Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI IPAddress in CommonSecurityLog

Lumen TI IPAddress in CommonSecurityLog

Back
Idbc8a262a-5db3-4ac1-8757-519ed36ed929
RulenameLumen TI IPAddress in CommonSecurityLog
DescriptionThis query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCEF
CefAma
LumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_CommonSecurityLog.yaml
Version1.0.0
Arm templatebc8a262a-5db3-4ac1-8757-519ed36ed929.json
Deploy To Azure
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
 | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
 | where IsActive == true and ValidUntil > now()
 | where SourceSystem == 'Lumen'
 | where ObservableKey == "ipv4-addr:value"
 | extend TI_ipEntity = ObservableValue
 | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
// Perform a join between IP indicators and CommonSecurityLog events
IP_Indicators
 | join kind=innerunique (
     CommonSecurityLog
     | where TimeGenerated >= ago(dt_lookBack)
     | extend MessageIP = extract(IPRegex, 0, Message)
     | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
     | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
     | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 )
 on $left.TI_ipEntity == $right.CS_ipEntity
 | where CommonSecurityLog_TimeGenerated < ValidUntil
 | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity
 | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, Tags, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type

suppressionEnabled: true
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
displayName: Lumen TI IPAddress in CommonSecurityLog
tactics:
- CommandAndControl
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_CommonSecurityLog.yaml
severity: Medium
name: Lumen TI IPAddress in CommonSecurityLog
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 14d
query: |
  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
   | where TimeGenerated >= ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
   | where IsActive == true and ValidUntil > now()
   | where SourceSystem == 'Lumen'
   | where ObservableKey == "ipv4-addr:value"
   | extend TI_ipEntity = ObservableValue
   | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
  // Perform a join between IP indicators and CommonSecurityLog events
  IP_Indicators
   | join kind=innerunique (
       CommonSecurityLog
       | where TimeGenerated >= ago(dt_lookBack)
       | extend MessageIP = extract(IPRegex, 0, Message)
       | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
       | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
       | extend CommonSecurityLog_TimeGenerated = TimeGenerated
   )
   on $left.TI_ipEntity == $right.CS_ipEntity
   | where CommonSecurityLog_TimeGenerated < ValidUntil
   | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity
   | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, Tags, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type  
relevantTechniques:
- T1071
id: bc8a262a-5db3-4ac1-8757-519ed36ed929
queryFrequency: 4h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: CS_ipEntity
    identifier: Address
triggerOperator: gt
version: 1.0.0
kind: Scheduled