TI map IP entity to WorkdayASimAuditEventLogs

let dtLookBack = 1h; // Define the lookback period for audit events
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
ThreatIntelIndicators 
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
//extract key part of kv pair
     | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
     | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
     | extend NetworkSourceIP = toupper(ObservableValue)
     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
     | where isnotempty(NetworkSourceIP)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue // Get the latest indicator time for each IndicatorId
  | extend TI_ipEntity = coalesce(NetworkSourceIP, NetworkSourceIP, NetworkSourceIP, NetworkSourceIP) // Combine IP fields into a single entity
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil)) // Filter for active indicators that have not expired
  | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  | join kind=inner (
      ASimAuditEventLogs
      | where EventVendor == "Workday" // Filter for Workday events
      | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
      | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
      | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
      )
      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
      | extend Description = tostring(parse_json(Data).description)
      | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project
      LatestIndicatorTime,
      Description,
      ActivityGroupNames,
      Id,
      ValidUntil,
      Confidence,
      WD_TimeGenerated,
      ActorUsername,
      DvcIpAddr,
      Operation,
      Object // Select relevant columns after the join
  | extend
      timestamp = WD_TimeGenerated,
      Name = tostring(split(ActorUsername, '@', 0)),
      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix   

queryPeriod: 14d
query: |
  let dtLookBack = 1h; // Define the lookback period for audit events
  let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
  ThreatIntelIndicators 
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  //extract key part of kv pair
       | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
       | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
       | extend NetworkSourceIP = toupper(ObservableValue)
       | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
       | where isnotempty(NetworkSourceIP)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue // Get the latest indicator time for each IndicatorId
    | extend TI_ipEntity = coalesce(NetworkSourceIP, NetworkSourceIP, NetworkSourceIP, NetworkSourceIP) // Combine IP fields into a single entity
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil)) // Filter for active indicators that have not expired
    | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    | join kind=inner (
        ASimAuditEventLogs
        | where EventVendor == "Workday" // Filter for Workday events
        | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
        | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
        | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
        | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
        )
        on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
        | extend Description = tostring(parse_json(Data).description)
        | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project
        LatestIndicatorTime,
        Description,
        ActivityGroupNames,
        Id,
        ValidUntil,
        Confidence,
        WD_TimeGenerated,
        ActorUsername,
        DvcIpAddr,
        Operation,
        Object // Select relevant columns after the join
    | extend
        timestamp = WD_TimeGenerated,
        Name = tostring(split(ActorUsername, '@', 0)),
        UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix     
name: TI map IP entity to Workday(ASimAuditEventLogs)
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_Workday_Updated.yaml
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelIndicators
- connectorId: Workday
  dataTypes:
  - Workday
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
description: |
    Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
kind: Scheduled
version: 1.0.3
queryFrequency: 1h
severity: Medium
relevantTechniques:
- T1071
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
id: 92e8e945-6e99-4e4b-bef8-468b4c19fc3a