Microsoft Sentinel Analytic Rules

Lumen TI IPAddress in WindowsEvents

Id: 4776281c-6c49-46ac-8444-4dd8ba2f4565
Rulename: Lumen TI IPAddress in WindowsEvents
Description: This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in WindowsEvents.
Severity: Medium
Tactics: CommandAndControl
Techniques: T1071
Required data connectors: LumenThreatFeedConnector, ThreatIntelligenceUploadIndicatorsAPI, WindowsForwardedEvents
Kind: Scheduled
Query frequency: 4h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_WindowsEvents.yaml
Version: 1.0.0
Arm template: 4776281c-6c49-46ac-8444-4dd8ba2f4565.json
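// Matches active Lumen IPv4 threat-intelligence indicators against the
// IpAddress field of WindowsEvent records and returns one row per
// indicator Id / event IP pair.
let dt_lookBack = 1d;   // Event lookback; longer than the run interval, so a match can re-fire on later runs until it ages out
let ioc_lookBack = 14d; // TI lookback; keep it no longer than the rule's query period
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  // Reduce to the newest record per indicator BEFORE checking its state.
  // Filtering on IsActive / ValidUntil first would let an indicator that was
  // later deactivated or shortened still match through an older, active row.
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  // NOTE(review): indicators with an empty ValidUntil are excluded here and by
  // the event-time check below - confirm the feed always sets ValidUntil.
  | where IsActive == true and ValidUntil > now()
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  // Keep only routable addresses: private, link-local, unspecified and loopback
  // values would match internal traffic. ipv4_is_private() yields null for
  // unparsable values, which this comparison also drops.
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
// innerunique de-duplicates the left side on the join key, so when several
// indicators share one IP only one of them is reported.
| join kind=innerunique (
    WindowsEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | extend WE_ipEntity = tostring(EventData.IpAddress)
    // Events without an IpAddress value cannot match; drop them before the join.
    // NOTE(review): the comparison is an exact string match, so a differently
    // formatted address (for example an IPv4-mapped IPv6 form) would not match - verify against your data.
    | where isnotempty(WE_ipEntity)
    | extend WindowsEvent_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.WE_ipEntity
// Only count events that occurred while the indicator was still valid.
| where WindowsEvent_TimeGenerated < ValidUntil
| summarize arg_max(WindowsEvent_TimeGenerated, *), StartTime = min(WindowsEvent_TimeGenerated), EndTime = max(WindowsEvent_TimeGenerated) by Id, WE_ipEntity
// Type comes from the indicator (left) side of the join; the event-side column is renamed by the join.
| project timestamp = EndTime, StartTime, EndTime, Computer, EventID, Channel, Id, Tags, ValidUntil, Confidence, TI_ipEntity, WE_ipEntity, Type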
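# Scheduled analytic rule: alerts when an active Lumen IPv4 indicator matches
# the IpAddress field of a WindowsEvent record.
#
# suppressionDuration (5h) is longer than queryFrequency (4h), so after an alert
# fires the next scheduled run is skipped. The 1d event lookback in the query
# still covers events that arrive during that window.
suppressionEnabled: true
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in WindowsEvents.
displayName: Lumen TI IPAddress in WindowsEvents
tactics:
- CommandAndControl
# NOTE(review): the dataTypes below name ThreatIntelligenceIndicator and
# WindowsEvents, while the query reads the ThreatIntelIndicators and
# WindowsEvent tables - confirm these match the connector definitions.
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_WindowsEvents.yaml
severity: Medium
name: Lumen TI IPAddress in WindowsEvents
suppressionDuration: 5h
# Any result row raises an alert (row count greater than 0).
triggerThreshold: 0
# Must cover ioc_lookBack (14d) used inside the query.
queryPeriod: 14d
query: |
  // Matches active Lumen IPv4 threat-intelligence indicators against the
  // IpAddress field of WindowsEvent records and returns one row per
  // indicator Id / event IP pair.
  let dt_lookBack = 1d;   // Event lookback; longer than queryFrequency, so a match can re-fire on later runs until it ages out
  let ioc_lookBack = 14d; // TI lookback; keep it no longer than queryPeriod
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    // Reduce to the newest record per indicator BEFORE checking its state.
    // Filtering on IsActive / ValidUntil first would let an indicator that was
    // later deactivated or shortened still match through an older, active row.
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    // NOTE(review): indicators with an empty ValidUntil are excluded here and by
    // the event-time check below - confirm the feed always sets ValidUntil.
    | where IsActive == true and ValidUntil > now()
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    // Keep only routable addresses: private, link-local, unspecified and loopback
    // values would match internal traffic. ipv4_is_private() yields null for
    // unparsable values, which this comparison also drops.
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  // innerunique de-duplicates the left side on the join key, so when several
  // indicators share one IP only one of them is reported.
  | join kind=innerunique (
      WindowsEvent
      | where TimeGenerated >= ago(dt_lookBack)
      | extend WE_ipEntity = tostring(EventData.IpAddress)
      // Events without an IpAddress value cannot match; drop them before the join.
      // NOTE(review): the comparison is an exact string match, so a differently
      // formatted address (for example an IPv4-mapped IPv6 form) would not match - verify against your data.
      | where isnotempty(WE_ipEntity)
      | extend WindowsEvent_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.WE_ipEntity
  // Only count events that occurred while the indicator was still valid.
  | where WindowsEvent_TimeGenerated < ValidUntil
  | summarize arg_max(WindowsEvent_TimeGenerated, *), StartTime = min(WindowsEvent_TimeGenerated), EndTime = max(WindowsEvent_TimeGenerated) by Id, WE_ipEntity
  // Type comes from the indicator (left) side of the join; the event-side column is renamed by the join.
  | project timestamp = EndTime, StartTime, EndTime, Computer, EventID, Channel, Id, Tags, ValidUntil, Confidence, TI_ipEntity, WE_ipEntity, Type
relevantTechniques:
- T1071
id: 4776281c-6c49-46ac-8444-4dd8ba2f4565
queryFrequency: 4h
# Only the event-side IP is mapped as an entity.
# NOTE(review): Computer is projected by the query but not mapped; consider a
# Host mapping so the affected machine appears on the incident.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: WE_ipEntity
    identifier: Address
triggerOperator: gt
# NOTE(review): increment when shipping a changed query.
version: 1.0.0
kind: Scheduled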