Microsoft Sentinel Analytic Rules

Preview - TI map URL entity to Cloud App Events

Id: e8ae92dd-1d41-4530-8be8-85c5014c7b47
Rule name: Preview - TI map URL entity to Cloud App Events
Description: Identifies compromises and attacks and detect malicious activities in one’s URL entity from TI
Severity: Medium
Tactics: CommandAndControl
Techniques: T1071
Required data connectors: MicrosoftDefenderThreatIntelligence, MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
Version: 1.0.3
Arm template: e8ae92dd-1d41-4530-8be8-85c5014c7b47.json
// Joins active URL threat-intelligence indicators with URLs found in recent
// CloudAppEvents and returns the newest matching event per indicator/URL pair.
// dt_lookBack is the event window and ioc_lookBack the indicator window; the
// values equal the rule's query frequency (1h) and query period (14d).
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// Keep only indicators that carry a URL observable.
| where isnotempty(Url)
// Reduce to the most recent record per indicator BEFORE testing Active/expiry,
// so an indicator whose latest record is inactive or expired is dropped.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
// innerunique keeps a single left-side (indicator) row per distinct Url value.
// NOTE(review): when several indicators share one URL, only one IndicatorId is reported.
| join kind=innerunique (CloudAppEvents
| where TimeGenerated >= ago(dt_lookBack)
// extract() returns only the first regex match in the serialized ActivityObjects,
// so an event that references several URLs is compared on the first one only.
// NOTE(review): inside the character class "$-_" is a range ('$' through '_'), not
// three literals; a character outside the listed classes (e.g. '~' or '#') ends the
// match, so such URLs are captured truncated. Confirm this is intended.
// NOTE(review): the join below compares Url as an exact string; differences in case
// or a trailing slash between indicator and event will not match. Consider
// normalizing both sides if coverage matters.
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
| extend userPrincipalName = tostring(RawEventData.UserId)
// NOTE(review): TargetResourceDisplayName is not referenced by the final project.
| extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
// Preserve the event timestamp under its own name so it survives the join.
| extend CloudApps_TimeGenerated = TimeGenerated) on Url
// Keep only events that occurred before the indicator's expiration time.
| where CloudApps_TimeGenerated < ExpirationDateTime
// argmax() is the legacy spelling of arg_max(); the extend that follows reads its
// output through max_CloudApps_TimeGenerated_-prefixed columns and restores the
// plain names. One row (the latest event) remains per IndicatorId/Url pair.
| summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
// NOTE(review): ActivityGroupNames is restored here but not included in the project.
| extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore, IPAddress = max_CloudApps_TimeGenerated_IPAddress, AccountObjectId = max_CloudApps_TimeGenerated_AccountObjectId, AccountDisplayName = max_CloudApps_TimeGenerated_AccountDisplayName, ObjectName = max_CloudApps_TimeGenerated_ObjectName, Application= max_CloudApps_TimeGenerated_Application, ApplicationID = max_CloudApps_TimeGenerated_ApplicationId, userPrincipalName = max_CloudApps_TimeGenerated_userPrincipalName
// Final column set; the rule's entity mappings (Account, URL, IP, CloudApplication)
// read AccountObjectId, userPrincipalName, AccountDisplayName, Url, IPAddress,
// Application and ApplicationID from here.
| project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID
# Scheduled analytic rule definition: matches URL threat-intelligence indicators
# against URLs seen in CloudAppEvents.

# How often the rule runs; equals dt_lookBack (1h) inside the query.
queryFrequency: 1h
# Connectors and tables the query depends on. The rule returns nothing if either
# table is not being populated in the workspace.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
# Maps columns from the query's final project onto alert entities. Every
# columnName listed here must stay in that project for the mapping to resolve.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: ObjectGuid
    columnName: AccountObjectId
  - identifier: FullName
    columnName: userPrincipalName
  - identifier: DisplayName
    columnName: AccountDisplayName
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Application
  - identifier: AppId
    columnName: ApplicationID
# MITRE ATT&CK T1071 (Application Layer Protocol), under the CommandAndControl tactic below.
relevantTechniques:
- T1071
name: Preview - TI map URL entity to Cloud App Events
# NOTE(review): inside a literal block scalar the single quotes are part of the text
# and a trailing newline is kept; the ARM template on this page shows both in its
# "description" value.
description: |
    'Identifies compromises and attacks and detect malicious activities in one's URL entity from TI'
# Detection query. Review points for tuning (comments cannot be placed inside the
# block scalar without changing the query text):
#  - extract() yields only the first URL found in ActivityObjects per event.
#  - In the regex class "[$-_@.&+]", "$-_" is a character range; characters outside
#    the listed classes (e.g. '~', '#') end the captured URL.
#  - The join on Url is an exact string comparison, and kind=innerunique keeps one
#    indicator row per distinct Url.
#  - argmax() is the legacy spelling of arg_max(); the long extend restores the
#    column names it prefixes with max_CloudApps_TimeGenerated_.
#  - TargetResourceDisplayName and ActivityGroupNames are computed but not projected.
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | where isnotempty(Url)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | join kind=innerunique (CloudAppEvents
  | where TimeGenerated >= ago(dt_lookBack)
  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1, tostring(ActivityObjects))
  | extend userPrincipalName = tostring(RawEventData.UserId)
  | extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
  | extend CloudApps_TimeGenerated = TimeGenerated) on Url
  | where CloudApps_TimeGenerated < ExpirationDateTime
  | summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
  | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore, IPAddress = max_CloudApps_TimeGenerated_IPAddress, AccountObjectId = max_CloudApps_TimeGenerated_AccountObjectId, AccountDisplayName = max_CloudApps_TimeGenerated_AccountDisplayName, ObjectName = max_CloudApps_TimeGenerated_ObjectName, Application= max_CloudApps_TimeGenerated_Application, ApplicationID = max_CloudApps_TimeGenerated_ApplicationId, userPrincipalName = max_CloudApps_TimeGenerated_userPrincipalName
  | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID  
# Data window available to the query; equals ioc_lookBack (14d) inside the query.
queryPeriod: 14d
# Together with triggerThreshold: 0 below, "gt" means an alert is raised whenever
# the query returns at least one row.
triggerOperator: gt
severity: Medium
tactics:
- CommandAndControl
# Template GUID; the ARM template on this page uses the same value for the alert
# rule resource name and alertRuleTemplateName.
id: e8ae92dd-1d41-4530-8be8-85c5014c7b47
version: 1.0.3
kind: Scheduled
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e8ae92dd-1d41-4530-8be8-85c5014c7b47')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e8ae92dd-1d41-4530-8be8-85c5014c7b47')]",
      "properties": {
        "alertRuleTemplateName": "e8ae92dd-1d41-4530-8be8-85c5014c7b47",
        "customDetails": null,
        "description": "'Identifies compromises and attacks and detect malicious activities in one's URL entity from TI'\n",
        "displayName": "Preview - TI map URL entity to Cloud App Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountObjectId",
                "identifier": "ObjectGuid"
              },
              {
                "columnName": "userPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountDisplayName",
                "identifier": "DisplayName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "Name"
              },
              {
                "columnName": "ApplicationID",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| where isnotempty(Url)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join kind=innerunique (CloudAppEvents\n| where TimeGenerated >= ago(dt_lookBack)\n| extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1, tostring(ActivityObjects))\n| extend userPrincipalName = tostring(RawEventData.UserId)\n| extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)\n| extend CloudApps_TimeGenerated = TimeGenerated) on Url\n| where CloudApps_TimeGenerated < ExpirationDateTime\n| summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url\n| extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore, IPAddress = max_CloudApps_TimeGenerated_IPAddress, AccountObjectId = max_CloudApps_TimeGenerated_AccountObjectId, AccountDisplayName = max_CloudApps_TimeGenerated_AccountDisplayName, ObjectName = max_CloudApps_TimeGenerated_ObjectName, Application= max_CloudApps_TimeGenerated_Application, ApplicationID = max_CloudApps_TimeGenerated_ApplicationId, userPrincipalName = max_CloudApps_TimeGenerated_userPrincipalName\n| project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, IPAddress, userPrincipalName, AccountObjectId, AccountDisplayName, ObjectName, Application, ApplicationID\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}