Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detection of Malicious URLs in Syslog Events

Back
Id9acb3664-72c4-4676-80fa-9f81912e347e
RulenameDetection of Malicious URLs in Syslog Events
DescriptionIdentifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.
SeverityMedium
TacticsLateralMovement
Execution
TechniquesT1072
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml
Version1.0.2
Arm template9acb3664-72c4-4676-80fa-9f81912e347e.json
Deploy To Azure
// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group
let dt_lookBack = 1h;
let ioc_lookBack = 1d;
ThreatIntelligenceIndicator
// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group
| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(Url)
| join (
  Syslog
  | where TimeGenerated >= ago(dt_lookBack)
  // Extract URL from the Syslog message but only take messages that include URLs
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
  | where isnotempty(Url)
  | extend Syslog_TimeGenerated = TimeGenerated
  ) 
on Url
| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP
| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
status: Available
relevantTechniques:
- T1072
queryFrequency: 1h
id: 9acb3664-72c4-4676-80fa-9f81912e347e
name: Detection of Malicious URLs in Syslog Events
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
description: |
    'Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.'
triggerThreshold: 0
tactics:
- LateralMovement
- Execution
query: |
  // Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group
  let dt_lookBack = 1h;
  let ioc_lookBack = 1d;
  ThreatIntelligenceIndicator
  // Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group
  | where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | where Active == true
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(Url)
  | join (
    Syslog
    | where TimeGenerated >= ago(dt_lookBack)
    // Extract URL from the Syslog message but only take messages that include URLs
    | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
    | where isnotempty(Url)
    | extend Syslog_TimeGenerated = TimeGenerated
    ) 
  on Url
  | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP
  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url  
kind: Scheduled
triggerOperator: gt
version: 1.0.2
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9acb3664-72c4-4676-80fa-9f81912e347e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9acb3664-72c4-4676-80fa-9f81912e347e')]",
      "properties": {
        "alertRuleTemplateName": "9acb3664-72c4-4676-80fa-9f81912e347e",
        "customDetails": null,
        "description": "'Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.'\n",
        "displayName": "Detection of Malicious URLs in Syslog Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml",
        "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n  Syslog\n  | where TimeGenerated >= ago(dt_lookBack)\n  // Extract URL from the Syslog message but only take messages that include URLs\n  | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n  | where isnotempty(Url)\n  | extend Syslog_TimeGenerated = TimeGenerated\n  ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "LateralMovement"
        ],
        "techniques": [
          "T1072"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}