High Urgency IONIX Action Items

Back


Id	8e0403b1-07f8-4865-b2e9-74d1e83200a4
Rulename	High Urgency IONIX Action Items
Description	This query creates an alert for active IONIX Action Items with high urgency (9-10). Urgency can be altered using the “min_urgency” variable in the query.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1195
Required data connectors	CyberpionSecurityLogs
Kind	Scheduled
Query frequency	1d
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
Version	1.0.1
Arm template	8e0403b1-07f8-4865-b2e9-74d1e83200a4.json

KQL

let timeframe = 14d;
let time_generated_bucket = 1h;
let min_urgency = 9;
let maxTimeGeneratedBucket = toscalar(
   CyberpionActionItems_CL
   | where TimeGenerated > ago(timeframe)
   | summarize max(bin(TimeGenerated, time_generated_bucket))
   );
CyberpionActionItems_CL
 | where TimeGenerated > ago(timeframe) and is_open_b == true
 | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket
 | where urgency_d >= min_urgency
 | extend timestamp = opening_datetime_t
 | extend DNSCustomEntity = host_s

YAML

relevantTechniques:
- T1190
- T1195
name: High Urgency IONIX Action Items
requiredDataConnectors:
- dataTypes:
  - CyberpionActionItems_CL
  connectorId: CyberpionSecurityLogs
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: DNSCustomEntity
  entityType: DNS
triggerThreshold: 0
id: 8e0403b1-07f8-4865-b2e9-74d1e83200a4
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 1d
severity: High
status: Available
description: |
  'This query creates an alert for active IONIX Action Items with high urgency (9-10).
   Urgency can be altered using the "min_urgency" variable in the query.'  
query: |
  let timeframe = 14d;
  let time_generated_bucket = 1h;
  let min_urgency = 9;
  let maxTimeGeneratedBucket = toscalar(
     CyberpionActionItems_CL
     | where TimeGenerated > ago(timeframe)
     | summarize max(bin(TimeGenerated, time_generated_bucket))
     );
  CyberpionActionItems_CL
   | where TimeGenerated > ago(timeframe) and is_open_b == true
   | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket
   | where urgency_d >= min_urgency
   | extend timestamp = opening_datetime_t
   | extend DNSCustomEntity = host_s  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e0403b1-07f8-4865-b2e9-74d1e83200a4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e0403b1-07f8-4865-b2e9-74d1e83200a4')]",
      "properties": {
        "alertRuleTemplateName": "8e0403b1-07f8-4865-b2e9-74d1e83200a4",
        "customDetails": null,
        "description": "'This query creates an alert for active IONIX Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query.'\n",
        "displayName": "High Urgency IONIX Action Items",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DNSCustomEntity",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml",
        "query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n   CyberpionActionItems_CL\n   | where TimeGenerated > ago(timeframe)\n   | summarize max(bin(TimeGenerated, time_generated_bucket))\n   );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1195"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}