detection.wiki

Detection rules › Kusto

TI map IP entity to Cloud App Events

Severity
medium
Time window
14d
Group by
IPAddress, Id, ObservableValue, TI_ipEntity
Source
github.com/Azure/Azure-Sentinel

'Identifies compromises and attacks and detect malicious activities in one's IP entity from TI'

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1071 Application Layer Protocol

Rule body kusto

id: 16a45aee-5e39-4d1b-b508-40f847c99353
name: TI map IP entity to Cloud App Events
description: |
   'Identifies compromises and attacks and detect malicious activities in one's IP entity from TI'
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
  - connectorId: MicrosoftDefenderThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let dt_lookBack = 1d;
  let ioc_lookBack = 14d; 
  let IP_Indicators = ThreatIntelIndicators
  //extract key part of kv pair
       | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
       | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
       | extend NetworkSourceIP = toupper(ObservableValue)
       | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil))
    | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
    | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity);
  //  | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);
  IP_Indicators
     | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    | join kind=innerunique (
    CloudAppEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress
      | where CloudAppEvents_TimeGenerated < ValidUntil
      | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by Id, IPAddress
      | extend
        Description = column_ifexists("max_CloudAppEvents_TimeGenerated_Description", ""),
        ActivityGroupNames = column_ifexists("max_CloudAppEvents_TimeGenerated_ActivityGroupNames", ""),
        ThreatType = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatType", ""),
        ExpirationDateTime = column_ifexists("max_CloudAppEvents_TimeGenerated_ExpirationDateTime", ""),
        ConfidenceScore = column_ifexists("max_CloudAppEvents_TimeGenerated_ConfidenceScore", ""),
        TI_ipEntity = column_ifexists("max_CloudAppEvents_TimeGenerated_TI_ipEntity", ""),
        NetworkDestinationIP = column_ifexists("max_CloudAppEvents_TimeGenerated_NetworkDestinationIP", ""),
        NetworkSourceIP = column_ifexists("max_CloudAppEvents_TimeGenerated_NetworkSourceIP", ""),
        EmailSourceIPAddress = column_ifexists("max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress", "")
      | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, Id, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: TI_ipEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: NetworkDestinationIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: NetworkSourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: EmailSourceIPAddress
version: 1.0.7
kind: Scheduled

Stages and Predicates

Parameters

let dt_lookBack = 1d;
let ioc_lookBack = 14d;

The stages below define let IP_Indicators (the rule's main pipeline source).

Stage 1: source

ThreatIntelIndicators

Stage 2: extend

| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))

Stage 3: where

| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")

Stage 4: extend

| extend NetworkSourceIP = toupper(ObservableValue)

Stage 5: extend

| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)

Stage 6: where

| where TimeGenerated >= ago(ioc_lookBack)

Stage 7: summarize

| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue

Stage 8: where

| where IsActive and (ValidUntil > now() or isempty(ValidUntil))

Stage 9: extend

| extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
TI_ipEntity =
ifisnotempty(NetworkSourceIP)NetworkSourceIP
elseNetworkSourceIP

Stage 10: extend

| extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
TIipEntity =
ifisempty(TI_ipEntity) and isnotempty(NetworkSourceIP)NetworkSourceIP
elseTI_ipEntity

The stages below run on IP_Indicators (the outer pipeline).

Stage 11: project-reorder

IP_Indicators
| project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity

Stage 12: join

| join kind=innerunique (
  CloudAppEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress

Stage 13: where

| where CloudAppEvents_TimeGenerated < ValidUntil

Stage 14: summarize

| summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by Id, IPAddress

Stage 15: extend

| extend
      Description = column_ifexists("max_CloudAppEvents_TimeGenerated_Description", ""),
      ActivityGroupNames = column_ifexists("max_CloudAppEvents_TimeGenerated_ActivityGroupNames", ""),
      ThreatType = column_ifexists("max_CloudAppEvents_TimeGenerated_ThreatType", ""),
      ExpirationDateTime = column_ifexists("max_CloudAppEvents_TimeGenerated_ExpirationDateTime", ""),
      ConfidenceScore = column_ifexists("max_CloudAppEvents_TimeGenerated_ConfidenceScore", ""),
      TI_ipEntity = column_ifexists("max_CloudAppEvents_TimeGenerated_TI_ipEntity", ""),
      NetworkDestinationIP = column_ifexists("max_CloudAppEvents_TimeGenerated_NetworkDestinationIP", ""),
      NetworkSourceIP = column_ifexists("max_CloudAppEvents_TimeGenerated_NetworkSourceIP", ""),
      EmailSourceIPAddress = column_ifexists("max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress", "")

Stage 16: project

| project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, Id, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CloudAppEvents_TimeGeneratedlt
  • ValidUntil transforms: cased corpus 3 (kusto 3)
IndicatorTypein
  • ipv4-addr transforms: cased
  • ipv6-addr transforms: cased
  • network-traffic transforms: cased
ValidUntilis_null
  • (no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
ActivityGroupNamesproject
CloudAppEventsTimeGeneratedproject
ConfidenceScoreproject
Descriptionproject
EmailSourceIPAddressproject
ExpirationDateTimeproject
Idproject
NetworkDestinationIPproject
NetworkSourceIPproject
TI_ipEntityproject
ThreatTypeproject