Detection rules › Kusto
TI map Domain entity to EmailUrlInfo
'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566 Phishing |
Rule body kusto
id: 87cc75df-d7b2-44f1-b064-ee924edfc879
name: TI map Domain entity to EmailUrlInfo
description: |
'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
severity: Medium
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- EmailUrlInfo
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour
let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains
| where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase
| extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period
let TI_Urls = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(Url) // Filter for non-empty URLs
| extend Url = tolower(Url) // Convert URLs to lowercase
| join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlLocation, NetworkMessageId; // Select relevant columns
let TI_Domains = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period
| where isnotempty(DomainName) // Filter for non-empty domain names
| extend DomainName = tolower(DomainName) // Convert domain names to lowercase
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name
| where Active == true and ExpirationDateTime > now() // Filter for active indicators that haven't expired
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId; // Select relevant columns
union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data
| extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column
| join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID
| where DeliveryAction !has "Blocked" // Filter out blocked delivery actions
| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]); // Extract name and UPN suffix from recipient email address
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: RecipientEmailAddress
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
version: 1.0.3
kind: Scheduled
Stages and Predicates
Parameters
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
Let binding: EmailUrlInfo_
let EmailUrlInfo_ = EmailUrlInfo
| where isnotempty(Url) or isnotempty(UrlDomain)
| where TimeGenerated >= ago(dt_lookBack)
| extend Url = tolower(Url), UrlDomain = tolower(UrlDomain)
| extend EmailUrlInfo_TimeGenerated = TimeGenerated;
Derived from dt_lookBack.
Let binding: EmailEvents_
let EmailEvents_ = EmailEvents
| where TimeGenerated >= ago(dt_lookBack);
Derived from dt_lookBack.
Let binding: TI_Urls
let TI_Urls = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(Url)
| extend Url = tolower(Url)
| join kind=innerunique (EmailUrlInfo_) on Url
| where Active == true and ExpirationDateTime > now()
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlLocation, NetworkMessageId;
Derived from ioc_lookBack, EmailUrlInfo_.
Let binding: TI_Domains
let TI_Domains = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(DomainName)
| extend DomainName = tolower(DomainName)
| join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain
| where Active == true and ExpirationDateTime > now()
| where EmailUrlInfo_TimeGenerated < ExpirationDateTime
| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain
| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, UrlDomain, UrlLocation, NetworkMessageId;
Derived from ioc_lookBack, EmailUrlInfo_.
union (2 sources)
Each leg below queries one source; the rule matches if any leg does. Sources: TI_Urls, TI_Domains
Leg 1: TI_Urls
Leg 2: TI_Domains
Applied to the combined result
| extend timestamp = EmailUrlInfo_TimeGenerated | join kind=inner (EmailEvents_) on NetworkMessageId | where DeliveryAction !has "Blocked" | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]);
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
DeliveryAction | match | Blocked |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Active | eq |
|
DomainName | is_not_null | |
EmailUrlInfo_TimeGenerated | lt |
|
Url | is_not_null | |
UrlDomain | is_not_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
ActivityGroupNames | project |
ConfidenceScore | project |
Description | project |
EmailUrlInfo_TimeGenerated | project |
ExpirationDateTime | project |
IndicatorId | project |
NetworkMessageId | project |
ThreatType | project |
UrlDomain | project |
UrlLocation | project |
timestamp | extend |
Name | extend |
UPNSuffix | extend |