TI map Domain entity to Syslog

let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
// Create a list of top-level domains (TLDs) from the threat feed for later validation
let list_tlds = ThreatIntelIndicators
 | where TimeGenerated > ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
 | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
 | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
 | where IndicatorType == "domain-name"
 | extend DomainName = tolower(ObservableValue)
 | extend parts = split(DomainName, '.')
 | extend tld = parts[(array_length(parts)-1)]
 | summarize count() by tostring(tld)
 | summarize make_list(tld);
// Fetch the latest active domain indicators from the threat intelligence data within the specified time range
let Domain_Indicators = ThreatIntelIndicators
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "domain-name"
| extend DomainName = tolower(ObservableValue)
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
 | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
 | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
 | extend IndicatorId = tostring(split(Id, "--")[2])
 | extend Url = iff(ObservableKey == "url:value", ObservableValue, "");
// Join the threat intelligence indicators with syslog data on matching domain entities
Domain_Indicators
| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
 | join kind=innerunique (
   Syslog
   | where TimeGenerated > ago(dt_lookBack)
   // Extract domain patterns from syslog messages
   | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
   | where isnotempty(domain)
   | extend parts = split(domain, '.')
   // Split out the top-level domain (TLD)
   | extend tld = parts[(array_length(parts)-1)]
   // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
   | where tld in~ (list_tlds)
   | extend Syslog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.domain
 | where Syslog_TimeGenerated < ValidUntil
 // Retrieve the latest syslog timestamp for each indicator and domain combination
 | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
 // Select the desired columns for the final result set
 | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
 | extend Description = tostring(parse_json(Data).description)
 | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, SyslogMessage, Computer, ProcessName, domain, HostIP, Type, DomainName, Url
 // Extract the hostname from the Computer field
 | extend HostName = tostring(split(Computer, '.', 0)[0])
 // Extract the DNS domain from the Computer field
 | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
 // Assign the Syslog_TimeGenerated value to the timestamp field
 | extend timestamp = Syslog_TimeGenerated

description: |
    Identifies a match in Syslog table from any Domain IOC from TI
kind: Scheduled
tactics:
- CommandAndControl
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelIndicators
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
severity: Medium
name: TI map Domain entity to Syslog
triggerThreshold: 0
queryPeriod: 14d
query: |
  let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
  let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
  // Create a list of top-level domains (TLDs) from the threat feed for later validation
  let list_tlds = ThreatIntelIndicators
   | where TimeGenerated > ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
   | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
   | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
   | where IndicatorType == "domain-name"
   | extend DomainName = tolower(ObservableValue)
   | extend parts = split(DomainName, '.')
   | extend tld = parts[(array_length(parts)-1)]
   | summarize count() by tostring(tld)
   | summarize make_list(tld);
  // Fetch the latest active domain indicators from the threat intelligence data within the specified time range
  let Domain_Indicators = ThreatIntelIndicators
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType == "domain-name"
  | extend DomainName = tolower(ObservableValue)
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
   | where TimeGenerated >= ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
   | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
   | extend IndicatorId = tostring(split(Id, "--")[2])
   | extend Url = iff(ObservableKey == "url:value", ObservableValue, "");
  // Join the threat intelligence indicators with syslog data on matching domain entities
  Domain_Indicators
  | project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
   | join kind=innerunique (
     Syslog
     | where TimeGenerated > ago(dt_lookBack)
     // Extract domain patterns from syslog messages
     | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
     | where isnotempty(domain)
     | extend parts = split(domain, '.')
     // Split out the top-level domain (TLD)
     | extend tld = parts[(array_length(parts)-1)]
     // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
     | where tld in~ (list_tlds)
     | extend Syslog_TimeGenerated = TimeGenerated
   ) on $left.DomainName==$right.domain
   | where Syslog_TimeGenerated < ValidUntil
   // Retrieve the latest syslog timestamp for each indicator and domain combination
   | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
   // Select the desired columns for the final result set
   | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
   | extend Description = tostring(parse_json(Data).description)
   | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, SyslogMessage, Computer, ProcessName, domain, HostIP, Type, DomainName, Url
   // Extract the hostname from the Computer field
   | extend HostName = tostring(split(Computer, '.', 0)[0])
   // Extract the DNS domain from the Computer field
   | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
   // Assign the Syslog_TimeGenerated value to the timestamp field
   | extend timestamp = Syslog_TimeGenerated  
relevantTechniques:
- T1071
id: cd19434e-10f2-4e2f-b3c1-ce6f08ac5357
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
triggerOperator: gt
version: 1.4.6