Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Infoblox - TI - CommonSecurityLog Match Found - MalwareC2

Infoblox - TI - CommonSecurityLog Match Found - MalwareC2

Back
Id5b0864a9-4577-4087-b9fa-de3e14a8a999
RulenameInfoblox - TI - CommonSecurityLog Match Found - MalwareC2
DescriptionCommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
SeverityMedium
TacticsImpact
TechniquesT1498
T1565
Required data connectorsCefAma
ThreatIntelligence
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
Version1.0.3
Arm template5b0864a9-4577-4087-b9fa-de3e14a8a999.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description has_cs "Infoblox"
| where Description has_cs "MalwareC2"
| where isnotempty(DomainName)
;
let Data = CommonSecurityLog
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, DestinationDnsDomain, DeviceAction, SourceIP, DeviceName, SourceMACAddress, SourceUserName, AdditionalExtensions, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags

eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
  - identifier: FullName
    columnName: SourceUserName
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DestinationDnsDomain
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
customDetails:
  SourceMACAddress: SourceMACAddress
incidentConfiguration:
  createIncident: true
name: Infoblox - TI - CommonSecurityLog Match Found - MalwareC2
relevantTechniques:
- T1498
- T1565
status: Available
version: 1.0.3
queryPeriod: 14d
kind: Scheduled
id: 5b0864a9-4577-4087-b9fa-de3e14a8a999
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description has_cs "Infoblox"
  | where Description has_cs "MalwareC2"
  | where isnotempty(DomainName)
  ;
  let Data = CommonSecurityLog
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  | where isnotempty(DestinationDnsDomain)
  //Remove trailing period at end of domain
  | extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, DeviceEventClassID, DestinationDnsDomain, DeviceAction, SourceIP, DeviceName, SourceMACAddress, SourceUserName, AdditionalExtensions, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
description: |
    'CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- Impact