Lumen TI IPAddress in CommonSecurityLog

let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
 | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
 | where IsActive == true and ValidUntil > now()
 | where SourceSystem == 'Lumen'
 | where ObservableKey == "ipv4-addr:value"
 | extend TI_ipEntity = ObservableValue
 | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
// Perform a join between IP indicators and CommonSecurityLog events
IP_Indicators
 | join kind=innerunique (
     CommonSecurityLog
     | where TimeGenerated >= ago(dt_lookBack)
     | extend MessageIP = extract(IPRegex, 0, Message)
     | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
     | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
     | extend CommonSecurityLog_TimeGenerated = TimeGenerated
 )
 on $left.TI_ipEntity == $right.CS_ipEntity
 | where CommonSecurityLog_TimeGenerated < ValidUntil
 | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity
 | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, Tags, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type

kind: Scheduled
suppressionDuration: 5h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: CS_ipEntity
    identifier: Address
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
severity: Medium
queryFrequency: 4h
triggerThreshold: 0
relevantTechniques:
- T1071
suppressionEnabled: true
displayName: Lumen TI IPAddress in CommonSecurityLog
tactics:
- CommandAndControl
name: Lumen TI IPAddress in CommonSecurityLog
id: bc8a262a-5db3-4ac1-8757-519ed36ed929
query: |
  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
   | where TimeGenerated >= ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
   | where IsActive == true and ValidUntil > now()
   | where SourceSystem == 'Lumen'
   | where ObservableKey == "ipv4-addr:value"
   | extend TI_ipEntity = ObservableValue
   | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
  // Perform a join between IP indicators and CommonSecurityLog events
  IP_Indicators
   | join kind=innerunique (
       CommonSecurityLog
       | where TimeGenerated >= ago(dt_lookBack)
       | extend MessageIP = extract(IPRegex, 0, Message)
       | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
       | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
       | extend CommonSecurityLog_TimeGenerated = TimeGenerated
   )
   on $left.TI_ipEntity == $right.CS_ipEntity
   | where CommonSecurityLog_TimeGenerated < ValidUntil
   | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity
   | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, Tags, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type  
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - CommonSecurityLog
  connectorId: CEF
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_CommonSecurityLog.yaml
queryPeriod: 14d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc8a262a-5db3-4ac1-8757-519ed36ed929')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc8a262a-5db3-4ac1-8757-519ed36ed929')]",
      "properties": {
        "alertRuleTemplateName": "bc8a262a-5db3-4ac1-8757-519ed36ed929",
        "customDetails": null,
        "description": "This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.\n",
        "displayName": "Lumen TI IPAddress in CommonSecurityLog",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "CS_ipEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_CommonSecurityLog.yaml",
        "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelIndicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n | where IsActive == true and ValidUntil > now()\n | where SourceSystem == 'Lumen'\n | where ObservableKey == \"ipv4-addr:value\"\n | extend TI_ipEntity = ObservableValue\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n | join kind=innerunique (\n     CommonSecurityLog\n     | where TimeGenerated >= ago(dt_lookBack)\n     | extend MessageIP = extract(IPRegex, 0, Message)\n     | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n     | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n     | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n | where CommonSecurityLog_TimeGenerated < ValidUntil\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, Tags, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}