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI Map URL Entity to OfficeActivity Data [Deprecated]

Back
Id36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
RulenameTI Map URL Entity to OfficeActivity Data [Deprecated]
DescriptionThis query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.
SeverityMedium
TacticsImpact
Required data connectorsMicrosoftDefenderThreatIntelligence
Office365
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
Version1.2.6
Arm template36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b.json
Deploy To Azure
let dt_lookBack = 1h;
// let ioc_lookBack = 14d;
// ThreatIntelligenceIndicator
// // Picking up only IOC's that contain the entities we want
// | where isnotempty(Url)
// | where TimeGenerated >= ago(ioc_lookBack)
// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// | where Active == true and ExpirationDateTime > now()
// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
// | join kind=innerunique (
// OfficeActivity
// | where TimeGenerated >= ago(dt_lookBack)
// //Extract the Url from a number of potential fields
// | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
// | where isnotempty(Url)
// // Ensure we get a clean URL
// | extend Url = tostring(split(Url, ';')[0])
// | extend OfficeActivity_TimeGenerated = TimeGenerated
// // Project a single user identity that we can use for entity mapping
// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
// ) on Url
// | where OfficeActivity_TimeGenerated < ExpirationDateTime
// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
// UserType, OfficeWorkload, Parameters, Url, User
// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
datatable() []
name: TI Map URL Entity to OfficeActivity Data [Deprecated]
triggerOperator: gt
query: |
  let dt_lookBack = 1h;
  // let ioc_lookBack = 14d;
  // ThreatIntelligenceIndicator
  // // Picking up only IOC's that contain the entities we want
  // | where isnotempty(Url)
  // | where TimeGenerated >= ago(ioc_lookBack)
  // | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  // | where Active == true and ExpirationDateTime > now()
  // // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  // | join kind=innerunique (
  // OfficeActivity
  // | where TimeGenerated >= ago(dt_lookBack)
  // //Extract the Url from a number of potential fields
  // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
  // | where isnotempty(Url)
  // // Ensure we get a clean URL
  // | extend Url = tostring(split(Url, ';')[0])
  // | extend OfficeActivity_TimeGenerated = TimeGenerated
  // // Project a single user identity that we can use for entity mapping
  // | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
  // ) on Url
  // | where OfficeActivity_TimeGenerated < ExpirationDateTime
  // | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
  // | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,
  // UserType, OfficeWorkload, Parameters, Url, User
  // | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])
  datatable() []  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml
description: |
    'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'
triggerThreshold: 0
id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
kind: Scheduled
severity: Medium
version: 1.2.6
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
queryFrequency: 1h
queryPeriod: 14d
requiredDataConnectors:
- dataTypes:
  - OfficeActivity
  connectorId: Office365
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
tactics:
- Impact
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]",
      "properties": {
        "alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b",
        "customDetails": null,
        "description": "'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.'\n",
        "displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml",
        "query": "let dt_lookBack = 1h;\n// let ioc_lookBack = 14d;\n// ThreatIntelligenceIndicator\n// // Picking up only IOC's that contain the entities we want\n// | where isnotempty(Url)\n// | where TimeGenerated >= ago(ioc_lookBack)\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n// | where Active == true and ExpirationDateTime > now()\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n// | join kind=innerunique (\n// OfficeActivity\n// | where TimeGenerated >= ago(dt_lookBack)\n// //Extract the Url from a number of potential fields\n// | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n// | where isnotempty(Url)\n// // Ensure we get a clean URL\n// | extend Url = tostring(split(Url, ';')[0])\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\n// // Project a single user identity that we can use for entity mapping\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n// ) on Url\n// | where OfficeActivity_TimeGenerated < ExpirationDateTime\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\n// UserType, OfficeWorkload, Parameters, Url, User\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\ndatatable() []\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "templateVersion": "1.2.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}