Microsoft Sentinel Analytic Rules

TI map IP entity to WorkdayASimAuditEventLogs

Id: a924d317-03d2-4420-a71f-4d347bda4bd8
Rulename: TI map IP entity to Workday(ASimAuditEventLogs)
Description: Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
Severity: Medium
Tactics: CommandAndControl
Techniques: T1071
Required data connectors: MicrosoftDefenderThreatIntelligence
ThreatIntelligence
ThreatIntelligenceTaxii
Workday
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
Version: 1.0.0
Arm template: a924d317-03d2-4420-a71f-4d347bda4bd8.json
// TI -> Workday IP match: the newest active, unexpired IP indicators are joined against
// Workday audit events (ASimAuditEventLogs) on the event's device IP address, and every
// matching indicator/event pair is emitted as one result row.
let dtLookBack = 1h; // Audit-event lookback; equals the rule's 1h query frequency, so each run covers the events since the previous run
let ioc_lookBack = 14d; // Indicator lookback; equals the rule's 14d queryPeriod, which bounds how far back the query can read at all
ThreatIntelligenceIndicator 
| where TimeGenerated >= ago(ioc_lookBack) // Only indicator rows written within the lookback window
| where isnotempty(NetworkIP)
      or isnotempty(EmailSourceIpAddress)
      or isnotempty(NetworkDestinationIP)
      or isnotempty(NetworkSourceIP) // Only indicators carrying at least one IP observable (evaluated before arg_max, so it also decides which rows compete for "newest")
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Collapse indicator updates to the newest row per IndicatorId; '*' keeps every column of that row
  | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Match key = first populated IP field, in this argument order
  | where Active == true and ExpirationDateTime > now() // Evaluated after arg_max so the newest version of each indicator decides, not an older row that was still Active
  | join kind=inner (
      ASimAuditEventLogs
      | where EventVendor == "Workday" // Workday events only
      | where TimeGenerated >= ago(dtLookBack) // Events written within the lookback window
      | where isnotempty(DvcIpAddr) // Events without a device IP can never match an IP indicator
      | extend WD_TimeGenerated = EventStartTime // Event start time, carried under a Workday-specific name so it survives the join
      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Keep only the event columns surfaced in the alert
      )
      on $left.TI_ipEntity == $right.DvcIpAddr // Exact string equality: an indicator stored in CIDR or otherwise normalized form would not match — confirm against the TI feed's format
  | project
      LatestIndicatorTime,
      Description,
      ActivityGroupNames,
      IndicatorId,
      ThreatType,
      Url,
      ExpirationDateTime,
      ConfidenceScore,
      WD_TimeGenerated,
      ActorUsername,
      DvcIpAddr,
      Operation,
      Object // Indicator context (left side) plus the matched Workday event (right side)
  | extend
      timestamp = WD_TimeGenerated, // Alert time is the event start time rather than TimeGenerated
      Name = tostring(split(ActorUsername, '@', 0)), // NOTE(review): assumes a UPN-style ActorUsername (user@domain); confirm the Workday parser emits that format
      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix    
# Scheduled analytic rule: correlates IP indicators from Threat Intelligence with Workday audit events (ASIM).
description: |
    Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
version: 1.0.0
# Account entity is built from ActorUsername plus Name/UPNSuffix, which the query derives by splitting
# ActorUsername on '@'; the IP entity is the matched Workday device address (DvcIpAddr), i.e. the indicator that hit.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
queryFrequency: 1h
# With triggerOperator gt and threshold 0, a single indicator/event match is enough to raise an alert.
triggerThreshold: 0
# Query body. Its ioc_lookBack (14d) equals queryPeriod and its dtLookBack (1h) equals queryFrequency;
# keep them in step when changing either, because queryPeriod bounds how far back the query can read.
# Any change here must also be reflected in the "query" property of the deployed ARM template.
query: |
  let dtLookBack = 1h; // Define the lookback period for audit events
  let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators
  ThreatIntelligenceIndicator 
  | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
  | where isnotempty(NetworkIP)
        or isnotempty(EmailSourceIpAddress)
        or isnotempty(NetworkDestinationIP)
        or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity
    | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired
    | join kind=inner (
        ASimAuditEventLogs
        | where EventVendor == "Workday" // Filter for Workday events
        | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period
        | where isnotempty(DvcIpAddr) // Filter for events with a device IP address
        | extend WD_TimeGenerated = EventStartTime // Rename the event start time column
        | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns
        )
        on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity
    | project
        LatestIndicatorTime,
        Description,
        ActivityGroupNames,
        IndicatorId,
        ThreatType,
        Url,
        ExpirationDateTime,
        ConfidenceScore,
        WD_TimeGenerated,
        ActorUsername,
        DvcIpAddr,
        Operation,
        Object // Select relevant columns after the join
    | extend
        timestamp = WD_TimeGenerated,
        Name = tostring(split(ActorUsername, '@', 0)),
        UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix      
severity: Medium
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml
queryPeriod: 14d
id: a924d317-03d2-4420-a71f-4d347bda4bd8
name: TI map IP entity to Workday(ASimAuditEventLogs)
kind: Scheduled
# Any one of the three TI connectors populates ThreatIntelligenceIndicator. The Workday connector's data type is
# "Workday", while the query reads ASimAuditEventLogs filtered to EventVendor == "Workday" — so the ASIM audit
# parser must cover that data type in the target workspace; confirm before relying on this rule.
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: Workday
  dataTypes:
  - Workday
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
# ATT&CK mapping: Command and Control via T1071 (Application Layer Protocol).
tactics:
- CommandAndControl
relevantTechniques:
- T1071
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a924d317-03d2-4420-a71f-4d347bda4bd8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a924d317-03d2-4420-a71f-4d347bda4bd8')]",
      "properties": {
        "alertRuleTemplateName": "a924d317-03d2-4420-a71f-4d347bda4bd8",
        "customDetails": null,
        "description": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).\n",
        "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml",
        "query": "let dtLookBack = 1h; // Define the lookback period for audit events\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators\nThreatIntelligenceIndicator \n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(NetworkIP)\n      or isnotempty(EmailSourceIpAddress)\n      or isnotempty(NetworkDestinationIP)\n      or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId\n  | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity\n  | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired\n  | join kind=inner (\n      ASimAuditEventLogs\n      | where EventVendor == \"Workday\" // Filter for Workday events\n      | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period\n      | where isnotempty(DvcIpAddr) // Filter for events with a device IP address\n      | extend WD_TimeGenerated = EventStartTime // Rename the event start time column\n      | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns\n      )\n      on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity\n  | project\n      LatestIndicatorTime,\n      Description,\n      ActivityGroupNames,\n      IndicatorId,\n      ThreatType,\n      Url,\n      ExpirationDateTime,\n      ConfidenceScore,\n      WD_TimeGenerated,\n      ActorUsername,\n      DvcIpAddr,\n      Operation,\n      Object // Select relevant columns after the join\n  | extend\n      timestamp = WD_TimeGenerated,\n      Name = tostring(split(ActorUsername, '@', 0)),\n      UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix    \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}