TI map IP entity to AWSCloudTrail

Back


Id	69f55be4-1b13-42d0-b975-a1e59c996dd2
Rulename	TI map IP entity to AWSCloudTrail
Description	Identifies a match in AWSCloudTrail from any IP IOC from TI
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	AWS MicrosoftDefenderThreatIntelligence ThreatIntelligence ThreatIntelligenceTaxii
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
Version	1.4.3
Arm template	69f55be4-1b13-42d0-b975-a1e59c996dd2.json

KQL

let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
  //extract key part of kv pair
      | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
      | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
      | extend NetworkSourceIP = toupper(ObservableValue)
      | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  // Filter out indicators without relevant IP address fields
  | where isnotempty(NetworkSourceIP)
  | where TimeGenerated >= ago(ioc_lookBack)
  // Select the IP entity based on availability of different IP fields
  | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
  //| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now();
// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
IP_Indicators
   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
  | join kind=innerunique (
      AWSCloudTrail
      | where TimeGenerated >= ago(dt_lookBack)
      | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
    )
    on $left.TI_ipEntity == $right.SourceIpAddress
  // Filter out logs that occurred after the expiration of the corresponding indicator
  | where AWSCloudTrail_TimeGenerated < ValidUntil
  // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
  | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by Id, SourceIpAddress
  // Select the desired output fields
  | extend Description = tostring(parse_json(Data).description)
  | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
    TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
    NetworkSourceIP, Url//, NetworkDestinationIP, EmailSourceIpAddress, Type
  // Rename the timestamp field
  | extend timestamp = AWSCloudTrail_TimeGenerated

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml
query: |
  let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
    //extract key part of kv pair
        | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
        | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
        | extend NetworkSourceIP = toupper(ObservableValue)
        | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    // Filter out indicators without relevant IP address fields
    | where isnotempty(NetworkSourceIP)
    | where TimeGenerated >= ago(ioc_lookBack)
    // Select the IP entity based on availability of different IP fields
    | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
    //| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
    // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where IsActive == true and ValidUntil > now();
  // Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
  IP_Indicators
     | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
    | join kind=innerunique (
        AWSCloudTrail
        | where TimeGenerated >= ago(dt_lookBack)
        | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
      )
      on $left.TI_ipEntity == $right.SourceIpAddress
    // Filter out logs that occurred after the expiration of the corresponding indicator
    | where AWSCloudTrail_TimeGenerated < ValidUntil
    // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
    | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by Id, SourceIpAddress
    // Select the desired output fields
    | extend Description = tostring(parse_json(Data).description)
    | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
      TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
      NetworkSourceIP, Url//, NetworkDestinationIP, EmailSourceIpAddress, Type
    // Rename the timestamp field
    | extend timestamp = AWSCloudTrail_TimeGenerated  
description: |
    Identifies a match in AWSCloudTrail from any IP IOC from TI
severity: Medium
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
name: TI map IP entity to AWSCloudTrail
triggerThreshold: 0
tactics:
- CommandAndControl
version: 1.4.3
relevantTechniques:
- T1071
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserIdentityUserName
    identifier: ObjectGuid
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
id: 69f55be4-1b13-42d0-b975-a1e59c996dd2
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/69f55be4-1b13-42d0-b975-a1e59c996dd2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/69f55be4-1b13-42d0-b975-a1e59c996dd2')]",
      "properties": {
        "alertRuleTemplateName": "69f55be4-1b13-42d0-b975-a1e59c996dd2",
        "customDetails": null,
        "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI\n",
        "displayName": "TI map IP entity to AWSCloudTrail",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserIdentityUserName",
                "identifier": "ObjectGuid"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AWSCloudTrail.yaml",
        "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelIndicators\n  //extract key part of kv pair\n      | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n      | where isnotempty(IndicatorType) and IndicatorType == \"ipv4-addr\"\n      | extend NetworkSourceIP = toupper(ObservableValue)\n      | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n  // Filter out indicators without relevant IP address fields\n  | where isnotempty(NetworkSourceIP)\n  | where TimeGenerated >= ago(ioc_lookBack)\n  // Select the IP entity based on availability of different IP fields\n  | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)\n  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n  | extend Url = iff(ObservableKey == \"url:value\", ObservableValue, \"\")\n  //| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where IsActive == true and ValidUntil > now();\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity\n  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n  | join kind=innerunique (\n      AWSCloudTrail\n      | where TimeGenerated >= ago(dt_lookBack)\n      | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n    )\n    on $left.TI_ipEntity == $right.SourceIpAddress\n  // Filter out logs that occurred after the expiration of the corresponding indicator\n  | where AWSCloudTrail_TimeGenerated < ValidUntil\n  // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\n  | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by Id, SourceIpAddress\n  // Select the desired output fields\n  | extend Description = tostring(parse_json(Data).description)\n  | extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n  | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence,\n    TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n    NetworkSourceIP, Url//, NetworkDestinationIP, EmailSourceIpAddress, Type\n  // Rename the timestamp field\n  | extend timestamp = AWSCloudTrail_TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.4.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}