let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let NetworkAccessTraffic_ =
NetworkAccessTraffic
| where TimeGenerated >= ago(dt_lookBack)
| where TrafficType == "internet"
| project-rename GSANetworkAccessTraffic_TimeGenerated = TimeGenerated;
let IPList = NetworkAccessTraffic_ | summarize by DestinationIp;
ThreatIntelIndicators
| project-rename TI_ipEntity = ObservableValue
| extend IndicatorType = replace(@'\[|\]|"""', "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType in ("ipv4-addr", "network-traffic")
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| where TimeGenerated >= ago(ioc_lookBack)
| where TI_ipEntity in (IPList)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, TI_ipEntity
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| extend Description = tostring(parse_json(Data).description)
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique (NetworkAccessTraffic_) on $left.TI_ipEntity == $right.DestinationIp
| extend GSAThreatType = ThreatType
| summarize GSANetworkAccessTraffic_TimeGenerated = arg_max(GSANetworkAccessTraffic_TimeGenerated, *) by Id, DestinationIp
| project-reorder *,
Tags,
Confidence,
TrafficLightProtocolLevel,
Type,
TI_ipEntity,
UserPrincipalName,
UserId,
DeviceId,
InitiatingProcessName,
GSAThreatType,
DestinationFqdn,
DestinationUrl,
DestinationPort,
SourceIp,
SourcePort,
HttpUserAgent
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d
status: Available
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/GSA - TI IP Entity.yaml
triggerThreshold: 0
description: |
This query identifies IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
severity: Medium
relevantTechniques:
- T1071
id: 3ebd25b1-6f54-49f9-b5a5-0246357ce4ca
name: GSA - TI IP Entity
requiredDataConnectors:
- dataTypes:
- NetworkAccessTrafficLogs
connectorId: AzureActiveDirectory
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let NetworkAccessTraffic_ =
NetworkAccessTraffic
| where TimeGenerated >= ago(dt_lookBack)
| where TrafficType == "internet"
| project-rename GSANetworkAccessTraffic_TimeGenerated = TimeGenerated;
let IPList = NetworkAccessTraffic_ | summarize by DestinationIp;
ThreatIntelIndicators
| project-rename TI_ipEntity = ObservableValue
| extend IndicatorType = replace(@'\[|\]|"""', "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType in ("ipv4-addr", "network-traffic")
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| where TimeGenerated >= ago(ioc_lookBack)
| where TI_ipEntity in (IPList)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, TI_ipEntity
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| extend Description = tostring(parse_json(Data).description)
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique (NetworkAccessTraffic_) on $left.TI_ipEntity == $right.DestinationIp
| extend GSAThreatType = ThreatType
| summarize GSANetworkAccessTraffic_TimeGenerated = arg_max(GSANetworkAccessTraffic_TimeGenerated, *) by Id, DestinationIp
| project-reorder *,
Tags,
Confidence,
TrafficLightProtocolLevel,
Type,
TI_ipEntity,
UserPrincipalName,
UserId,
DeviceId,
InitiatingProcessName,
GSAThreatType,
DestinationFqdn,
DestinationUrl,
DestinationPort,
SourceIp,
SourcePort,
HttpUserAgent
entityMappings:
- fieldMappings:
- identifier: Name
columnName: UserPrincipalName
entityType: Account
- fieldMappings:
- identifier: CommandLine
columnName: InitiatingProcessName
entityType: Process
- fieldMappings:
- identifier: Address
columnName: SourceIp
entityType: IP
- fieldMappings:
- identifier: AzureID
columnName: DeviceId
entityType: Host
triggerOperator: gt
