Microsoft Sentinel Analytic Rules

TI map IP entity to WorkdayASimAuditEventLogs

Ida924d317-03d2-4420-a71f-4d347bda4bd8
RulenameTI map IP entity to Workday(ASimAuditEventLogs)
DescriptionDetects Workday audit events (ASimAuditEventLogs, EventVendor "Workday") whose source IP (DvcIpAddr) exactly matches an active, unexpired IP Indicator of Compromise (IOC) from the Threat Intelligence (TI) indicator table. Every match raises an alert (threshold 0, operator gt).
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
ThreatIntelligence
ThreatIntelligenceTaxii
Workday
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
Version1.0.0
Arm templatea924d317-03d2-4420-a71f-4d347bda4bd8.json
// Purpose: correlate Workday audit events (ASimAuditEventLogs, EventVendor == "Workday") with
// active, unexpired IP indicators from ThreatIntelligenceIndicator by exact equality between the
// indicator's IP and the event's DvcIpAddr. Output columns feed the rule's entity mappings
// (ActorUsername/Name/UPNSuffix -> Account, DvcIpAddr -> IP); keep their names stable.
//
// NOTE(review): dtLookBack (1h) equals the rule's queryFrequency (1h). Any Workday event that is
// ingested late (TimeGenerated lands after the run covering that hour) falls between two runs and is
// never compared against TI. Sentinel guidance is to make the lookback somewhat longer than the
// frequency and accept the resulting duplicate alerts, or to dedupe on (IndicatorId, DvcIpAddr, WD_TimeGenerated).
let dtLookBack = 1h; // Lookback for Workday audit events; see NOTE above about the gap versus queryFrequency
let ioc_lookBack = 14d; // Lookback for TI indicators; matches the rule's queryPeriod (14d), so older indicators are not considered
ThreatIntelligenceIndicator 
| where TimeGenerated >= ago(ioc_lookBack) // Only indicator rows written to the table within the lookback window
// Keep only indicators that carry at least one IP-typed field; domain/URL/file-hash indicators are excluded here.
| where isnotempty(NetworkIP)
      or isnotempty(EmailSourceIpAddress)
      or isnotempty(NetworkDestinationIP)
      or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
// Collapse repeated versions of the same indicator to its newest row. The Active/expiry filter below is
// applied AFTER this step on purpose: an indicator whose newest version is revoked or expired is dropped,
// rather than matching on a stale, still-active older version.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
  // coalesce() picks the FIRST non-empty field in this order; if an indicator populates more than one IP
  // field, only that first value is ever compared against DvcIpAddr.
  | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity
  | where Active == true and ExpirationDateTime > now() // Drop revoked indicators and those past their ExpirationDateTime at query time
  // Inner join: one output row per (indicator, Workday event) pair that shares an IP string.
  | join kind=inner (
      ASimAuditEventLogs
      | where EventVendor == "Workday" // Restrict the normalized audit table to Workday-sourced events
      | where TimeGenerated >= ago(dtLookBack) // Window is on ingestion-side TimeGenerated, not on EventStartTime
      | where isnotempty(DvcIpAddr) // Events without a source IP can never match and are dropped early
      | extend WD_TimeGenerated = EventStartTime // Reported alert time is the Workday event start, not the ingestion time used for the window above
      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Keep only the columns needed for the join, output and entity mappings
      )
      // Match is plain string equality. Indicators expressed as CIDR ranges, or IPv6 values written in a
      // different textual form than Workday emits, will NOT match here (no ipv4_is_in_range / parse_ipv6 normalization).
      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
  | project
      LatestIndicatorTime,
      Description,
      ActivityGroupNames,
      IndicatorId,
      ThreatType,
      Url,
      ExpirationDateTime,
      ConfidenceScore,
      WD_TimeGenerated,
      ActorUsername,
      DvcIpAddr,
      Operation,
      Object // TI context (Description, ActivityGroupNames, ThreatType, ConfidenceScore, ...) plus the matched Workday event fields
  // Derive the Account entity parts. Assumes ActorUsername is UPN-shaped (user@domain); when no '@' is
  // present, Name is the whole value and UPNSuffix is empty. No ConfidenceScore threshold is applied,
  // so low-confidence indicators alert at the same Medium severity as high-confidence ones.
  | extend
      timestamp = WD_TimeGenerated,
      Name = tostring(split(ActorUsername, '@', 0)),
      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix
relevantTechniques:
- T1071
name: TI map IP entity to Workday(ASimAuditEventLogs)
queryPeriod: 14d
triggerThreshold: 0
id: a924d317-03d2-4420-a71f-4d347bda4bd8
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - Workday
  connectorId: Workday
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
description: |
    Detects Workday audit events (ASimAuditEventLogs, EventVendor "Workday") whose source IP (DvcIpAddr) exactly matches an active, unexpired IP Indicator of Compromise (IOC) from the Threat Intelligence (TI) indicator table.
version: 1.0.0
severity: Medium
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
tactics:
- CommandAndControl
query: |
  let dtLookBack = 1h; // Define the lookback period for audit events
  let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
  ThreatIntelligenceIndicator 
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  | where isnotempty(NetworkIP)
        or isnotempty(EmailSourceIpAddress)
        or isnotempty(NetworkDestinationIP)
        or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity
    | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired
    | join kind=inner (
        ASimAuditEventLogs
        | where EventVendor == "Workday" // Filter for Workday events
        | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
        | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
        | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
        | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
        )
        on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
    | project
        LatestIndicatorTime,
        Description,
        ActivityGroupNames,
        IndicatorId,
        ThreatType,
        Url,
        ExpirationDateTime,
        ConfidenceScore,
        WD_TimeGenerated,
        ActorUsername,
        DvcIpAddr,
        Operation,
        Object // Select relevant columns after the join
    | extend
        timestamp = WD_TimeGenerated,
        Name = tostring(split(ActorUsername, '@', 0)),
        UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix      
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a924d317-03d2-4420-a71f-4d347bda4bd8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a924d317-03d2-4420-a71f-4d347bda4bd8')]",
      "properties": {
        "alertRuleTemplateName": "a924d317-03d2-4420-a71f-4d347bda4bd8",
        "customDetails": null,
        "description": "Detects Workday audit events (ASimAuditEventLogs, EventVendor Workday) whose source IP (DvcIpAddr) exactly matches an active, unexpired IP Indicator of Compromise (IOC) from the Threat Intelligence (TI) indicator table.\n",
        "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml",
        "query": "let dtLookBack = 1h; // Define the lookback period for audit events\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators\nThreatIntelligenceIndicator \n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(NetworkIP)\n      or isnotempty(EmailSourceIpAddress)\n      or isnotempty(NetworkDestinationIP)\n      or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId\n  | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity\n  | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired\n  | join kind=inner (\n      ASimAuditEventLogs\n      | where EventVendor == \"Workday\" // Filter for Workday events\n      | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period\n      | where isnotempty(DvcIpAddr) // Filter for events with a device IP address\n      | extend WD_TimeGenerated = EventStartTime // Rename the event start time column\n      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns\n      )\n      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity\n  | project\n      LatestIndicatorTime,\n      Description,\n      ActivityGroupNames,\n      IndicatorId,\n      ThreatType,\n      Url,\n      ExpirationDateTime,\n      ConfidenceScore,\n      WD_TimeGenerated,\n      ActorUsername,\n      DvcIpAddr,\n      Operation,\n      Object // Select relevant columns after the join\n  | extend\n      timestamp = WD_TimeGenerated,\n      Name = tostring(split(ActorUsername, '@', 0)),\n      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields 
for timestamp, name, and UPN suffix    \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}