Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI IPAddress in DeviceEvents

Lumen TI IPAddress in DeviceEvents

Back
Idfa566691-42a2-4136-6a8b-ffa3ea510000
RulenameLumen TI IPAddress in DeviceEvents
DescriptionThis query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DeviceEvents.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsLumenThreatFeedConnector
MicrosoftThreatProtection
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_DeviceEvents.yaml
Version1.0.0
Arm templatefa566691-42a2-4136-6a8b-ffa3ea510000.json
Deploy To Azure
let dt_lookBack = 1d;  // Data lookback for DeviceEvents
let ioc_lookBack = 14d; // TI lookback
let IP_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'ipv4-addr:value'
  | extend TI_ipEntity = ObservableValue
  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
IP_Indicators
| join kind=innerunique (
    DeviceEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend DE_ipEntity = RemoteIP
    | extend DeviceEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.DE_ipEntity
| where DeviceEvents_TimeGenerated < ValidUntil
| summarize arg_max(DeviceEvents_TimeGenerated, *), StartTime = min(DeviceEvents_TimeGenerated), EndTime = max(DeviceEvents_TimeGenerated) by Id, DE_ipEntity
| project timestamp = EndTime, StartTime, EndTime, DeviceName, RemoteIP, ActionType, ReportId, Id, Tags, ValidUntil, Confidence, TI_ipEntity, DE_ipEntity, Type

queryFrequency: 4h
description: |
    This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DeviceEvents.
queryPeriod: 14d
name: Lumen TI IPAddress in DeviceEvents
severity: Medium
tactics:
- CommandAndControl
query: |
  let dt_lookBack = 1d;  // Data lookback for DeviceEvents
  let ioc_lookBack = 14d; // TI lookback
  let IP_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'ipv4-addr:value'
    | extend TI_ipEntity = ObservableValue
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';
  IP_Indicators
  | join kind=innerunique (
      DeviceEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend DE_ipEntity = RemoteIP
      | extend DeviceEvents_TimeGenerated = TimeGenerated
    ) on $left.TI_ipEntity == $right.DE_ipEntity
  | where DeviceEvents_TimeGenerated < ValidUntil
  | summarize arg_max(DeviceEvents_TimeGenerated, *), StartTime = min(DeviceEvents_TimeGenerated), EndTime = max(DeviceEvents_TimeGenerated) by Id, DE_ipEntity
  | project timestamp = EndTime, StartTime, EndTime, DeviceName, RemoteIP, ActionType, ReportId, Id, Tags, ValidUntil, Confidence, TI_ipEntity, DE_ipEntity, Type  
id: fa566691-42a2-4136-6a8b-ffa3ea510000
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_DeviceEvents.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DE_ipEntity
suppressionDuration: 5h
triggerThreshold: 0
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
version: 1.0.0
suppressionEnabled: true
triggerOperator: gt
displayName: Lumen TI IPAddress in DeviceEvents
kind: Scheduled
relevantTechniques:
- T1071

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa566691-42a2-4136-6a8b-ffa3ea510000')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa566691-42a2-4136-6a8b-ffa3ea510000')]",
      "properties": {
        "alertRuleTemplateName": "fa566691-42a2-4136-6a8b-ffa3ea510000",
        "customDetails": null,
        "description": "This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DeviceEvents.\n",
        "displayName": "Lumen TI IPAddress in DeviceEvents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DE_ipEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_IPEntity_DeviceEvents.yaml",
        "query": "let dt_lookBack = 1d;  // Data lookback for DeviceEvents\nlet ioc_lookBack = 14d; // TI lookback\nlet IP_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'ipv4-addr:value'\n  | extend TI_ipEntity = ObservableValue\n  | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith 'fe80' and TI_ipEntity !startswith '::' and TI_ipEntity !startswith '127.';\nIP_Indicators\n| join kind=innerunique (\n    DeviceEvents\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend DE_ipEntity = RemoteIP\n    | extend DeviceEvents_TimeGenerated = TimeGenerated\n  ) on $left.TI_ipEntity == $right.DE_ipEntity\n| where DeviceEvents_TimeGenerated < ValidUntil\n| summarize arg_max(DeviceEvents_TimeGenerated, *), StartTime = min(DeviceEvents_TimeGenerated), EndTime = max(DeviceEvents_TimeGenerated) by Id, DE_ipEntity\n| project timestamp = EndTime, StartTime, EndTime, DeviceName, RemoteIP, ActionType, ReportId, Id, Tags, ValidUntil, Confidence, TI_ipEntity, DE_ipEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}