id: 2474343c-9135-42ec-9c40-a1bace43da5c name: TI Map IP Entity to DeviceNetworkEvents description: | 'Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.' severity: Medium requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - DeviceNetworkEvents - connectorId: ThreatIntelligence dataTypes: - ThreatIntelligenceIndicator - connectorId: ThreatIntelligenceTaxii dataTypes: - ThreatIntelligenceIndicator - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator queryFrequency: 1h queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - CommandAndControl relevantTechniques: - T1071 query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let DeviceNetworkEvents_ = DeviceNetworkEvents | where isnotempty(RemoteIP) | where TimeGenerated > ago(dt_lookBack) | where ActionType !has "ConnectionFailed" | extend isPrivate = ipv4_is_private(RemoteIP) | where isPrivate != true; let IPs = DeviceNetworkEvents_ | distinct RemoteIP | summarize make_list(RemoteIP); ThreatIntelIndicators //extract key part of kv pair | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0))) | where isnotempty(IndicatorType) and IndicatorType == "ipv4-addr" | extend NetworkSourceIP = toupper(ObservableValue) | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel) | where isnotempty(NetworkSourceIP) | where TimeGenerated >= ago(ioc_lookBack) | extend TI_ipEntity = NetworkSourceIP | where TI_ipEntity in (IPs) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id | where IsActive == true and ValidUntil > now() | extend Description = tostring(parse_json(Data).description) | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" | join kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP | summarize TimeGenerated = arg_max(TimeGenerated, *) by Id, TI_ipEntity, DeviceName | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0]) | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity entityMappings: - entityType: Account fieldMappings: - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix - entityType: IP fieldMappings: - identifier: Address columnName: TI_ipEntity - entityType: URL fieldMappings: - identifier: Url columnName: RemoteUrl - entityType: Host fieldMappings: - identifier: HostName columnName: DeviceName version: 1.0.2 kind: Scheduled