TI map Domain entity to Web Session Events ASIM Web Session schema

Back


Id	afa4cb9e-6fec-4742-a17f-f494b54c01e7
Rulename	TI map Domain entity to Web Session Events (ASIM Web Session schema)
Description	This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	MicrosoftDefenderThreatIntelligence SquidProxy ThreatIntelligence ThreatIntelligenceTaxii Zscaler
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
Version	1.0.7
Arm template	afa4cb9e-6fec-4742-a17f-f494b54c01e7.json

KQL

let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
//Create a list of TLDs in our threat feed for later validation
let DOMAIN_TI=ThreatIntelIndicators
// Picking up only IOC's that contain the entities we want
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where isnotempty(IndicatorType) and IndicatorType == "domain-name"
| extend DomainName = tolower(ObservableValue)
| where isnotempty(DomainName)
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| extend IndicatorId = tostring(split(Id, "--")[2])
| extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now();
let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) 
  | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
DOMAIN_TI
| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
    _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
    //Extract domain patterns from syslog message
    | extend domain = tostring(parse_url(Url)["Host"])
    | where isnotempty(domain)
    | extend tld = tostring(split(domain, '.')[-1])
    | extend Event_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.domain
| where Event_TimeGenerated < ValidUntil
| summarize Event_TimeGenerated  = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, domain, SrcIpAddr, Url

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml
query: |
  let HAS_ANY_MAX = 10000;
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  //Create a list of TLDs in our threat feed for later validation
  let DOMAIN_TI=ThreatIntelIndicators
  // Picking up only IOC's that contain the entities we want
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where isnotempty(IndicatorType) and IndicatorType == "domain-name"
  | extend DomainName = tolower(ObservableValue)
  | where isnotempty(DomainName)
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  | extend IndicatorId = tostring(split(Id, "--")[2])
  | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now();
  let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) 
    | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
  DOMAIN_TI
  | project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
      _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
      //Extract domain patterns from syslog message
      | extend domain = tostring(parse_url(Url)["Host"])
      | where isnotempty(domain)
      | extend tld = tostring(split(domain, '.')[-1])
      | extend Event_TimeGenerated = TimeGenerated
  ) on $left.DomainName==$right.domain
  | where Event_TimeGenerated < ValidUntil
  | summarize Event_TimeGenerated  = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
  | extend Description = tostring(parse_json(Data).description)
  | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, domain, SrcIpAddr, Url       
description: |
    'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
name: TI map Domain entity to Web Session Events (ASIM Web Session schema)
triggerThreshold: 0
version: 1.0.7
customDetails:
  IndicatorId: IndicatorId
  ActivityGroupNames: ActivityGroupNames
  IoCConfidenceScore: ConfidenceScore
  EventTime: Event_TimeGenerated
  IoCDescription: Description
  IoCExpirationTime: ExpirationDateTime
  ThreatType: ThreatType
tactics:
- CommandAndControl
alertDetailsOverride:
  alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
  alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC
relevantTechniques:
- T1071
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
id: afa4cb9e-6fec-4742-a17f-f494b54c01e7
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afa4cb9e-6fec-4742-a17f-f494b54c01e7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afa4cb9e-6fec-4742-a17f-f494b54c01e7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
          "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC"
        },
        "alertRuleTemplateName": "afa4cb9e-6fec-4742-a17f-f494b54c01e7",
        "customDetails": {
          "ActivityGroupNames": "ActivityGroupNames",
          "EventTime": "Event_TimeGenerated",
          "IndicatorId": "IndicatorId",
          "IoCConfidenceScore": "ConfidenceScore",
          "IoCDescription": "Description",
          "IoCExpirationTime": "ExpirationDateTime",
          "ThreatType": "ThreatType"
        },
        "description": "'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'\n",
        "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_imWebSession.yaml",
        "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet DOMAIN_TI=ThreatIntelIndicators\n// Picking up only IOC's that contain the entities we want\n| extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n| where isnotempty(IndicatorType) and IndicatorType == \"domain-name\"\n| extend DomainName = tolower(ObservableValue)\n| where isnotempty(DomainName)\n| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n| extend IndicatorId = tostring(split(Id, \"--\")[2])\n| extend Url = iff(ObservableKey == \"url:value\", ObservableValue, \"\")\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n| where IsActive == true and ValidUntil > now();\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \n  | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\nDOMAIN_TI\n| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n    _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\n    //Extract domain patterns from syslog message\n    | extend domain = tostring(parse_url(Url)[\"Host\"])\n    | where isnotempty(domain)\n    | extend tld = tostring(split(domain, '.')[-1])\n    | extend Event_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Event_TimeGenerated < ValidUntil\n| summarize Event_TimeGenerated  = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\n| extend Description = tostring(parse_json(Data).description)\n| extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, domain, SrcIpAddr, Url     \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}