Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map Domain entity to EmailUrlInfo

TI map Domain entity to EmailUrlInfo

Back
Id87cc75df-d7b2-44f1-b064-ee924edfc879
RulenameTI map Domain entity to EmailUrlInfo
DescriptionIdentifies a match in EmailUrlInfo table from any Domain IOC from TI.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsMicrosoftDefenderThreatIntelligence
Office365
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
Version1.0.3
Arm template87cc75df-d7b2-44f1-b064-ee924edfc879.json
Deploy To Azure
let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
let TI_Urls = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(Url) // Filter for non-empty URLs
| extend Url = tolower(Url) // Convert URLs to lowercase
| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlLocation, NetworkMessageId; // Select relevant columns
let TI_Domains = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(DomainName) // Filter for non-empty domain names
| extend DomainName = tolower(DomainName) // Convert domain names to lowercase
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns
union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
| where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address

id: 87cc75df-d7b2-44f1-b064-ee924edfc879
tactics:
- InitialAccess
queryPeriod: 14d
triggerThreshold: 0
name: TI map Domain entity to EmailUrlInfo
query: |
  let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
  let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
  let EmailUrlInfo_ = EmailUrlInfo
  | where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
  | where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
  | extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
  | extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
  let EmailEvents_ = EmailEvents
  | where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
  let TI_Urls = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  | where isnotempty(Url) // Filter for non-empty URLs
  | extend Url = tolower(Url) // Convert URLs to lowercase
  | join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
  | where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
  | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
  | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator
  | project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlLocation, NetworkMessageId; // Select relevant columns
  let TI_Domains = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  | where isnotempty(DomainName) // Filter for non-empty domain names
  | extend DomainName = tolower(DomainName) // Convert domain names to lowercase
  | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
  | where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
  | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
  | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
  | project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns
  union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
  | extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
  | join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
  | where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
  | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1566
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - EmailUrlInfo
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
description: |
    'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
version: 1.0.3
entityMappings:
- fieldMappings:
  - columnName: RecipientEmailAddress
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87cc75df-d7b2-44f1-b064-ee924edfc879')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87cc75df-d7b2-44f1-b064-ee924edfc879')]",
      "properties": {
        "alertRuleTemplateName": "87cc75df-d7b2-44f1-b064-ee924edfc879",
        "customDetails": null,
        "description": "'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'\n",
        "displayName": "TI map Domain entity to EmailUrlInfo",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "RecipientEmailAddress",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml",
        "query": "let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days\nlet EmailUrlInfo_ = EmailUrlInfo\n| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains\n| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period\n| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase\n| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated\nlet EmailEvents_ = EmailEvents\n| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period\nlet TI_Urls = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(Url) // Filter for non-empty URLs\n| extend Url = tolower(Url) // Convert URLs to lowercase\n| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL\n| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired\n| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlLocation, NetworkMessageId; // Select relevant columns\nlet TI_Domains = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(DomainName) // Filter for non-empty domain names\n| extend DomainName = tolower(DomainName) // Convert domain names to lowercase\n| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name\n| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired\n| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns\nunion TI_Urls, TI_Domains // Combine URL and domain threat intelligence data\n| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column\n| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID\n| where DeliveryAction !has \"Blocked\" // Filter out blocked delivery actions\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}