TI map IP entity to AWSCloudTrail

Back


Id	f110287e-1358-490d-8147-ed804b328514
Rulename	TI map IP entity to AWSCloudTrail
Description	Identifies a match in AWSCloudTrail from any IP IOC from TI
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	AWS MicrosoftDefenderThreatIntelligence ThreatIntelligence ThreatIntelligenceTaxii
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
Version	1.4.2
Arm template	f110287e-1358-490d-8147-ed804b328514.json

KQL

let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
  // Filter out indicators without relevant IP address fields
  | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
  | where TimeGenerated >= ago(ioc_lookBack)
  // Select the IP entity based on availability of different IP fields
  | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now();
// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
IP_Indicators
  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
  | join kind=innerunique (
      AWSCloudTrail
      | where TimeGenerated >= ago(dt_lookBack)
      | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
    )
    on $left.TI_ipEntity == $right.SourceIpAddress
  // Filter out logs that occurred after the expiration of the corresponding indicator
  | where AWSCloudTrail_TimeGenerated < ExpirationDateTime
  // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
  | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress
  // Select the desired output fields
  | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
    TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
    NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
  // Rename the timestamp field
  | extend timestamp = AWSCloudTrail_TimeGenerated

YAML

relevantTechniques:
- T1071
name: TI map IP entity to AWSCloudTrail
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
entityMappings:
- fieldMappings:
  - identifier: ObjectGuid
    columnName: UserIdentityUserName
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
triggerThreshold: 0
id: f110287e-1358-490d-8147-ed804b328514
tactics:
- CommandAndControl
version: 1.4.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 1h
severity: Medium
description: |
    Identifies a match in AWSCloudTrail from any IP IOC from TI
query: |
  let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelligenceIndicator
    // Filter out indicators without relevant IP address fields
    | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    | where TimeGenerated >= ago(ioc_lookBack)
    // Select the IP entity based on availability of different IP fields
    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
    // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now();
  // Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
  IP_Indicators
    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
    | join kind=innerunique (
        AWSCloudTrail
        | where TimeGenerated >= ago(dt_lookBack)
        | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity
      )
      on $left.TI_ipEntity == $right.SourceIpAddress
    // Filter out logs that occurred after the expiration of the corresponding indicator
    | where AWSCloudTrail_TimeGenerated < ExpirationDateTime
    // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp
    | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress
    // Select the desired output fields
    | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
      TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,
      NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
    // Rename the timestamp field
    | extend timestamp = AWSCloudTrail_TimeGenerated  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f110287e-1358-490d-8147-ed804b328514')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f110287e-1358-490d-8147-ed804b328514')]",
      "properties": {
        "alertRuleTemplateName": "f110287e-1358-490d-8147-ed804b328514",
        "customDetails": null,
        "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI\n",
        "displayName": "TI map IP entity to AWSCloudTrail",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserIdentityUserName",
                "identifier": "ObjectGuid"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml",
        "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n  // Filter out indicators without relevant IP address fields\n  | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n  | where TimeGenerated >= ago(ioc_lookBack)\n  // Select the IP entity based on availability of different IP fields\n  | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n  | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n  | join kind=innerunique (\n      AWSCloudTrail\n      | where TimeGenerated >= ago(dt_lookBack)\n      | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n    )\n    on $left.TI_ipEntity == $right.SourceIpAddress\n  // Filter out logs that occurred after the expiration of the corresponding indicator\n  | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n  // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\n  | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n  // Select the desired output fields\n  | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n    TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n    NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n  // Rename the timestamp field\n  | extend timestamp = AWSCloudTrail_TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.4.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}