
TI map Domain entity to PaloAlto

Id: ec21493c-2684-4acd-9bc2-696dbad72426
Rulename: TI map Domain entity to PaloAlto
Description: Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI
Severity: Medium
Tactics: Impact
Required data connectors: PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
Version: 1.3.0
Arm template: ec21493c-2684-4acd-9bc2-696dbad72426.json
// Scheduled detection: correlates domain indicators (the workspace's
// ThreatIntelligenceIndicator table plus an external CSV feed) against Palo Alto
// URL-filtering events in CommonSecurityLog. Emits one row per matched
// (indicator, domain) pair with the latest matching event and the custom entity
// columns the rule's entity mappings consume.
let dt_lookBack = 1h;   // event window, applied to ingestion time (see below)
let ioc_lookBack = 14d; // indicator window, applied to TimeGenerated
// External indicator feed fetched at query time over HTTPS from GitHub. The feed's
// availability and content are outside the workspace's control; union isfuzzy=true
// further down keeps the rule running if it is unreachable, but a changed or empty
// file silently changes what the rule can match. NOTE(review): confirm this feed is
// still wanted in addition to the connector-fed table.
let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv"] with(format="csv", ignoreFirstRecord=True);
//Create a list of TLDs in our threat feed for later validation of extracted domains
// NOTE(review): list_tlds is built from ThreatIntelligenceIndicator only, yet the
// `tld in~ (list_tlds)` pre-filter below gates the log side for both indicator
// sources. A TLD that occurs only in IoCList can therefore never match — confirm
// this is intended.
let list_tlds = ThreatIntelligenceIndicator
| where TimeGenerated > ago(ioc_lookBack)
| where isnotempty(DomainName)
| extend DomainName = tolower(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts)-1)]
| summarize count() by tostring(tld)   // collapse to distinct TLDs
| summarize make_list(tld);
// Union of both indicator sources, each reduced to its newest still-active record
// and normalised onto the TI_DomainEntity join column.
let Domain_Indicators = (union isfuzzy=true
(ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// Active is evaluated after the per-IndicatorId dedup, so an indicator whose newest
// record is revoked drops out rather than falling back to an older active record.
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| extend TI_DomainEntity = DomainName
),
(IoCList
| where IoC_Type =~ 'domainname'
| where ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC
// Active is declared as string in the externaldata schema, hence the text compare.
| where Active =~ 'True'
| extend TI_DomainEntity = IoC
| project-away  IoC_Type
)
);
Domain_Indicators
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
// innerunique de-duplicates the left (indicator) side on the join key, so at most
// one indicator row per domain value is carried into the match.
| join kind=innerunique (
CommonSecurityLog
| extend IngestionTime = ingestion_time()
// Windowing on ingestion time means late-arriving events are evaluated in the run
// in which they land rather than being missed by a TimeGenerated cut-off.
| where IngestionTime > ago(dt_lookBack)
| where DeviceVendor =~ 'Palo Alto Networks'
| where DeviceEventClassID =~ 'url'
//Uncomment the line below to only alert on allowed connections
//| where DeviceAction !~ "block-url"
//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
// columnifexists() yields the literal string "None" when the RequestURL column is
// absent. That value is not empty, so the AdditionalExtensions fallback on the next
// line only runs when the column exists but is blank — NOTE(review): confirm intended.
| extend PA_Url = columnifexists("RequestURL", "None")
| extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
// Prefix a scheme so parse_url() can isolate the host. NOTE(review): a value that
// already starts with "https://" while ApplicationProtocol is not "ssl" satisfies the
// first branch and becomes "http://https://..."; consider guarding on both prefixes.
| extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
// Host component with any surrounding double quotes stripped.
| extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
| where isnotempty(Domain)
| extend Domain = tolower(Domain)
| extend parts = split(Domain, '.')
//Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
| extend tld = parts[(array_length(parts)-1)]
//Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
| where tld in~ (list_tlds)
// Preserve the event time under a distinct name before the join renames columns.
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
// NOTE(review): join equality is case-sensitive. Domain is lowercased above, but
// TI_DomainEntity is taken from DomainName / IoC without tolower(), so an indicator
// stored with upper-case letters cannot match — consider normalising both sides.
) on $left.TI_DomainEntity==$right.Domain
// Only count events that occurred while the indicator was still valid.
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
// One row per indicator/domain pair, keeping the most recent event's columns.
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain, IoC
| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
  DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, IoC, TI_DomainEntity
// Columns referenced by the rule's entityMappings (Host, IP, URL) and the alert timestamp.
| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url
# Analytic rule definition. The `query` literal below is the same KQL shown in the
# listing above and embedded as a single string in the ARM template's "query".
version: 1.3.0
queryFrequency: 1h   # rendered as PT1H in the ARM template
requiredDataConnectors:
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
# Both TI connectors populate the same ThreatIntelligenceIndicator table.
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
# Each columnName is produced by the query's final `extend`.
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
kind: Scheduled
queryPeriod: 14d   # matches ioc_lookBack in the query; rendered as P14D in the template
severity: Medium
# Literal block scalar: the text is handed to the rule verbatim, so KQL quoting
# inside it needs no YAML escaping.
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv"] with(format="csv", ignoreFirstRecord=True);
  //Create a list of TLDs in our threat feed for later validation of extracted domains
  let list_tlds = ThreatIntelligenceIndicator
  | where TimeGenerated > ago(ioc_lookBack)
  | where isnotempty(DomainName)
  | extend DomainName = tolower(DomainName)
  | extend parts = split(DomainName, '.')
  | extend tld = parts[(array_length(parts)-1)]
  | summarize count() by tostring(tld)
  | summarize make_list(tld);
  let Domain_Indicators = (union isfuzzy=true
  (ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(DomainName)
  | extend TI_DomainEntity = DomainName
  ),
  (IoCList
  | where IoC_Type =~ 'domainname'
  | where ExpirationDateTime > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC
  | where Active =~ 'True'
  | extend TI_DomainEntity = IoC
  | project-away  IoC_Type
  )
  );
  Domain_Indicators
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
  CommonSecurityLog
  | extend IngestionTime = ingestion_time()
  | where IngestionTime > ago(dt_lookBack)
  | where DeviceVendor =~ 'Palo Alto Networks'
  | where DeviceEventClassID =~ 'url'
  //Uncomment the line below to only alert on allowed connections
  //| where DeviceAction !~ "block-url"
  //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions
  | extend PA_Url = columnifexists("RequestURL", "None")
  | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith "PanOS", extract("([^\"]+)", 1, tolower(AdditionalExtensions)), trim('"', PA_Url))
  | extend PA_Url = iif(PA_Url !startswith "http://" and ApplicationProtocol !~ "ssl", strcat('http://', PA_Url), iif(PA_Url !startswith "https://" and ApplicationProtocol =~ "ssl", strcat('https://', PA_Url), PA_Url))
  | extend Domain = trim(@"""",tostring(parse_url(PA_Url).Host))
  | where isnotempty(Domain)
  | extend Domain = tolower(Domain)
  | extend parts = split(Domain, '.')
  //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on
  | extend tld = parts[(array_length(parts)-1)]
  //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match
  | where tld in~ (list_tlds)
  | extend CommonSecurityLog_TimeGenerated = TimeGenerated
  ) on $left.TI_DomainEntity==$right.Domain
  | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
  | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain, IoC
  | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
    DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, IoC, TI_DomainEntity
  | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url  
# Alert when the query returns more than triggerThreshold (0) rows.
triggerOperator: gt
id: ec21493c-2684-4acd-9bc2-696dbad72426
# NOTE(review): inside a `|` literal block the single quotes are content, so they end
# up in the rule's description text (the ARM template shows "'Identifies ... TI'").
description: |
    'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI'
triggerThreshold: 0
name: TI map Domain entity to PaloAlto
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ec21493c-2684-4acd-9bc2-696dbad72426')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ec21493c-2684-4acd-9bc2-696dbad72426')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "TI map Domain entity to PaloAlto",
        "description": "'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n| where IoC_Type =~ 'domainname'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_DomainEntity = IoC\n| project-away  IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\nCommonSecurityLog\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(dt_lookBack)\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceEventClassID =~ 'url'\n//Uncomment the line below to only alert on allowed connections\n//| where DeviceAction !~ 
\"block-url\"\n//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n| extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n| extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n| extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n| extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n| where isnotempty(Domain)\n| extend Domain = tolower(Domain)\n| extend parts = split(Domain, '.')\n//Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n| extend tld = parts[(array_length(parts)-1)]\n//Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n| where tld in~ (list_tlds)\n| extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain, IoC\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \n  DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, IoC, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "alertRuleTemplateName": "ec21493c-2684-4acd-9bc2-696dbad72426",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml",
        "templateVersion": "1.3.0"
      }
    }
  ]
}