Multiple Domain Entity Security Alert

// This query assumes a feed of threat indicators is ingested/synchronized periodically, and each synchronization ingests new indicators and only old indicators that have been modified. // Active threat indicators in Sentinel are renovated as ThreatIntelligenceIndicator events every ~12 days. let query_frequency = 1h; let query_period = 14d; let query_wait = 0h; let table_query_lookback = 14d; let _TIBenignProperty = _GetWatchlist('ID-TIBenignProperty') | where Notes has_any ("[SourceDomain]", "[DestinationDomain]") | project IndicatorId, BenignProperty ; let _TIExcludedSources = toscalar( _GetWatchlist('Activity-ExpectedSignificantActivity') | where Activity == "ThreatIndicatorSource" | summarize make_list(Auxiliar) ); let _ExcludedAlerts = _GetWatchlist('AlertName-MonitoredDetections') | where Notes has "[ExcludedTIAlerts]" | project ProductName, AlertName, AnalyticsId = tostring(AnalyticsId) ; let _DomainRegex = toscalar( _GetWatchlist('RegEx-SingleRegularExpressions') | where UseCase == "Threat Intelligence Indicator Domain" | project RegEx ); let _TITableMatch = (table_start: datetime, table_end: datetime, only_new_ti: boolean, ti_start: datetime = datetime(null)) { // Scheduled Analytics rules have a query period limit of 14d let _Indicators =// materialize( ThreatIntelligenceIndicator | where TimeGenerated > ago(query_period) // Take the earliest TimeGenerated and the latest column info | summarize hint.strategy=shuffle minTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, Active, Description, ActivityGroupNames, IndicatorId, ThreatType, DomainName, Url, ExpirationDateTime, ConfidenceScore, AdditionalInformation, ExternalIndicatorId) by IndicatorId // Remove inactive or expired indicators | where not(not(Active) or ExpirationDateTime < now()) // Pick indicators that contain the desired entity type | where isnotempty(DomainName) | extend Domain = tolower(DomainName) // Remove indicators from specific sources | where not(AdditionalInformation has_any (_TIExcludedSources)) // Remove excluded indicators with benign properties | join kind=leftanti _TIBenignProperty on IndicatorId, $left.Domain == $right.BenignProperty // Deduplicate indicators by Domain column, equivalent to using join kind=innerunique afterwards | summarize hint.strategy=shuffle minTimeGenerated = min(minTimeGenerated), take_any(*) by Domain // If we want only new indicators, remove indicators received previously | where not(only_new_ti and minTimeGenerated < ti_start) //) ; //let _IndicatorsLength = toscalar(_Indicators | summarize count()); //let _IndicatorsPrefilter = toscalar( // _Indicators // | extend AuxiliarField = tostring(split(Domain, ".")[-1]) // | summarize make_set_if(AuxiliarField, isnotempty(AuxiliarField)) //); //let _IndicatorsPrefilterLength = array_length(_IndicatorsPrefilter); let _TableEvents = SecurityAlert | where TimeGenerated between (table_start .. table_end) // Remove TI map alerts | extend MSTI = (VendorName == "Microsoft" and ProductName == 'Azure Sentinel' and (ProviderName == "Threat Intelligence Alerts" or AlertName has "TI map")) | where MSTI == false //or MSTI == true // Remove excluded alerts | extend AnalyticsId = iff(ProductName == "Azure Sentinel", tostring(split(AlertType, "_")[-1]), AlertType) | join kind=leftanti _ExcludedAlerts on ProductName, AlertName, AnalyticsId // Filter events that may contain indicators | where isnotempty(Entities) //| where not(_IndicatorsPrefilterLength < 10000 and not(Entities has_any (_IndicatorsPrefilter))) // valid TLD ~1500 , "has_any" limit 10000 | extend Domains = todynamic(dynamic_to_json(extract_all(_DomainRegex, dynamic([1]), Entities))) | mv-expand Domain = Domains | extend Domain = tolower(tostring(Domain[0])) | where isnotempty(Domain) | summarize hint.strategy=shuffle take_any(*) by OriginalDomain = Domain //| where not(_IndicatorsPrefilterLength < 10000 and not(tostring(split(OriginalDomain, ".")[-1]) in (_IndicatorsPrefilter))) | extend SplitLevelDomains = split(OriginalDomain, ".") | mv-expand Level = range(0, array_length(SplitLevelDomains) - 2) to typeof(int) | extend Domain = strcat_array(array_slice(SplitLevelDomains, Level, -1), ".") //| where not(_IndicatorsLength < 1000000 and not(Domain in (toscalar(_Indicators | summarize make_list(Domain))))) // "in" limit 1.000.000 // Extract one entity of each type of multiple possible | mv-apply EntitiesDynamic = todynamic(Entities) on ( summarize Alert_Account = take_anyif(strcat(tostring(EntitiesDynamic.Name), iff(isnotempty(tostring(EntitiesDynamic.UPNSuffix)), "@", ""), tostring(EntitiesDynamic.UPNSuffix)), EntitiesDynamic.Type == "account" and not(EntitiesDynamic.IsValid == "false")), Alert_HostName = take_anyif(tostring(EntitiesDynamic.HostName), EntitiesDynamic.Type == "host"), Alert_IPAddress = take_anyif(tostring(EntitiesDynamic.Address), EntitiesDynamic.Type == "ip") ) | project-rename Alert_Description = Description | project-rename SecurityAlert_TimeGenerated = TimeGenerated ; _Indicators | join kind=inner hint.strategy=shuffle _TableEvents on Domain // Take only a single event by key columns //| summarize hint.strategy=shuffle take_any(*) by Domain, AlertName | project SecurityAlert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, DomainName, Url, ExpirationDateTime, ConfidenceScore, AdditionalInformation, AlertName, AlertSeverity, Entities, ProviderName, ProductName, VendorName, AnalyticsId, Alert_Description, Alert_Account, Alert_IPAddress, Alert_HostName, CompromisedEntity }; union// isfuzzy=true // Match current table events all indicators available _TITableMatch(ago(query_frequency + query_wait), ago(query_wait), false), // Match past table events new indicators since last query execution _TITableMatch(ago(table_query_lookback + query_wait), ago(query_frequency + query_wait), true, ago(query_frequency)) | summarize arg_max(SecurityAlert_TimeGenerated, *) by IndicatorId, AlertName | extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = Alert_Account, IPCustomEntity = Alert_IPAddress, HostCustomEntity = Alert_HostName, URLCustomEntity = Url

Explanation

This query is used to match threat indicators with security alert events in Azure Sentinel. The query assumes that a feed of threat indicators is periodically ingested and synchronized. It sets some variables for the query frequency, period, and wait time.

The query then retrieves various watchlists and sets them as variables. These watchlists include benign properties, excluded sources, excluded alerts, and regular expressions for threat intelligence indicators.

The main part of the query is the _TITableMatch function, which matches the threat indicators with the security alert events. It filters the threat indicators based on their active status, expiration date, domain name, excluded sources, and benign properties. It also removes duplicate indicators and filters out previously received indicators if only new indicators are desired.

The function then matches the filtered threat indicators with the security alert events. It removes TI map alerts and excluded alerts, and filters events that may contain indicators. It extracts domains from the events and matches them with the threat indicators. It also extracts entities of different types from the events.

Finally, the function joins the threat indicators with the matched security alert events and selects the latest event for each indicator and alert name. It also renames some columns and adds custom entities for account, IP address, host name, and URL.

The results of the _TITableMatch function are then unioned together to get the final result, which includes the matched indicators and security alert events. The result is summarized by indicator ID and alert name, and additional columns are added for timestamp and custom entities.

Details

Jose Sebastián Canós

Released: February 6, 2023

Tables

ThreatIntelligenceIndicatorSecurityAlert_GetWatchlist

Keywords

ThreatIntelligenceIndicator,Sentinel,_GetWatchlist,ID-TIBenignProperty,SourceDomain,DestinationDomain,_TIExcludedSources,Activity-ExpectedSignificantActivity,ThreatIndicatorSource,_ExcludedAlerts,AlertName-MonitoredDetections,ExcludedTIAlerts,RegEx-SingleRegularExpressions,ThreatIntelligenceIndicatorDomain,_DomainRegex,_TITableMatch,table_start,table_end,only_new_ti,ti_start,ThreatIntelligenceIndicator,TimeGenerated,Active,Description,ActivityGroupNames,IndicatorId,ThreatType,DomainName,Url,ExpirationDateTime,ConfidenceScore,AdditionalInformation,ExternalIndicatorId,Domain,AdditionalInformation,_TIBenignProperty,BenignProperty,Domain,_Indicators,minTimeGenerated,minTimeGenerated,Active,Description,ActivityGroupNames,IndicatorId,ThreatType,DomainName,Url,ExpirationDateTime,ConfidenceScore,AdditionalInformation,ExternalIndicatorId,only_new_ti,ti_start,_TableEvents,SecurityAlert,TimeGenerated,table_start,table_end,VendorName,ProductName,ProviderName,ThreatIntelligenceAlerts,AlertName,MSTI,Entities,_ExcludedAlerts,AlertType,Domains,OriginalDomain,SplitLevelDomains,Level,Domain,_Indicators,Domain,Alert_Account,Alert_HostName,Alert_IPAddress,EntitiesDynamic,Alert_Description,SecurityAlert_TimeGenerated,_Indicators,Domain,AlertName,SecurityAlert_TimeGenerated,Description,ActivityGroupNames,IndicatorId,ThreatType,DomainName,Url,ExpirationDateTime,ConfidenceScore,AdditionalInformation,AlertName,AlertSeverity,Entities,ProviderName,ProductName,VendorName,AnalyticsId,Alert_Description,Alert_Account,Alert_IPAddress,Alert_HostName,CompromisedEntity,timestamp,AccountCustomEntity,IPCustomEntity,HostCustomEntity,URLCustomEntity.

Operators

letwhereprojecthas_anytoscalarsummarizemake_listjoinkind=leftantiextendisnotemptynothasbyisnotemptyisnotemptytake_anytake_anyifproject-renamemv-expandstrcat_arrayarray_slicemv-applyunionagoarg_maxtimestampAccountCustomEntityIPCustomEntityHostCustomEntityURLCustomEntity

KQL Search