Preview - TI map Email entity to Cloud App Events
| Id | 47b9bb10-d216-4359-8cef-08ca2c67e5be |
| Rulename | Preview - TI map Email entity to Cloud App Events |
| Description | Identifies compromises and attacks and detect malicious activities in one’s email entity from TI |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1566 |
| Required data connectors | MicrosoftDefenderThreatIntelligence MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml |
| Version | 1.0.3 |
| Arm template | 47b9bb10-d216-4359-8cef-08ca2c67e5be.json |
let dt_lookBack = 10d;
let ioc_lookBack = 30d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where isnotempty(EmailSenderAddress)
| join kind=innerunique (CloudAppEvents
| extend User_Id = tostring(RawEventData.UserId)
| where isnotempty(User_Id)
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)
| extend CloudAppEvents_TimeGenerated = TimeGenerated
| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id
| where CloudAppEvents_TimeGenerated < ExpirationDateTime
| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id
| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])
| extend timestamp = CloudAppEvents_TimeGenerated
name: Preview - TI map Email entity to Cloud App Events
query: |
let dt_lookBack = 10d;
let ioc_lookBack = 30d;
let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where isnotempty(EmailSenderAddress)
| join kind=innerunique (CloudAppEvents
| extend User_Id = tostring(RawEventData.UserId)
| where isnotempty(User_Id)
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)
| extend CloudAppEvents_TimeGenerated = TimeGenerated
| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id
| where CloudAppEvents_TimeGenerated < ExpirationDateTime
| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id
| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])
| extend timestamp = CloudAppEvents_TimeGenerated
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- CloudAppEvents
connectorId: MicrosoftThreatProtection
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: MicrosoftDefenderThreatIntelligence
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: Name
- identifier: FullName
columnName: User_Id
- identifier: UPNSuffix
columnName: UPNSuffix
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml
description: |
'Identifies compromises and attacks and detect malicious activities in one's email entity from TI'
version: 1.0.3
id: 47b9bb10-d216-4359-8cef-08ca2c67e5be
kind: Scheduled
relevantTechniques:
- T1566
severity: Medium
tactics:
- InitialAccess
queryPeriod: 14d