RecordedFuture Threat Hunting Url All Actors

let ioc_lookBack = 1d;
// The source table (_Im_WebSession) is a ASIM parser table, but can be replaced by any infrastructure table containing Url data.
// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns
_Im_WebSession
| where isnotempty(Url)
| extend lowerUrl=tolower(Url)
| join kind=inner (
ThreatIntelIndicators
// Only look for IOCs
| where ObservableKey == 'url:value'
| where isnotempty(ObservableValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Data.description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now()
| extend lowerUrl=tolower(ObservableValue)
) on lowerUrl
// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.Url
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
| project Url=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink

query: |
  let ioc_lookBack = 1d;
  // The source table (_Im_WebSession) is a ASIM parser table, but can be replaced by any infrastructure table containing Url data.
  // The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns
  _Im_WebSession
  | where isnotempty(Url)
  | extend lowerUrl=tolower(Url)
  | join kind=inner (
  ThreatIntelIndicators
  // Only look for IOCs
  | where ObservableKey == 'url:value'
  | where isnotempty(ObservableValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Data.description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
  | extend lowerUrl=tolower(ObservableValue)
  ) on lowerUrl
  // select column from the source table to match with Recorded Future ThreatIntelIndicators $left.Url
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
  | project Url=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink  
name: RecordedFuture Threat Hunting Url All Actors
queryPeriod: 1d
id: 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
  alertDescriptionFormat: '*{{Description}}**\n\nCorrelation found on {{Url}} from the {{Type}} table.\n'
  alertDisplayNameFormat: '{{Description}}'
requiredDataConnectors:
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelIndicators
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
kind: Scheduled
queryFrequency: 15m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
triggerThreshold: 0
triggerOperator: gt
relevantTechniques:
- T1098
- T1078
version: 1.1.0
description: |
    'Recorded Future Threat Hunting Url correlation for all actors.'
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingUrlAllActors.yaml
customDetails:
  ActorInformation: RecordedFuturePortalLink