Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map IP entity to AWSCloudTrail

TI map IP entity to AWSCloudTrail

Back
Id69f55be4-1b13-42d0-b975-a1e59c996dd2
RulenameTI map IP entity to AWSCloudTrail
DescriptionIdentifies a match in AWSCloudTrail from any IP IOC from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAWS
MicrosoftDefenderThreatIntelligence
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
Version1.4.6
Arm template69f55be4-1b13-42d0-b975-a1e59c996dd2.json
Deploy To Azure
let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
  //extract key part of kv pair
      | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
      | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
      | extend NetworkSourceIP = toupper(ObservableValue)
      | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  // Filter out indicators without relevant IP address fields
  | where TimeGenerated >= ago(ioc_lookBack)
  // Select the IP entity based on availability of different IP fields
  | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
IP_Indicators
   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
  | join kind=innerunique (
      AWSCloudTrail
      | where TimeGenerated >= ago(dt_lookBack)
      | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
    )
    on $left.TI_ipEntity == $right.SourceIpAddress
  // Filter out logs that occurred after the expiration of the corresponding indicator
  | where AWSCloudTrail_TimeGenerated < ValidUntil
  // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
  | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by Id, SourceIpAddress
  // Select the desired output fields
  | extend Description = tostring(parse_json(Data).description)
  | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
    TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
    NetworkSourceIP, Url
  // Rename the timestamp field
  | extend timestamp = AWSCloudTrail_TimeGenerated

tactics:
- CommandAndControl
triggerOperator: gt
queryPeriod: 14d
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - ThreatIntelIndicators
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelIndicators
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - ThreatIntelIndicators
  connectorId: MicrosoftDefenderThreatIntelligence
id: 69f55be4-1b13-42d0-b975-a1e59c996dd2
relevantTechniques:
- T1071
triggerThreshold: 0
kind: Scheduled
entityMappings:
- fieldMappings:
  - identifier: ObjectGuid
    columnName: UserIdentityUserName
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
query: |
  let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
    //extract key part of kv pair
        | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
        | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
        | extend NetworkSourceIP = toupper(ObservableValue)
        | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    // Filter out indicators without relevant IP address fields
    | where TimeGenerated >= ago(ioc_lookBack)
    // Select the IP entity based on availability of different IP fields
    | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
    // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
  // Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
  IP_Indicators
     | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
    | join kind=innerunique (
        AWSCloudTrail
        | where TimeGenerated >= ago(dt_lookBack)
        | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
      )
      on $left.TI_ipEntity == $right.SourceIpAddress
    // Filter out logs that occurred after the expiration of the corresponding indicator
    | where AWSCloudTrail_TimeGenerated < ValidUntil
    // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
    | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by Id, SourceIpAddress
    // Select the desired output fields
    | extend Description = tostring(parse_json(Data).description)
    | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
      TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
      NetworkSourceIP, Url
    // Rename the timestamp field
    | extend timestamp = AWSCloudTrail_TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
name: TI map IP entity to AWSCloudTrail
version: 1.4.6
severity: Medium
description: |
    Identifies a match in AWSCloudTrail from any IP IOC from TI