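// Baseline window: senders seen in the 14 days before the current 1h window.
// Any sender in the last hour that is absent from this baseline is reported.
let lookback = 14d;
let recentWindow = 1h;
// The join key is a lower-cased copy of the sender address so that a case
// variant of an already-seen sender (Alice@Example.com vs alice@example.com)
// is not reported as new. The original EmailFrom value is still projected.
let historicalSenders = RedSiftEmailForensics_CL
    | extend EmailFrom = tostring(column_ifexists("EmailFrom", ""))
    | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
    | where isnotempty(EmailFrom)
    | extend SenderKey = tolower(EmailFrom)
    | summarize by SenderKey;
RedSiftEmailForensics_CL
    // column_ifexists keeps the query valid when an optional column is
    // missing from the table; missing string columns become "".
    | extend
        EmailFrom = tostring(column_ifexists("EmailFrom", "")),
        EmailSubject = tostring(column_ifexists("EmailSubject", "")),
        EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
        EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
        SrcIp = tostring(column_ifexists("SrcIp", "")),
        DstHostname = tostring(column_ifexists("DstHostname", "")),
        Severity = tostring(column_ifexists("Severity", "")),
        Message = tostring(column_ifexists("Message", "")),
        CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
        EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
    | where TimeGenerated >= ago(recentWindow)
    | where isnotempty(EmailFrom)
    | extend SenderKey = tolower(EmailFrom)
    | extend UrlCount = array_length(EmailUrls)
    | where UrlCount > 0
    // NOTE(review): assumes each EmailUrls element carries a url_string
    // property — confirm against the connector schema.
    // UrlSet is capped at 50 distinct URLs; UrlCount still reflects the
    // full array length.
    | mv-apply Url = EmailUrls on (
        summarize UrlSet = make_set(tostring(Url.url_string), 50)
    )
    | extend UrlList = strcat_array(UrlSet, ", ")
    // leftanti keeps only rows whose SenderKey has no match in the baseline.
    | join kind=leftanti (historicalSenders) on SenderKey
    | project
        TimeGenerated,
        EmailFrom,
        EmailSubject,
        EmailReturnPath,
        EmailMessageUid,
        SrcIp,
        DstHostname,
        UrlCount,
        UrlList,
        Severity,
        Message,
        CorrelationUid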
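relevantTechniques:
  - T1566
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: EmailFrom
        identifier: FullName
  - entityType: IP
    fieldMappings:
      - columnName: SrcIp
        identifier: Address
  - entityType: DNS
    fieldMappings:
      - columnName: DstHostname
        identifier: DomainName
eventGroupingSettings:
  # One alert per matching email; grouping below folds them into incidents.
  aggregationKind: AlertPerResult
version: 1.0.0
suppressionDuration: PT1H
id: 6e0b70d4-0ab8-480e-9707-8ad45fc21a65
suppressionEnabled: false
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
  'Detects email forensics events that contain one or more URLs where the sender in the from field has not been seen in the previous 14 days, which may indicate phishing activity or a newly observed sender.'
requiredDataConnectors:
  - connectorId: RedSiftPush
    dataTypes:
      - RedSiftEmailForensics_CL
triggerOperator: gt
name: Red Sift - New email with URL from previously unseen sender
tactics:
  - InitialAccess
alertDetailsOverride:
  alertDescriptionFormat: Email from previously unseen sender {{EmailFrom}} contains {{UrlCount}} URL(s).
  alertDisplayNameFormat: RedSift - New URL-bearing sender {{EmailFrom}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml
triggerThreshold: 0
# queryPeriod must be at least the query's `lookback` (14d) so the baseline
# of historical senders is complete; shortening it would produce false "new
# sender" alerts.
queryPeriod: 14d
query: |
  // Baseline window: senders seen in the 14 days before the current 1h window.
  // Any sender in the last hour that is absent from this baseline is reported.
  let lookback = 14d;
  let recentWindow = 1h;
  // The join key is a lower-cased copy of the sender address so that a case
  // variant of an already-seen sender (Alice@Example.com vs alice@example.com)
  // is not reported as new. The original EmailFrom value is still projected.
  let historicalSenders = RedSiftEmailForensics_CL
      | extend EmailFrom = tostring(column_ifexists("EmailFrom", ""))
      | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
      | where isnotempty(EmailFrom)
      | extend SenderKey = tolower(EmailFrom)
      | summarize by SenderKey;
  RedSiftEmailForensics_CL
      // column_ifexists keeps the query valid when an optional column is
      // missing from the table; missing string columns become "".
      | extend
          EmailFrom = tostring(column_ifexists("EmailFrom", "")),
          EmailSubject = tostring(column_ifexists("EmailSubject", "")),
          EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
          EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
          SrcIp = tostring(column_ifexists("SrcIp", "")),
          DstHostname = tostring(column_ifexists("DstHostname", "")),
          Severity = tostring(column_ifexists("Severity", "")),
          Message = tostring(column_ifexists("Message", "")),
          CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
          EmailUrls = todynamic(column_ifexists("EmailUrls", "[]"))
      | where TimeGenerated >= ago(recentWindow)
      | where isnotempty(EmailFrom)
      | extend SenderKey = tolower(EmailFrom)
      | extend UrlCount = array_length(EmailUrls)
      | where UrlCount > 0
      // NOTE(review): assumes each EmailUrls element carries a url_string
      // property — confirm against the connector schema.
      // UrlSet is capped at 50 distinct URLs; UrlCount still reflects the
      // full array length.
      | mv-apply Url = EmailUrls on (
          summarize UrlSet = make_set(tostring(Url.url_string), 50)
      )
      | extend UrlList = strcat_array(UrlSet, ", ")
      // leftanti keeps only rows whose SenderKey has no match in the baseline.
      | join kind=leftanti (historicalSenders) on SenderKey
      | project
          TimeGenerated,
          EmailFrom,
          EmailSubject,
          EmailReturnPath,
          EmailMessageUid,
          SrcIp,
          DstHostname,
          UrlCount,
          UrlList,
          Severity,
          Message,
          CorrelationUid
status: Available
customDetails:
  ReturnPath: EmailReturnPath
  UrlCount: UrlCount
  CorrelationUid: CorrelationUid
  EmailSubject: EmailSubject
  UrlList: UrlList
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    # Alerts are grouped into one incident per sender (Account entity) and
    # subject within the lookbackDuration window.
    groupByEntities:
      - Account
    groupByCustomDetails:
      - EmailSubject
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: P1D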