Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map URL entity to Cloud App Events

TI map URL entity to Cloud App Events

Back
Id526df43b-f514-477c-af7a-c8d3586457fb
RulenameTI map URL entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s URL entity from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
Version1.0.6
Arm template526df43b-f514-477c-af7a-c8d3586457fb.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelIndicators
//extract key part of kv pair
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "url"
| extend Url = ObservableValue
| extend IndicatorId = tostring(split(Id, "--")[2])
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| join kind=innerunique (CloudAppEvents
| where TimeGenerated >= ago(dt_lookBack)
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
| extend userPrincipalName = tostring(RawEventData.UserId)
| extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
| extend CloudApps_TimeGenerated = TimeGenerated) on Url
| where CloudApps_TimeGenerated < ValidUntil
| summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
| extend 
  Description = column_ifexists("max_CloudApps_TimeGenerated_Description", ""),
  ActivityGroupNames = column_ifexists("max_CloudApps_TimeGenerated_ActivityGroupNames", ""),
  ThreatType = column_ifexists("max_CloudApps_TimeGenerated_ThreatType", ""),
  ExpirationDateTime = column_ifexists("max_CloudApps_TimeGenerated_ExpirationDateTime", ""),
  ConfidenceScore = column_ifexists("max_CloudApps_TimeGenerated_ConfidenceScore", ""),
  IPAddress = column_ifexists("max_CloudApps_TimeGenerated_IPAddress", ""),
  AccountObjectId = column_ifexists("max_CloudApps_TimeGenerated_AccountObjectId", ""),
  AccountDisplayName = column_ifexists("max_CloudApps_TimeGenerated_AccountDisplayName", ""),
  ObjectName = column_ifexists("max_CloudApps_TimeGenerated_ObjectName", ""),
  Application = column_ifexists("max_CloudApps_TimeGenerated_Application", ""),
  ApplicationID = column_ifexists("max_CloudApps_TimeGenerated_ApplicationId", ""),
  userPrincipalName = column_ifexists("max_CloudApps_TimeGenerated_userPrincipalName", "")
| project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID

queryPeriod: 14d
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelIndicators
  //extract key part of kv pair
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType == "url"
  | extend Url = ObservableValue
  | extend IndicatorId = tostring(split(Id, "--")[2])
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
  | join kind=innerunique (CloudAppEvents
  | where TimeGenerated >= ago(dt_lookBack)
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
  | extend userPrincipalName = tostring(RawEventData.UserId)
  | extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
  | extend CloudApps_TimeGenerated = TimeGenerated) on Url
  | where CloudApps_TimeGenerated < ValidUntil
  | summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
  | extend 
    Description = column_ifexists("max_CloudApps_TimeGenerated_Description", ""),
    ActivityGroupNames = column_ifexists("max_CloudApps_TimeGenerated_ActivityGroupNames", ""),
    ThreatType = column_ifexists("max_CloudApps_TimeGenerated_ThreatType", ""),
    ExpirationDateTime = column_ifexists("max_CloudApps_TimeGenerated_ExpirationDateTime", ""),
    ConfidenceScore = column_ifexists("max_CloudApps_TimeGenerated_ConfidenceScore", ""),
    IPAddress = column_ifexists("max_CloudApps_TimeGenerated_IPAddress", ""),
    AccountObjectId = column_ifexists("max_CloudApps_TimeGenerated_AccountObjectId", ""),
    AccountDisplayName = column_ifexists("max_CloudApps_TimeGenerated_AccountDisplayName", ""),
    ObjectName = column_ifexists("max_CloudApps_TimeGenerated_ObjectName", ""),
    Application = column_ifexists("max_CloudApps_TimeGenerated_Application", ""),
    ApplicationID = column_ifexists("max_CloudApps_TimeGenerated_ApplicationId", ""),
    userPrincipalName = column_ifexists("max_CloudApps_TimeGenerated_userPrincipalName", "")
  | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID  
name: TI map URL entity to Cloud App Events
entityMappings:
- fieldMappings:
  - columnName: AccountObjectId
    identifier: ObjectGuid
  - columnName: userPrincipalName
    identifier: FullName
  - columnName: AccountDisplayName
    identifier: DisplayName
  entityType: Account
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Application
    identifier: Name
  - columnName: ApplicationID
    identifier: AppId
  entityType: CloudApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_CloudAppEvents_Updated.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
description: |
    'Identifies compromises and attacks and detect malicious activities in one's URL entity from TI'
kind: Scheduled
version: 1.0.6
queryFrequency: 1h
severity: Medium
relevantTechniques:
- T1071
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
id: 526df43b-f514-477c-af7a-c8d3586457fb