Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Preview - TI map IP entity to Cloud App Events

Back
Id4e0a6fc8-697e-4455-be47-831b41ea91ac
RulenamePreview - TI map IP entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s IP entity from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml
Version1.0.3
Arm template4e0a6fc8-697e-4455-be47-831b41ea91ac.json
Deploy To Azure
let dt_lookBack = 1d;
let ioc_lookBack = 14d; 
let IP_Indicators = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | where isnotempty(NetworkIP)
or isnotempty(EmailSourceIpAddress)
or isnotempty(NetworkDestinationIP)
or isnotempty(NetworkSourceIP)
  | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
  | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);
IP_Indicators
  | join kind=innerunique (
  CloudAppEvents
    | where isnotempty(IPAddress)
    | where TimeGenerated >= ago(dt_lookBack)
    | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress
    | where CloudAppEvents_TimeGenerated < ExpirationDateTime
    | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress
    | extend
        Description = max_CloudAppEvents_TimeGenerated_Description,
        ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,
        ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,
        ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,
        ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,
        TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,
        NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,
        NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,
        EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress
    | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress
queryPeriod: 14d
tactics:
- CommandAndControl
kind: Scheduled
triggerThreshold: 0
query: |
  let dt_lookBack = 1d;
  let ioc_lookBack = 14d; 
  let IP_Indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
  or isnotempty(EmailSourceIpAddress)
  or isnotempty(NetworkDestinationIP)
  or isnotempty(NetworkSourceIP)
    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);
  IP_Indicators
    | join kind=innerunique (
    CloudAppEvents
      | where isnotempty(IPAddress)
      | where TimeGenerated >= ago(dt_lookBack)
      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress
      | where CloudAppEvents_TimeGenerated < ExpirationDateTime
      | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress
      | extend
          Description = max_CloudAppEvents_TimeGenerated_Description,
          ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,
          ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,
          ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,
          ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,
          TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,
          NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,
          NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,
          EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress
      | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress  
severity: Medium
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: TI_ipEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: NetworkDestinationIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: NetworkSourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: EmailSourceIPAddress
id: 4e0a6fc8-697e-4455-be47-831b41ea91ac
version: 1.0.3
description: |
    'Identifies compromises and attacks and detect malicious activities in one's IP entity from TI'
triggerOperator: gt
queryFrequency: 1h
name: Preview - TI map IP entity to Cloud App Events
relevantTechniques:
- T1071
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e0a6fc8-697e-4455-be47-831b41ea91ac')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e0a6fc8-697e-4455-be47-831b41ea91ac')]",
      "properties": {
        "alertRuleTemplateName": "4e0a6fc8-697e-4455-be47-831b41ea91ac",
        "customDetails": null,
        "description": "'Identifies compromises and attacks and detect malicious activities in one's IP entity from TI'\n",
        "displayName": "Preview - TI map IP entity to Cloud App Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "TI_ipEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkDestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkSourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "EmailSourceIPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml",
        "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n  | where Active == true and ExpirationDateTime > now()\n  | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n  | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n  | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n  | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n  | join kind=innerunique (\n  CloudAppEvents\n    | where isnotempty(IPAddress)\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n    | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n    | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n    | extend\n        Description = max_CloudAppEvents_TimeGenerated_Description,\n        ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n        ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n        ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n        ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n        TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n        NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n        NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n        EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n    | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}