id: f624417d-9e4e-462e-93e7-53ab7686a479 name: TI Map File Entity to Syslog Event description: | 'This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' description-detailed: | 'This query identifies any matches in the Syslog Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: - connectorId: Syslog dataTypes: - Syslog - connectorId: ThreatIntelligence dataTypes: - ThreatIntelligenceIndicator - connectorId: ThreatIntelligenceTaxii dataTypes: - ThreatIntelligenceIndicator - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator tactics: - Impact query: | let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let ioc_lookBack = 14d; ThreatIntelIndicators | where TimeGenerated >= ago(ioc_lookBack) and ValidUntil > now() | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id | where IsActive == true //extract key part of kv pair | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0))) | where IndicatorType == "file" | extend FileName = ObservableValue | where isnotempty(FileName) | extend TI_ProcessEntity = tostring(split(FileName, ".")[-2]) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( Syslog | where TimeGenerated between(starttime..endtime) | where isnotempty(ProcessName) | extend Syslog_TimeGenerated = TimeGenerated ) on $left.TI_ProcessEntity == $right.ProcessName | where Syslog_TimeGenerated < ValidUntil | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by Id, ProcessName | extend Description = tostring(parse_json(Data).description) | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels)) | project Syslog_TimeGenerated, Description, ActivityGroupNames, Id, Type, ValidUntil, Confidence,//Url FileName, Computer, HostIP, SyslogMessage | extend timestamp = Syslog_TimeGenerated, HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.') | extend Host_0_HostName = HostName | extend Host_0_DnsDomain = DnsDomain | extend IP_0_Address = HostIP //| extend URL_0_Url = Url entityMappings: - entityType: Host fieldMappings: - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: DnsDomain - entityType: IP fieldMappings: - identifier: Address columnName: HostIP - entityType: URL fieldMappings: - identifier: Url columnName: Url version: 1.0.3