id: 3b6bdb38-93c5-452f-ab3a-97a3d1320d16 name: TI Map URL Entity to SecurityAlert Data description: | 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.' severity: Medium requiredDataConnectors: - connectorId: MicrosoftCloudAppSecurity dataTypes: - SecurityAlert - connectorId: AzureSecurityCenter dataTypes: - SecurityAlert - connectorId: ThreatIntelligence dataTypes: - ThreatIntelligenceIndicator - connectorId: ThreatIntelligenceTaxii dataTypes: - ThreatIntelligenceIndicator - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator queryFrequency: 1h queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - CommandAndControl relevantTechniques: - T1071 query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let URLRegex = "((https?|ftp|ldap|wss?|file):\\/\\/(([\\:\\%\\w\\_\\-]+(\\.|@))*((xn--)?[a-zA-Z0-9\\-]+\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{0,3})[.,:\\w@?^=%&\\/~+#-]*[\\w@?^=%&\\/~+#-])"; let SecurityEvents = materialize(SecurityAlert | where TimeGenerated >= ago(dt_lookBack) | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) | where MSTI == false // Extract URL from JSON data | mv-expand parse_json(Entities) | where isnotempty(Entities.Url) or isnotempty(Entities.Urls) | extend Url = coalesce(Entities.Url, Entities.Urls) | mv-expand Url | extend Url = tolower(Url) // Extract hostname from JSON data for entity mapping | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"]) | extend Alert_TimeGenerated = TimeGenerated); let EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url)); ThreatIntelIndicators //extract key part of kv pair | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0))) | where IndicatorType == "url" | extend Url = ObservableValue | where isnotempty(Url) | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel) | where isnotempty(Url) | where TimeGenerated >= ago(ioc_lookBack) | where tolower(Url) in (EventUrls) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id | where IsActive == true and ValidUntil > now() | extend Description = tostring(parse_json(Data).description) | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" | project-reorder *, Tags, TrafficLightProtocolLevel, Url, Type // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique (SecurityEvents) on Url | where Alert_TimeGenerated < ValidUntil | extend Description = tostring(parse_json(Data).description) | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels)) | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by Id, AlertName | project timestamp = Alert_TimeGenerated, ActivityGroupNames, Id, Type, ValidUntil, Confidence, AlertName, AlertSeverity, Description, Url, Compromised_Host entityMappings: - entityType: Host fieldMappings: - identifier: HostName columnName: Compromised_Host - entityType: URL fieldMappings: - identifier: Url columnName: Url version: 1.2.9 kind: Scheduled