Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI map Domain entity to Syslog

Back
Id532f62c1-fba6-4baa-bbb6-4a32a4ef32fa
RulenameTI map Domain entity to Syslog
DescriptionIdentifies a match in Syslog table from any Domain IOC from TI
SeverityMedium
TacticsImpact
Required data connectorsMicrosoftDefenderThreatIntelligence
Syslog
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml
Version1.4.1
Arm template532f62c1-fba6-4baa-bbb6-4a32a4ef32fa.json
Deploy To Azure
let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
// Create a list of top-level domains (TLDs) from the threat feed for later validation
let list_tlds = ThreatIntelligenceIndicator
  | where isnotempty(DomainName)
  | where TimeGenerated > ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | extend parts = split(DomainName, '.')
  | extend tld = parts[(array_length(parts)-1)]
  | summarize count() by tostring(tld)
  | summarize make_list(tld);
// Fetch the latest active domain indicators from the threat intelligence data within the specified time range
let Domain_Indicators = ThreatIntelligenceIndicator
  | where isnotempty(DomainName)
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | extend TI_DomainEntity = DomainName;
// Join the threat intelligence indicators with syslog data on matching domain entities
Domain_Indicators
  | join kind=innerunique (
    Syslog
    | where TimeGenerated > ago(dt_lookBack)
    // Extract domain patterns from syslog messages
    | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
    | where isnotempty(domain)
    | extend parts = split(domain, '.')
    // Split out the top-level domain (TLD)
    | extend tld = parts[(array_length(parts)-1)]
    // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
    | where tld in~ (list_tlds)
    | extend Syslog_TimeGenerated = TimeGenerated
  ) on $left.TI_DomainEntity==$right.domain
  | where Syslog_TimeGenerated < ExpirationDateTime
  // Retrieve the latest syslog timestamp for each indicator and domain combination
  | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
  // Select the desired columns for the final result set
  | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity
  // Extract the hostname from the Computer field
  | extend HostName = tostring(split(Computer, '.', 0)[0])
  // Extract the DNS domain from the Computer field
  | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
  // Assign the Syslog_TimeGenerated value to the timestamp field
  | extend timestamp = Syslog_TimeGenerated
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
queryPeriod: 14d
tactics:
- Impact
severity: Medium
triggerOperator: gt
description: |
    Identifies a match in Syslog table from any Domain IOC from TI
query: |
  let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
  let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
  // Create a list of top-level domains (TLDs) from the threat feed for later validation
  let list_tlds = ThreatIntelligenceIndicator
    | where isnotempty(DomainName)
    | where TimeGenerated > ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend parts = split(DomainName, '.')
    | extend tld = parts[(array_length(parts)-1)]
    | summarize count() by tostring(tld)
    | summarize make_list(tld);
  // Fetch the latest active domain indicators from the threat intelligence data within the specified time range
  let Domain_Indicators = ThreatIntelligenceIndicator
    | where isnotempty(DomainName)
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend TI_DomainEntity = DomainName;
  // Join the threat intelligence indicators with syslog data on matching domain entities
  Domain_Indicators
    | join kind=innerunique (
      Syslog
      | where TimeGenerated > ago(dt_lookBack)
      // Extract domain patterns from syslog messages
      | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
      | where isnotempty(domain)
      | extend parts = split(domain, '.')
      // Split out the top-level domain (TLD)
      | extend tld = parts[(array_length(parts)-1)]
      // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
      | where tld in~ (list_tlds)
      | extend Syslog_TimeGenerated = TimeGenerated
    ) on $left.TI_DomainEntity==$right.domain
    | where Syslog_TimeGenerated < ExpirationDateTime
    // Retrieve the latest syslog timestamp for each indicator and domain combination
    | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
    // Select the desired columns for the final result set
    | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity
    // Extract the hostname from the Computer field
    | extend HostName = tostring(split(Computer, '.', 0)[0])
    // Extract the DNS domain from the Computer field
    | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
    // Assign the Syslog_TimeGenerated value to the timestamp field
    | extend timestamp = Syslog_TimeGenerated  
name: TI map Domain entity to Syslog
version: 1.4.1
id: 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')]",
      "properties": {
        "alertRuleTemplateName": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa",
        "customDetails": null,
        "description": "Identifies a match in Syslog table from any Domain IOC from TI\n",
        "displayName": "TI map Domain entity to Syslog",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml",
        "query": "let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n  | where isnotempty(DomainName)\n  | where TimeGenerated > ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n  | where Active == true and ExpirationDateTime > now()\n  | extend parts = split(DomainName, '.')\n  | extend tld = parts[(array_length(parts)-1)]\n  | summarize count() by tostring(tld)\n  | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n  | where isnotempty(DomainName)\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n  | where Active == true and ExpirationDateTime > now()\n  | extend TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n  | join kind=innerunique (\n    Syslog\n    | where TimeGenerated > ago(dt_lookBack)\n    // Extract domain patterns from syslog messages\n    | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n    | where isnotempty(domain)\n    | extend parts = split(domain, '.')\n    // Split out the top-level domain (TLD)\n    | extend tld = parts[(array_length(parts)-1)]\n    // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n    | where tld in~ (list_tlds)\n    | extend Syslog_TimeGenerated = TimeGenerated\n  ) on $left.TI_DomainEntity==$right.domain\n  | where Syslog_TimeGenerated < ExpirationDateTime\n  // Retrieve the latest syslog timestamp for each indicator and domain combination\n  | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n  // Select the desired columns for the final result set\n  | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n  // Extract the hostname from the Computer field\n  | extend HostName = tostring(split(Computer, '.', 0)[0])\n  // Extract the DNS domain from the Computer field\n  | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n  // Assign the Syslog_TimeGenerated value to the timestamp field\n  | extend timestamp = Syslog_TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "templateVersion": "1.4.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}