RecordedFuture Threat Hunting IP All Actors

let ioc_lookBack = 1d;
// The source table (_Im_NetworkSession) is a ASIM parser table, but can be replaced by any infrastructure table containing ip data.
// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns
_Im_NetworkSession
| where isnotempty(DstIpAddr)
| join kind=inner (
ThreatIntelIndicators
// Only look for IOCs
| where ObservableKey == 'ipv4-addr:value'
| where isnotempty(ObservableValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Data.description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now()
) on $left.DstIpAddr == $right.ObservableValue
// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.DstIpAddr
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
| project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink

triggerThreshold: 0
queryFrequency: 15m
alertDetailsOverride:
  alertDescriptionFormat: '**{{Description}}**\n\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\n'
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
  alertDisplayNameFormat: '{{Description}}'
id: e31bc14e-2b4c-42a4-af34-5bfd7d768aea
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Recorded Future Threat Hunting IP correlation for all actors.'
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: NetworkIP
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 1h
kind: Scheduled
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml
query: |
  let ioc_lookBack = 1d;
  // The source table (_Im_NetworkSession) is a ASIM parser table, but can be replaced by any infrastructure table containing ip data.
  // The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns
  _Im_NetworkSession
  | where isnotempty(DstIpAddr)
  | join kind=inner (
  ThreatIntelIndicators
  // Only look for IOCs
  | where ObservableKey == 'ipv4-addr:value'
  | where isnotempty(ObservableValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Data.description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
  ) on $left.DstIpAddr == $right.ObservableValue
  // select column from the source table to match with Recorded Future ThreatIntelIndicators $left.DstIpAddr
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
  | project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink  
requiredDataConnectors:
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelIndicators
severity: Medium
name: RecordedFuture Threat Hunting IP All Actors
tactics:
- Exfiltration
- CommandAndControl
version: 1.1.0
triggerOperator: gt
customDetails:
  ActorInformation: RecordedFuturePortalLink
relevantTechniques:
- T1041
- T1568