TI map IP entity to WorkdayASimAuditEventLogs

Back


Id	92e8e945-6e99-4e4b-bef8-468b4c19fc3a
Rulename	TI map IP entity to Workday(ASimAuditEventLogs)
Description	Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	MicrosoftDefenderThreatIntelligence ThreatIntelligence ThreatIntelligenceTaxii Workday
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
Version	1.0.0
Arm template	92e8e945-6e99-4e4b-bef8-468b4c19fc3a.json

KQL

let dtLookBack = 1h; // Define the lookback period for audit events
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
ThreatIntelIndicators 
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
//extract key part of kv pair
     | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
     | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
     | extend NetworkSourceIP = toupper(ObservableValue)
     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| where isnotempty(NetworkSourceIP)
      or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id // Get the latest indicator time for each IndicatorId
  | extend TI_ipEntity = coalesce(NetworkSourceIP, NetworkSourceIP, NetworkSourceIP, NetworkSourceIP) // Combine IP fields into a single entity
  | where IsActive == true and ValidUntil > now() // Filter for active indicators that have not expired
  | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  | join kind=inner (
      ASimAuditEventLogs
      | where EventVendor == "Workday" // Filter for Workday events
      | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
      | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
      | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
      )
      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
      | extend Description = tostring(parse_json(Data).description)
      | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project
      LatestIndicatorTime,
      Description,
      ActivityGroupNames,
      Id,
      ValidUntil,
      Confidence,
      WD_TimeGenerated,
      ActorUsername,
      DvcIpAddr,
      Operation,
      Object//ThreatType, Url // Select relevant columns after the join
  | extend
      timestamp = WD_TimeGenerated,
      Name = tostring(split(ActorUsername, '@', 0)),
      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
query: |
  let dtLookBack = 1h; // Define the lookback period for audit events
  let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
  ThreatIntelIndicators 
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  //extract key part of kv pair
       | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
       | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr"
       | extend NetworkSourceIP = toupper(ObservableValue)
       | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  | where isnotempty(NetworkSourceIP)
        or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id // Get the latest indicator time for each IndicatorId
    | extend TI_ipEntity = coalesce(NetworkSourceIP, NetworkSourceIP, NetworkSourceIP, NetworkSourceIP) // Combine IP fields into a single entity
    | where IsActive == true and ValidUntil > now() // Filter for active indicators that have not expired
    | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    | join kind=inner (
        ASimAuditEventLogs
        | where EventVendor == "Workday" // Filter for Workday events
        | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
        | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
        | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
        | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
        )
        on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
        | extend Description = tostring(parse_json(Data).description)
        | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project
        LatestIndicatorTime,
        Description,
        ActivityGroupNames,
        Id,
        ValidUntil,
        Confidence,
        WD_TimeGenerated,
        ActorUsername,
        DvcIpAddr,
        Operation,
        Object//ThreatType, Url // Select relevant columns after the join
    | extend
        timestamp = WD_TimeGenerated,
        Name = tostring(split(ActorUsername, '@', 0)),
        UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix       
description: |
    Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
severity: Medium
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - Workday
  connectorId: Workday
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
name: TI map IP entity to Workday(ASimAuditEventLogs)
triggerThreshold: 0
tactics:
- CommandAndControl
version: 1.0.0
relevantTechniques:
- T1071
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
id: 92e8e945-6e99-4e4b-bef8-468b4c19fc3a
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/92e8e945-6e99-4e4b-bef8-468b4c19fc3a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/92e8e945-6e99-4e4b-bef8-468b4c19fc3a')]",
      "properties": {
        "alertRuleTemplateName": "92e8e945-6e99-4e4b-bef8-468b4c19fc3a",
        "customDetails": null,
        "description": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).\n",
        "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml",
        "query": "let dtLookBack = 1h; // Define the lookback period for audit events\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators\nThreatIntelIndicators \n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n//extract key part of kv pair\n     | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n     | where isnotempty(IndicatorType) and IndicatorType == \"ipv4-addr\"\n     | extend NetworkSourceIP = toupper(ObservableValue)\n     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n| where isnotempty(NetworkSourceIP)\n      or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id // Get the latest indicator time for each IndicatorId\n  | extend TI_ipEntity = coalesce(NetworkSourceIP, NetworkSourceIP, NetworkSourceIP, NetworkSourceIP) // Combine IP fields into a single entity\n  | where IsActive == true and ValidUntil > now() // Filter for active indicators that have not expired\n  | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity\n  | join kind=inner (\n      ASimAuditEventLogs\n      | where EventVendor == \"Workday\" // Filter for Workday events\n      | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period\n      | where isnotempty(DvcIpAddr) // Filter for events with a device IP address\n      | extend WD_TimeGenerated = EventStartTime // Rename the event start time column\n      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns\n      )\n      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity\n      | extend Description = tostring(parse_json(Data).description)\n      | extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n  | project\n      LatestIndicatorTime,\n      Description,\n      ActivityGroupNames,\n      Id,\n      ValidUntil,\n      Confidence,\n      WD_TimeGenerated,\n      ActorUsername,\n      DvcIpAddr,\n      Operation,\n      Object//ThreatType, Url // Select relevant columns after the join\n  | extend\n      timestamp = WD_TimeGenerated,\n      Name = tostring(split(ActorUsername, '@', 0)),\n      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix     \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}