Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI IPAddress in WindowsEvents

Lumen TI IPAddress in WindowsEvents

Back
Id4776281c-6c49-46ac-8444-4dd8ba2f4565
RulenameLumen TI IPAddress in WindowsEvents
DescriptionThis query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in WindowsEvents.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsLumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
WindowsForwardedEvents
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_WindowsEvents.yaml
Version1.0.0
Arm template4776281c-6c49-46ac-8444-4dd8ba2f4565.json
Deploy To Azure
let dt_lookBack = 1d;  // Data lookback for WindowsEvents
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
    WindowsEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | extend WE_ipEntity = tostring(EventData.IpAddress)
    | extend WindowsEvent_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.WE_ipEntity
| where WindowsEvent_TimeGenerated < ValidUntil
| summarize arg_max(WindowsEvent_TimeGenerated, *), StartTime = min(WindowsEvent_TimeGenerated), EndTime = max(WindowsEvent_TimeGenerated) by Id, WE_ipEntity
| project timestamp = EndTime, StartTime, EndTime, Computer, EventID, Channel, Id, Tags, ValidUntil, Confidence, TI_ipEntity, WE_ipEntity, Type

requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - WindowsEvents
  connectorId: WindowsForwardedEvents
severity: Medium
kind: Scheduled
name: Lumen TI IPAddress in WindowsEvents
id: 4776281c-6c49-46ac-8444-4dd8ba2f4565
query: |
  let dt_lookBack = 1d;  // Data lookback for WindowsEvents
  let ioc_lookBack = 14d; // TI lookback
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  | join kind=innerunique (
      WindowsEvent
      | where TimeGenerated >= ago(dt_lookBack)
      | extend WE_ipEntity = tostring(EventData.IpAddress)
      | extend WindowsEvent_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.WE_ipEntity
  | where WindowsEvent_TimeGenerated < ValidUntil
  | summarize arg_max(WindowsEvent_TimeGenerated, *), StartTime = min(WindowsEvent_TimeGenerated), EndTime = max(WindowsEvent_TimeGenerated) by Id, WE_ipEntity
  | project timestamp = EndTime, StartTime, EndTime, Computer, EventID, Channel, Id, Tags, ValidUntil, Confidence, TI_ipEntity, WE_ipEntity, Type  
queryPeriod: 14d
displayName: Lumen TI IPAddress in WindowsEvents
relevantTechniques:
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_WindowsEvents.yaml
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in WindowsEvents.
version: 1.0.0
suppressionEnabled: true
entityMappings:
- fieldMappings:
  - columnName: WE_ipEntity
    identifier: Address
  entityType: IP
queryFrequency: 4h
triggerOperator: gt
tactics:
- CommandAndControl
triggerThreshold: 0
suppressionDuration: 5h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4776281c-6c49-46ac-8444-4dd8ba2f4565')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4776281c-6c49-46ac-8444-4dd8ba2f4565')]",
      "properties": {
        "alertRuleTemplateName": "4776281c-6c49-46ac-8444-4dd8ba2f4565",
        "customDetails": null,
        "description": "This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in WindowsEvents.\n",
        "displayName": "Lumen TI IPAddress in WindowsEvents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "WE_ipEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_WindowsEvents.yaml",
        "query": "let dt_lookBack = 1d;  // Data lookback for WindowsEvents\nlet ioc_lookBack = 14d; // TI lookback\nlet IP_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'ipv4-addr:value'\n  | extend TI_ipEntity = ObservableValue\n  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';\nIP_Indicators\n| join kind=innerunique (\n    WindowsEvent\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend WE_ipEntity = tostring(EventData.IpAddress)\n    | extend WindowsEvent_TimeGenerated = TimeGenerated\n  ) on $left.TI_ipEntity == $right.WE_ipEntity\n| where WindowsEvent_TimeGenerated < ValidUntil\n| summarize arg_max(WindowsEvent_TimeGenerated, *), StartTime = min(WindowsEvent_TimeGenerated), EndTime = max(WindowsEvent_TimeGenerated) by Id, WE_ipEntity\n| project timestamp = EndTime, StartTime, EndTime, Computer, EventID, Channel, Id, Tags, ValidUntil, Confidence, TI_ipEntity, WE_ipEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}