Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TI map Domain entity to Web Session Events ASIM Web Session schema

TI map Domain entity to Web Session Events ASIM Web Session schema

Back
Idb1832f60-6c3d-4722-a0a5-3d564ee61a63
RulenameTI map Domain entity to Web Session Events (ASIM Web Session schema)
DescriptionThis rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
SquidProxy
ThreatIntelligence
ThreatIntelligenceTaxii
Zscaler
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml
Version1.0.6
Arm templateb1832f60-6c3d-4722-a0a5-3d564ee61a63.json
Deploy To Azure
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
//Create a list of TLDs in our threat feed for later validation
let DOMAIN_TI=ThreatIntelligenceIndicator
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now();
let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) 
  | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
DOMAIN_TI
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
    _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
    //Extract domain patterns from syslog message
    | extend domain = tostring(parse_url(Url)["Host"])
    | where isnotempty(domain)
    | extend tld = tostring(split(domain, '.')[-1])
    | extend Event_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.domain
| where Event_TimeGenerated < ExpirationDateTime
| summarize Event_TimeGenerated  = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url   

id: b1832f60-6c3d-4722-a0a5-3d564ee61a63
description: |
    'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'
requiredDataConnectors:
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
alertDetailsOverride:
  alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC
  alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
tactics:
- CommandAndControl
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
kind: Scheduled
query: |
  let HAS_ANY_MAX = 10000;
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  //Create a list of TLDs in our threat feed for later validation
  let DOMAIN_TI=ThreatIntelligenceIndicator
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(DomainName)
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now();
  let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) 
    | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
  DOMAIN_TI
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
      _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
      //Extract domain patterns from syslog message
      | extend domain = tostring(parse_url(Url)["Host"])
      | where isnotempty(domain)
      | extend tld = tostring(split(domain, '.')[-1])
      | extend Event_TimeGenerated = TimeGenerated
  ) on $left.DomainName==$right.domain
  | where Event_TimeGenerated < ExpirationDateTime
  | summarize Event_TimeGenerated  = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
  | project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url     
customDetails:
  IndicatorId: IndicatorId
  ActivityGroupNames: ActivityGroupNames
  IoCExpirationTime: ExpirationDateTime
  EventTime: Event_TimeGenerated
  IoCConfidenceScore: ConfidenceScore
  IoCDescription: Description
  ThreatType: ThreatType
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml
version: 1.0.6
relevantTechniques:
- T1071
severity: Medium
name: TI map Domain entity to Web Session Events (ASIM Web Session schema)
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
triggerThreshold: 0