Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI map Domain entity to Syslog

Back
Idcd19434e-10f2-4e2f-b3c1-ce6f08ac5357
RulenameTI map Domain entity to Syslog
DescriptionIdentifies a match in Syslog table from any Domain IOC from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
Syslog
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
Version1.4.5
Arm templatecd19434e-10f2-4e2f-b3c1-ce6f08ac5357.json
Deploy To Azure
let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
// Create a list of top-level domains (TLDs) from the threat feed for later validation
let list_tlds = ThreatIntelIndicators
 | where TimeGenerated > ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
 | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
 | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
 | where IndicatorType == "domain-name"
 | extend DomainName = tolower(ObservableValue)
 | extend parts = split(DomainName, '.')
 | extend tld = parts[(array_length(parts)-1)]
 | summarize count() by tostring(tld)
 | summarize make_list(tld);
// Fetch the latest active domain indicators from the threat intelligence data within the specified time range
let Domain_Indicators = ThreatIntelIndicators
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "domain-name"
| extend DomainName = tolower(ObservableValue)
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
 | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
 | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
 | extend IndicatorId = tostring(split(Id, "--")[2])
 | extend Url = iff(ObservableKey == "url:value", ObservableValue, "");
// Join the threat intelligence indicators with syslog data on matching domain entities
Domain_Indicators
| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
 | join kind=innerunique (
   Syslog
   | where TimeGenerated > ago(dt_lookBack)
   // Extract domain patterns from syslog messages
   | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
   | where isnotempty(domain)
   | extend parts = split(domain, '.')
   // Split out the top-level domain (TLD)
   | extend tld = parts[(array_length(parts)-1)]
   // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
   | where tld in~ (list_tlds)
   | extend Syslog_TimeGenerated = TimeGenerated
 ) on $left.DomainName==$right.domain
 | where Syslog_TimeGenerated < ValidUntil
 // Retrieve the latest syslog timestamp for each indicator and domain combination
 | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
 // Select the desired columns for the final result set
 | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
 | extend Description = tostring(parse_json(Data).description)
 | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, SyslogMessage, Computer, ProcessName, domain, HostIP, Type, DomainName, Url
 // Extract the hostname from the Computer field
 | extend HostName = tostring(split(Computer, '.', 0)[0])
 // Extract the DNS domain from the Computer field
 | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
 // Assign the Syslog_TimeGenerated value to the timestamp field
 | extend timestamp = Syslog_TimeGenerated
id: cd19434e-10f2-4e2f-b3c1-ce6f08ac5357
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
triggerThreshold: 0
queryPeriod: 14d
query: |
  let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
  let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
  // Create a list of top-level domains (TLDs) from the threat feed for later validation
  let list_tlds = ThreatIntelIndicators
   | where TimeGenerated > ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
   | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
   | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
   | where IndicatorType == "domain-name"
   | extend DomainName = tolower(ObservableValue)
   | extend parts = split(DomainName, '.')
   | extend tld = parts[(array_length(parts)-1)]
   | summarize count() by tostring(tld)
   | summarize make_list(tld);
  // Fetch the latest active domain indicators from the threat intelligence data within the specified time range
  let Domain_Indicators = ThreatIntelIndicators
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | where IndicatorType == "domain-name"
  | extend DomainName = tolower(ObservableValue)
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
   | where TimeGenerated >= ago(ioc_lookBack)
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
   | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
   | extend IndicatorId = tostring(split(Id, "--")[2])
   | extend Url = iff(ObservableKey == "url:value", ObservableValue, "");
  // Join the threat intelligence indicators with syslog data on matching domain entities
  Domain_Indicators
  | project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
   | join kind=innerunique (
     Syslog
     | where TimeGenerated > ago(dt_lookBack)
     // Extract domain patterns from syslog messages
     | extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
     | where isnotempty(domain)
     | extend parts = split(domain, '.')
     // Split out the top-level domain (TLD)
     | extend tld = parts[(array_length(parts)-1)]
     // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
     | where tld in~ (list_tlds)
     | extend Syslog_TimeGenerated = TimeGenerated
   ) on $left.DomainName==$right.domain
   | where Syslog_TimeGenerated < ValidUntil
   // Retrieve the latest syslog timestamp for each indicator and domain combination
   | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain
   // Select the desired columns for the final result set
   | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
   | extend Description = tostring(parse_json(Data).description)
   | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, SyslogMessage, Computer, ProcessName, domain, HostIP, Type, DomainName, Url
   // Extract the hostname from the Computer field
   | extend HostName = tostring(split(Computer, '.', 0)[0])
   // Extract the DNS domain from the Computer field
   | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
   // Assign the Syslog_TimeGenerated value to the timestamp field
   | extend timestamp = Syslog_TimeGenerated  
name: TI map Domain entity to Syslog
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
description: |
    Identifies a match in Syslog table from any Domain IOC from TI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml
tactics:
- CommandAndControl
triggerOperator: gt
relevantTechniques:
- T1071
version: 1.4.5
kind: Scheduled
severity: Medium
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd19434e-10f2-4e2f-b3c1-ce6f08ac5357')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd19434e-10f2-4e2f-b3c1-ce6f08ac5357')]",
      "properties": {
        "alertRuleTemplateName": "cd19434e-10f2-4e2f-b3c1-ce6f08ac5357",
        "customDetails": null,
        "description": "Identifies a match in Syslog table from any Domain IOC from TI\n",
        "displayName": "TI map Domain entity to Syslog",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/DomainEntity_Syslog.yaml",
        "query": "let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelIndicators\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n | where IsActive and (ValidUntil > now() or isempty(ValidUntil))\n | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n | where IndicatorType == \"domain-name\"\n | extend DomainName = tolower(ObservableValue)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelIndicators\n| extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n| where IndicatorType == \"domain-name\"\n| extend DomainName = tolower(ObservableValue)\n| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue\n | where IsActive and (ValidUntil > now() or isempty(ValidUntil))\n | extend IndicatorId = tostring(split(Id, \"--\")[2])\n | extend Url = iff(ObservableKey == \"url:value\", ObservableValue, \"\");\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type\n | join kind=innerunique (\n   Syslog\n   | where TimeGenerated > ago(dt_lookBack)\n   // Extract domain patterns from syslog messages\n   | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n   | where isnotempty(domain)\n   | extend parts = split(domain, '.')\n   // Split out the top-level domain (TLD)\n   | extend tld = parts[(array_length(parts)-1)]\n   // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n   | where tld in~ (list_tlds)\n   | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.domain\n | where Syslog_TimeGenerated < ValidUntil\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n | extend Description = tostring(parse_json(Data).description)\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, SyslogMessage, Computer, ProcessName, domain, HostIP, Type, DomainName, Url\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.4.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}