Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map Domain entity to Cloud App Events

TI map Domain entity to Cloud App Events

Back
Ida7d2b1e4-dd9c-40fd-9651-1a136eb8f0df
RulenameTI map Domain entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s domain entity from TI.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
Version1.0.6
Arm templatea7d2b1e4-dd9c-40fd-9651-1a136eb8f0df.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d; 
let list_tlds =
  ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
    //extract key part of kv pair
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "domain-name"
    | extend DomainName = tolower(IndicatorType)
    | extend parts = split(DomainName, '.')
    | extend tld = parts[(array_length(parts) - 1)]
    | extend IndicatorId = tostring(split(Id, "--")[2])
    | summarize count() by tostring(tld)
    | summarize make_set(tld);
let Domain_Indicators =
  ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType == "domain-name"
    | extend DomainName = tolower(ObservableValue)
    | extend IndicatorId = tostring(split(Id, "--")[2])
    | project-reorder *, IndicatorType, DomainName, Type;
  Domain_Indicators
    | join kind=innerunique (
  CloudAppEvents
    | extend IngestionTime = ingestion_time()
    | where IngestionTime > ago(dt_lookBack)
    | extend PAUrl = columnifexists("RequestURL", "None")
    | extend Domain = tolower(trim('"', tostring(parseurl(PAUrl).Host)))
    | extend parts = split(Domain, '.')
    | extend tld = parts[(array_length(parts) - 1)]
    | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.DomainName == $right.Domain
    | where CloudAppEvents_TimeGenerated < ValidUntil
    | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId
    | extend 
          Description = tostring(parse_json(max_CloudAppEvents_TimeGenerated_Data).description),
          ActivityGroupNames = column_ifexists("max_CloudAppEvents_TimeGenerated_ActivityGroupNames", ""),
          ThreatType = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatType", ""),
          ExpirationDateTime = column_ifexists("max_CloudAppEvents_TimeGenerated_ExpirationDateTime", ""),
          ConfidenceScore = column_ifexists("max_CloudAppEvents_TimeGenerated_ConfidenceScore", ""),
          DomainName = column_ifexists("max_CloudAppEvents_TimeGenerated_DomainName", ""),
          ProviderName = column_ifexists("max_CloudAppEvents_TimeGenerated_IndicatorProvider", ""),
          AlertSeverity = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatSeverity", ""),
          IPAddress = column_ifexists("max_CloudAppEvents_TimeGenerated_IPAddress", "")
    | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, ProviderName, AlertSeverity, IPAddress

requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_CloudAppEvents_Updated.yaml
triggerThreshold: 0
description: |
    'Identifies compromises and attacks and detect malicious activities in one's domain entity from TI.'
relevantTechniques:
- T1071
queryPeriod: 14d
name: TI map Domain entity to Cloud App Events
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: DomainName
    identifier: DomainName
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
tactics:
- CommandAndControl
severity: Medium
version: 1.0.6
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d; 
  let list_tlds =
    ThreatIntelIndicators
      | where TimeGenerated >= ago(ioc_lookBack)
      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
      | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
      //extract key part of kv pair
      | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
      | where IndicatorType == "domain-name"
      | extend DomainName = tolower(IndicatorType)
      | extend parts = split(DomainName, '.')
      | extend tld = parts[(array_length(parts) - 1)]
      | extend IndicatorId = tostring(split(Id, "--")[2])
      | summarize count() by tostring(tld)
      | summarize make_set(tld);
  let Domain_Indicators =
    ThreatIntelIndicators
      | where TimeGenerated >= ago(ioc_lookBack)
      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
      | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
      | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
      | where IndicatorType == "domain-name"
      | extend DomainName = tolower(ObservableValue)
      | extend IndicatorId = tostring(split(Id, "--")[2])
      | project-reorder *, IndicatorType, DomainName, Type;
    Domain_Indicators
      | join kind=innerunique (
    CloudAppEvents
      | extend IngestionTime = ingestion_time()
      | where IngestionTime > ago(dt_lookBack)
      | extend PAUrl = columnifexists("RequestURL", "None")
      | extend Domain = tolower(trim('"', tostring(parseurl(PAUrl).Host)))
      | extend parts = split(Domain, '.')
      | extend tld = parts[(array_length(parts) - 1)]
      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.DomainName == $right.Domain
      | where CloudAppEvents_TimeGenerated < ValidUntil
      | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId
      | extend 
            Description = tostring(parse_json(max_CloudAppEvents_TimeGenerated_Data).description),
            ActivityGroupNames = column_ifexists("max_CloudAppEvents_TimeGenerated_ActivityGroupNames", ""),
            ThreatType = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatType", ""),
            ExpirationDateTime = column_ifexists("max_CloudAppEvents_TimeGenerated_ExpirationDateTime", ""),
            ConfidenceScore = column_ifexists("max_CloudAppEvents_TimeGenerated_ConfidenceScore", ""),
            DomainName = column_ifexists("max_CloudAppEvents_TimeGenerated_DomainName", ""),
            ProviderName = column_ifexists("max_CloudAppEvents_TimeGenerated_IndicatorProvider", ""),
            AlertSeverity = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatSeverity", ""),
            IPAddress = column_ifexists("max_CloudAppEvents_TimeGenerated_IPAddress", "")
      | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, ProviderName, AlertSeverity, IPAddress  
id: a7d2b1e4-dd9c-40fd-9651-1a136eb8f0df