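// Red Sift - new URL-bearing sender.
// Surfaces email forensics events from the last hour that carry one or more
// URLs and whose From address has not appeared in RedSiftEmailForensics_CL
// during the preceding 14 days.
//
// Tuning / operational notes:
// - lookback must not exceed the rule's queryPeriod (14d): Sentinel only hands
//   the query that much data, so a longer lookback silently truncates the
//   baseline and makes long-standing senders look "new".
// - recentWindow should match queryFrequency (1h); a larger window re-alerts on
//   the same events, a smaller one leaves gaps.
// - EmailFrom is the message's From header, which the sender controls. The
//   baseline is built from that value alone, so an address that appeared once
//   in the window (a benign "warm-up" message, or an earlier wave of the same
//   campaign) will not alert again until it ages out after 14 days.
// - Sender comparison is case-insensitive: KQL joins on string keys are
//   case-sensitive, so without tolower() Alice@example.com and
//   alice@example.com would be treated as two different senders and the
//   variant would fire as a false "new sender".
let lookback = 14d;
let recentWindow = 1h;
// Distinct (lower-cased) From addresses seen before the current window.
let historicalSenders = RedSiftEmailForensics_CL
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| extend EmailFrom = tostring(column_ifexists("EmailFrom", ""))
| where isnotempty(EmailFrom)
| summarize by SenderKey = tolower(EmailFrom);
RedSiftEmailForensics_CL
// Filter on time first so the column normalisation below runs on the hour's
// events only.
| where TimeGenerated >= ago(recentWindow)
| extend
    EmailFrom = tostring(column_ifexists("EmailFrom", "")),
    EmailSubject = tostring(column_ifexists("EmailSubject", "")),
    EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
    EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    DstHostname = tostring(column_ifexists("DstHostname", "")),
    Severity = tostring(column_ifexists("Severity", "")),
    Message = tostring(column_ifexists("Message", "")),
    CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
    EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
| where isnotempty(EmailFrom)
| extend UrlCount = array_length(EmailUrls)
| where UrlCount > 0
// Collapse the URL array into a bounded, de-duplicated set. Entries whose
// url_string is missing or empty are skipped instead of being emitted as "",
// while the event itself is kept because UrlCount already gated it.
// NOTE(review): assumes each EmailUrls element is an object with a url_string
// property - confirm against the Red Sift connector schema.
| mv-apply Url = EmailUrls on (
    summarize UrlSet = make_set_if(tostring(Url.url_string), isnotempty(tostring(Url.url_string)), 50)
)
| extend UrlList = strcat_array(UrlSet, ", ")
// Normalised key for the baseline comparison; the original EmailFrom is still
// what gets projected and mapped to the Account entity.
| extend SenderKey = tolower(EmailFrom)
| join kind=leftanti (historicalSenders) on SenderKey
| project
    TimeGenerated,
    EmailFrom,
    EmailSubject,
    EmailReturnPath,
    EmailMessageUid,
    SrcIp,
    DstHostname,
    UrlCount,
    UrlList,
    Severity,
    Message,
    CorrelationUid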
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: EmailFrom
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: DstHostname
tactics:
- InitialAccess
suppressionEnabled: false
suppressionDuration: PT1H
requiredDataConnectors:
- dataTypes:
- RedSiftEmailForensics_CL
connectorId: RedSiftPush
alertDetailsOverride:
alertDisplayNameFormat: RedSift - New URL-bearing sender {{EmailFrom}}
alertDescriptionFormat: Email from previously unseen sender {{EmailFrom}} contains {{UrlCount}} URL(s).
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: P1D
groupByEntities:
- Account
groupByCustomDetails:
- EmailSubject
enabled: true
matchingMethod: Selected
createIncident: true
id: 6e0b70d4-0ab8-480e-9707-8ad45fc21a65
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
EmailSubject: EmailSubject
UrlCount: UrlCount
CorrelationUid: CorrelationUid
UrlList: UrlList
ReturnPath: EmailReturnPath
query: |
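// Red Sift - new URL-bearing sender.
// Surfaces email forensics events from the last hour that carry one or more
// URLs and whose From address has not appeared in RedSiftEmailForensics_CL
// during the preceding 14 days.
//
// Tuning / operational notes:
// - lookback must not exceed the rule's queryPeriod (14d): Sentinel only hands
//   the query that much data, so a longer lookback silently truncates the
//   baseline and makes long-standing senders look "new".
// - recentWindow should match queryFrequency (1h); a larger window re-alerts on
//   the same events, a smaller one leaves gaps.
// - EmailFrom is the message's From header, which the sender controls. The
//   baseline is built from that value alone, so an address that appeared once
//   in the window (a benign "warm-up" message, or an earlier wave of the same
//   campaign) will not alert again until it ages out after 14 days.
// - Sender comparison is case-insensitive: KQL joins on string keys are
//   case-sensitive, so without tolower() Alice@example.com and
//   alice@example.com would be treated as two different senders and the
//   variant would fire as a false "new sender".
let lookback = 14d;
let recentWindow = 1h;
// Distinct (lower-cased) From addresses seen before the current window.
let historicalSenders = RedSiftEmailForensics_CL
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| extend EmailFrom = tostring(column_ifexists("EmailFrom", ""))
| where isnotempty(EmailFrom)
| summarize by SenderKey = tolower(EmailFrom);
RedSiftEmailForensics_CL
// Filter on time first so the column normalisation below runs on the hour's
// events only.
| where TimeGenerated >= ago(recentWindow)
| extend
    EmailFrom = tostring(column_ifexists("EmailFrom", "")),
    EmailSubject = tostring(column_ifexists("EmailSubject", "")),
    EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
    EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    DstHostname = tostring(column_ifexists("DstHostname", "")),
    Severity = tostring(column_ifexists("Severity", "")),
    Message = tostring(column_ifexists("Message", "")),
    CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
    EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
| where isnotempty(EmailFrom)
| extend UrlCount = array_length(EmailUrls)
| where UrlCount > 0
// Collapse the URL array into a bounded, de-duplicated set. Entries whose
// url_string is missing or empty are skipped instead of being emitted as "",
// while the event itself is kept because UrlCount already gated it.
// NOTE(review): assumes each EmailUrls element is an object with a url_string
// property - confirm against the Red Sift connector schema.
| mv-apply Url = EmailUrls on (
    summarize UrlSet = make_set_if(tostring(Url.url_string), isnotempty(tostring(Url.url_string)), 50)
)
| extend UrlList = strcat_array(UrlSet, ", ")
// Normalised key for the baseline comparison; the original EmailFrom is still
// what gets projected and mapped to the Account entity.
| extend SenderKey = tolower(EmailFrom)
| join kind=leftanti (historicalSenders) on SenderKey
| project
    TimeGenerated,
    EmailFrom,
    EmailSubject,
    EmailReturnPath,
    EmailMessageUid,
    SrcIp,
    DstHostname,
    UrlCount,
    UrlList,
    Severity,
    Message,
    CorrelationUid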
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml
kind: Scheduled
queryPeriod: 14d
version: 1.0.0
name: Red Sift - New email with URL from previously unseen sender
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1566
description: |
Detects Red Sift email forensics events that contain one or more URLs and whose From address has not been observed in the RedSiftEmailForensics_CL table during the previous 14 days, which may indicate phishing from a newly observed sender. The baseline is built from the sender-controlled From header alone, so an address seen once in the window (including in an earlier message of the same campaign) will not alert again until it ages out.
triggerOperator: gt