TI map Domain entity to EmailUrlInfo
| Id | b56e2290-c65b-45a5-9636-3651e85bbe5d |
| Rulename | TI map Domain entity to EmailUrlInfo |
| Description | Identifies a match in EmailUrlInfo table from any Domain IOC from TI. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1566 |
| Required data connectors | MicrosoftDefenderThreatIntelligence Office365 ThreatIntelligence ThreatIntelligenceTaxii |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml |
| Version | 1.0.3 |
| Arm template | b56e2290-c65b-45a5-9636-3651e85bbe5d.json |
let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
let TI_Urls = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where isnotempty(IndicatorType) and IndicatorType == "url"
| extend Url = ObservableValue
| where isnotempty(Url) // Filter for non-empty URLs
| extend Url = tolower(Url) // Convert URLs to lowercase
| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
| where IsActive == true and ValidUntil > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ValidUntil // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by Id, Url // Get the latest email info for each indicator
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract("ActivityGroup:([^,]+)", 1, tostring(parse_json(Data).labels))
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, Url, UrlLocation, NetworkMessageId; // Select relevant columns
let TI_Domains = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(DomainName) // Filter for non-empty domain names
| extend DomainName = tolower(DomainName) // Convert domain names to lowercase
| extend IndicatorId = tostring(split(IndicatorId, "--")[2]);
TI_Domains
| project-reorder *, Active, Tags, TrafficLightProtocolLevel, DomainName, Url, Type
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns
union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
| where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address
triggerThreshold: 0
severity: Medium
tactics:
- InitialAccess
relevantTechniques:
- T1566
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
version: 1.0.3
requiredDataConnectors:
- dataTypes:
- EmailUrlInfo
connectorId: Office365
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligenceTaxii
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: MicrosoftDefenderThreatIntelligence
description: |
'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
id: b56e2290-c65b-45a5-9636-3651e85bbe5d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml
query: |
let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
let TI_Urls = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where isnotempty(IndicatorType) and IndicatorType == "url"
| extend Url = ObservableValue
| where isnotempty(Url) // Filter for non-empty URLs
| extend Url = tolower(Url) // Convert URLs to lowercase
| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
| where IsActive == true and ValidUntil > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ValidUntil // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by Id, Url // Get the latest email info for each indicator
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract("ActivityGroup:([^,]+)", 1, tostring(parse_json(Data).labels))
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, Url, UrlLocation, NetworkMessageId; // Select relevant columns
let TI_Domains = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(DomainName) // Filter for non-empty domain names
| extend DomainName = tolower(DomainName) // Convert domain names to lowercase
| extend IndicatorId = tostring(split(IndicatorId, "--")[2]);
TI_Domains
| project-reorder *, Active, Tags, TrafficLightProtocolLevel, DomainName, Url, Type
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns
union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
| where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address
entityMappings:
- fieldMappings:
- columnName: RecipientEmailAddress
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
queryPeriod: 14d
name: TI map Domain entity to EmailUrlInfo
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b56e2290-c65b-45a5-9636-3651e85bbe5d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b56e2290-c65b-45a5-9636-3651e85bbe5d')]",
"properties": {
"alertRuleTemplateName": "b56e2290-c65b-45a5-9636-3651e85bbe5d",
"customDetails": null,
"description": "'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'\n",
"displayName": "TI map Domain entity to EmailUrlInfo",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "RecipientEmailAddress",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_EmailUrlInfo_Updated.yaml",
"query": "let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days\nlet EmailUrlInfo_ = EmailUrlInfo\n| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains\n| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period\n| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase\n| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated\nlet EmailEvents_ = EmailEvents\n| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period\nlet TI_Urls = ThreatIntelIndicators\n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n| where isnotempty(IndicatorType) and IndicatorType == \"url\"\n| extend Url = ObservableValue\n| where isnotempty(Url) // Filter for non-empty URLs\n| extend Url = tolower(Url) // Convert URLs to lowercase\n| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL\n| where IsActive == true and ValidUntil > now() // Filter for active indicators that haven't expired\n| where EmailUrlInfo_TimeGenerated < ValidUntil // Ensure email info was generated before the indicator expired\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by Id, Url // Get the latest email info for each indicator\n| extend Description = tostring(parse_json(Data).description)\n| extend ActivityGroupNames = extract(\"ActivityGroup:([^,]+)\", 1, tostring(parse_json(Data).labels))\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, Url, UrlLocation, NetworkMessageId; // Select relevant columns\nlet TI_Domains = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(DomainName) // Filter for non-empty domain names\n| extend DomainName = tolower(DomainName) // Convert domain names to lowercase\n| extend IndicatorId = tostring(split(IndicatorId, \"--\")[2]);\nTI_Domains\n| project-reorder *, Active, Tags, TrafficLightProtocolLevel, DomainName, Url, Type\n| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name\n| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired\n| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns\nunion TI_Urls, TI_Domains // Combine URL and domain threat intelligence data\n| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column\n| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID\n| where DeliveryAction !has \"Blocked\" // Filter out blocked delivery actions\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}