Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

RecordedFuture Threat Hunting IP All Actors

Back
Ide31bc14e-2b4c-42a4-af34-5bfd7d768aea
RulenameRecordedFuture Threat Hunting IP All Actors
DescriptionRecorded Future Threat Hunting IP correlation for all actors.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1568
Required data connectorsThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency15m
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml
Version1.1.0
Arm templatee31bc14e-2b4c-42a4-af34-5bfd7d768aea.json
Deploy To Azure
let ioc_lookBack = 1d;
// The source table (_Im_NetworkSession) is a ASIM parser table, but can be replaced by any infrastructure table containing ip data.
// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns
_Im_NetworkSession
| where isnotempty(DstIpAddr)
| join kind=inner (
ThreatIntelIndicators
// Only look for IOCs
| where ObservableKey == 'ipv4-addr:value'
| where isnotempty(ObservableValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Data.description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now()
) on $left.DstIpAddr == $right.ObservableValue
// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.DstIpAddr
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
| project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink
description: |
    'Recorded Future Threat Hunting IP correlation for all actors.'
query: |
  let ioc_lookBack = 1d;
  // The source table (_Im_NetworkSession) is a ASIM parser table, but can be replaced by any infrastructure table containing ip data.
  // The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns
  _Im_NetworkSession
  | where isnotempty(DstIpAddr)
  | join kind=inner (
  ThreatIntelIndicators
  // Only look for IOCs
  | where ObservableKey == 'ipv4-addr:value'
  | where isnotempty(ObservableValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Data.description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
  ) on $left.DstIpAddr == $right.ObservableValue
  // select column from the source table to match with Recorded Future ThreatIntelIndicators $left.DstIpAddr
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
  | project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink  
queryPeriod: 1d
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml
id: e31bc14e-2b4c-42a4-af34-5bfd7d768aea
version: 1.1.0
requiredDataConnectors:
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelIndicators
tactics:
- Exfiltration
- CommandAndControl
severity: Medium
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  ActorInformation: RecordedFuturePortalLink
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1h
    enabled: true
  createIncident: true
name: RecordedFuture Threat Hunting IP All Actors
queryFrequency: 15m
alertDetailsOverride:
  alertDescriptionFormat: '**{{Description}}**\n\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\n'
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
  alertDisplayNameFormat: '{{Description}}'
kind: Scheduled
relevantTechniques:
- T1041
- T1568
entityMappings:
- fieldMappings:
  - columnName: NetworkIP
    identifier: Address
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n",
          "alertDisplayNameFormat": "{{Description}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "RecordedFuturePortalLink"
            }
          ]
        },
        "alertRuleTemplateName": "e31bc14e-2b4c-42a4-af34-5bfd7d768aea",
        "customDetails": {
          "ActorInformation": "RecordedFuturePortalLink"
        },
        "description": "'Recorded Future Threat Hunting IP correlation for all actors.'\n",
        "displayName": "RecordedFuture Threat Hunting IP All Actors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingIPAllActors.yaml",
        "query": "let ioc_lookBack = 1d;\n// The source table (_Im_NetworkSession) is a ASIM parser table, but can be replaced by any infrastructure table containing ip data.\n// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns\n_Im_NetworkSession\n| where isnotempty(DstIpAddr)\n| join kind=inner (\nThreatIntelIndicators\n// Only look for IOCs\n| where ObservableKey == 'ipv4-addr:value'\n| where isnotempty(ObservableValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Data.description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n| where IsActive == true and ValidUntil > now()\n) on $left.DstIpAddr == $right.ObservableValue\n// select column from the source table to match with Recorded Future ThreatIntelIndicators $left.DstIpAddr\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']\n| project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1041",
          "T1568"
        ],
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}