Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map IP entity to Network Session Events ASIM Network Session schema

TI map IP entity to Network Session Events ASIM Network Session schema

Back
Id54f4ceb4-fd83-4633-b5b0-c0de9feb8890
RulenameTI map IP entity to Network Session Events (ASIM Network Session schema)
DescriptionThis rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAIVectraStream
AWSS3
AzureFirewall
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
CiscoASA
CiscoMeraki
Corelight
Fortinet
MicrosoftDefenderThreatIntelligence
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
ThreatIntelligenceTaxii
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml
Version1.2.7
Arm template54f4ceb4-fd83-4633-b5b0-c0de9feb8890.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let IP_TI = materialize (
  ThreatIntelIndicators
  //extract key part of kv pair
     | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
     | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
     | extend NetworkSourceIP = toupper(ObservableValue)
     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  | where TimeGenerated >= ago(ioc_lookBack)
  | extend TI_ipEntity = NetworkSourceIP
  | where TI_ipEntity != "NO_IP"
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
);
IP_TI
   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique 
 (
   _Im_NetworkSession (starttime=ago(dt_lookBack))
   | where isnotempty(SrcIpAddr)
   | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor 
   | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.SrcIpAddr == $right.TI_ipEntity
   | project-rename SrcMatch = IsActive
   | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.DstIpAddr == $right.TI_ipEntity
   | project-rename DstMatch = IsActive
   | where SrcMatch or DstMatch
   | extend 
       IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),
       IoCDirection = iff(SrcMatch, "Source", "Destination")
 )on $left.TI_ipEntity == $right.IoCIP
 | where imNWS_mintime < ValidUntil
 | extend Description = tostring(parse_json(Data).description)
 | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
 | project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, Id, Type, ValidUntil, Confidence, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let IP_TI = materialize (
    ThreatIntelIndicators
    //extract key part of kv pair
       | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
       | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
       | extend NetworkSourceIP = toupper(ObservableValue)
       | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    | where TimeGenerated >= ago(ioc_lookBack)
    | extend TI_ipEntity = NetworkSourceIP
    | where TI_ipEntity != "NO_IP"
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where IsActive == true and ValidUntil > now()
  );
  IP_TI
     | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
   | join kind=innerunique 
   (
     _Im_NetworkSession (starttime=ago(dt_lookBack))
     | where isnotempty(SrcIpAddr)
     | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor 
     | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.SrcIpAddr == $right.TI_ipEntity
     | project-rename SrcMatch = IsActive
     | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.DstIpAddr == $right.TI_ipEntity
     | project-rename DstMatch = IsActive
     | where SrcMatch or DstMatch
     | extend 
         IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),
         IoCDirection = iff(SrcMatch, "Source", "Destination")
   )on $left.TI_ipEntity == $right.IoCIP
   | where imNWS_mintime < ValidUntil
   | extend Description = tostring(parse_json(Data).description)
   | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
   | project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, Id, Type, ValidUntil, Confidence, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct  
description: |
    'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - AWSVPCFlow
  connectorId: AWSS3
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: MicrosoftSysmonForLinux
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureNSG
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
- dataTypes:
  - VectraStream
  connectorId: AIVectraStream
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
  connectorId: CiscoMeraki
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
name: TI map IP entity to Network Session Events (ASIM Network Session schema)
triggerThreshold: 0
version: 1.2.7
customDetails:
  IoCIPDirection: IoCDirection
  IndicatorId: IndicatorId
  ActivityGroupNames: ActivityGroupNames
  IoCConfidenceScore: ConfidenceScore
  EventStartTime: imNWS_mintime
  IoCDescription: Description
  EventEndTime: imNWS_maxtime
  ThreatType: ThreatType
  IoCExpirationTime: ExpirationDateTime
tags:
- Schema: ASIMNetworkSession
  SchemaVersion: 0.2.4
tactics:
- CommandAndControl
alertDetailsOverride:
  alertDescriptionFormat: The {{IoCDirection}} address {{IoCIP}} of a network session  matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.
  alertDisplayNameFormat: A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.
relevantTechniques:
- T1071
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IoCIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
id: 54f4ceb4-fd83-4633-b5b0-c0de9feb8890
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54f4ceb4-fd83-4633-b5b0-c0de9feb8890')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54f4ceb4-fd83-4633-b5b0-c0de9feb8890')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session  matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.",
          "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC."
        },
        "alertRuleTemplateName": "54f4ceb4-fd83-4633-b5b0-c0de9feb8890",
        "customDetails": {
          "ActivityGroupNames": "ActivityGroupNames",
          "EventEndTime": "imNWS_maxtime",
          "EventStartTime": "imNWS_mintime",
          "IndicatorId": "IndicatorId",
          "IoCConfidenceScore": "ConfidenceScore",
          "IoCDescription": "Description",
          "IoCExpirationTime": "ExpirationDateTime",
          "IoCIPDirection": "IoCDirection",
          "ThreatType": "ThreatType"
        },
        "description": "'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'\n",
        "displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IoCIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_imNetworkSession.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\n  ThreatIntelIndicators\n  //extract key part of kv pair\n     | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n     | where isnotempty(IndicatorType) and IndicatorType == \"ipv4-addr\"\n     | extend NetworkSourceIP = toupper(ObservableValue)\n     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | extend TI_ipEntity = NetworkSourceIP\n  | where TI_ipEntity != \"NO_IP\"\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where IsActive == true and ValidUntil > now()\n);\nIP_TI\n   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity\n  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique \n (\n   _Im_NetworkSession (starttime=ago(dt_lookBack))\n   | where isnotempty(SrcIpAddr)\n   | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n   | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.SrcIpAddr == $right.TI_ipEntity\n   | project-rename SrcMatch = IsActive\n   | lookup (IP_TI | project TI_ipEntity, IsActive) on $left.DstIpAddr == $right.TI_ipEntity\n   | project-rename DstMatch = IsActive\n   | where SrcMatch or DstMatch\n   | extend \n       IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n       IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n )on $left.TI_ipEntity == $right.IoCIP\n | where imNWS_mintime < ValidUntil\n | extend Description = tostring(parse_json(Data).description)\n | extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n | project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, Id, Type, ValidUntil, Confidence, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Schema": "ASIMNetworkSession",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.2.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}