RecordedFuture Threat Hunting Url All Actors

Back


Id	3f6f0d1a-f2f9-4e01-881a-c55a4a71905b
Rulename	RecordedFuture Threat Hunting Url All Actors
Description	Recorded Future Threat Hunting Url correlation for all actors.
Severity	Medium
Tactics	Persistence PrivilegeEscalation DefenseEvasion
Techniques	T1098 T1078
Required data connectors	ThreatIntelligenceUploadIndicatorsAPI
Kind	Scheduled
Query frequency	15m
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
Version	1.0.4
Arm template	3f6f0d1a-f2f9-4e01-881a-c55a4a71905b.json

KQL

let ioc_lookBack = 1d;
// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.
// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns  
imWebSession
| where isnotempty(Url)
| extend lowerUrl=tolower(Url)
| join kind=inner (
ThreatIntelligenceIndicator
// Only look for IOCs
| where isnotempty(Url)
// Only look at Recorded Future Threat Hunt Indicators.
| where Description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators  
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| extend lowerUrl=tolower(Url)
) on lowerUrl
// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink

YAML

name: RecordedFuture Threat Hunting Url All Actors
relevantTechniques:
- T1098
- T1078
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: 1h
    enabled: true
    reopenClosedIncident: false
  createIncident: true
customDetails:
  ActorInformation: RecordedFuturePortalLink
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
query: |
  let ioc_lookBack = 1d;
  // The source table (imWebSession) can be replaced by any infrastructure table containing Url data.
  // The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns  
  imWebSession
  | where isnotempty(Url)
  | extend lowerUrl=tolower(Url)
  | join kind=inner (
  ThreatIntelligenceIndicator
  // Only look for IOCs
  | where isnotempty(Url)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators  
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | extend lowerUrl=tolower(Url)
  ) on lowerUrl
  // select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
  | project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink  
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
description: |
    'Recorded Future Threat Hunting Url correlation for all actors.'
entityMappings:
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
queryFrequency: 15m
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
  alertDescriptionFormat: '*{{Description}}**\n\nCorrelation found on {{Url}} from the {{Type}} table.\n'
  alertDisplayNameFormat: '{{Description}}'
triggerOperator: gt
version: 1.0.4
queryPeriod: 1d
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",
          "alertDisplayNameFormat": "{{Description}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "RecordedFuturePortalLink"
            }
          ]
        },
        "alertRuleTemplateName": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b",
        "customDetails": {
          "ActorInformation": "RecordedFuturePortalLink"
        },
        "description": "'Recorded Future Threat Hunting Url correlation for all actors.'\n",
        "displayName": "RecordedFuture Threat Hunting Url All Actors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml",
        "query": "let ioc_lookBack = 1d;\n// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns  \nimWebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(Url)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators  \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerUrl=tolower(Url)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}