id: 4b451ade-ed28-48e2-8fe7-60ae83ab2fa5 name: TI map Email entity to SecurityAlert description: | 'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others' severity: Medium requiredDataConnectors: - connectorId: AzureSecurityCenter dataTypes: - SecurityAlert - connectorId: ThreatIntelligence dataTypes: - ThreatIntelligenceIndicator - connectorId: ThreatIntelligenceTaxii dataTypes: - ThreatIntelligenceIndicator - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator queryFrequency: 1h queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - InitialAccess relevantTechniques: - T1566 query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; ThreatIntelIndicators //Filtering the table for Email related IOCs | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0))) | where isnotempty(IndicatorType) and IndicatorType == "email-addr" | extend EmailSenderAddress = ObservableValue | extend EmailSourceDomain = substring(EmailSenderAddress, indexof(EmailSenderAddress, "@") + 1, strlen(EmailSenderAddress) - indexof(EmailSenderAddress, "@") - 1) | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel) | extend IndicatorId = tostring(split(Id, "--")[2]) | extend Url = iff(ObservableKey == "url:value", ObservableValue, "") | where isnotempty(EmailSenderAddress) | where TimeGenerated >= ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id | where IsActive == true and ValidUntil > now() | project-reorder *, TrafficLightProtocolLevel, EmailSenderAddress, EmailSourceDomain, Type // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( SecurityAlert | where TimeGenerated >= ago(dt_lookBack) | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) | where MSTI == false // Converting Entities into dynamic data type and use mv-expand to unpack the array | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name), EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix) | where Entitytype =~ "account" | extend EntityEmail = tolower(strcat(EntityName, "@", EntityUPNSuffix)) | where EntityEmail matches regex emailregex | extend Alert_TimeGenerated = TimeGenerated ) on $left.EmailSenderAddress == $right.EntityEmail | where Alert_TimeGenerated < ValidUntil | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by Id, AlertName | extend Description = tostring(parse_json(Data).description) | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels)) | project Alert_TimeGenerated, Description, ActivityGroupNames, Id, ValidUntil, Confidence, EmailSenderAddress, EntityEmail, AlertName, AlertType, AlertSeverity, Entities, ProviderName, VendorName,Url//, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, | extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0]) | extend timestamp = Alert_TimeGenerated entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: EntityEmail - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix - entityType: URL fieldMappings: - identifier: Url columnName: Url version: 1.2.9 kind: Scheduled