From 37ca3dd6be03b20cab9447b9043f73d9f430b39b Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 1 Nov 2024 11:32:17 +0100 Subject: [PATCH] build: random changes to mainTemplate.json --- .../Recorded Future/Package/mainTemplate.json | 196 +++++++++--------- 1 file changed, 98 insertions(+), 98 deletions(-) diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index 0f623e93e59..2284eef8ba2 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json @@ -397,16 +397,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -414,8 +414,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -423,8 +423,8 @@ { "fieldMappings": [ { - "identifier": "DomainName", - "columnName": "DomainName" + "columnName": "DomainName", + "identifier": "DomainName" } ], "entityType": "DNS" @@ -536,8 +536,8 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } ], "entityType": "Host" @@ -545,8 +545,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -554,8 +554,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "URLCustomEntity", + "identifier": "Url" } ], "entityType": "URL" @@ -563,8 +563,8 @@ { "fieldMappings": [ { - "identifier": "DomainName", - "columnName": "domain" + "columnName": "domain", + "identifier": "DomainName" } ], "entityType": "DNS" @@ -676,16 +676,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SourceUserName" + "columnName": "SourceUserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -693,16 +693,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -710,8 +710,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } ], "entityType": "IP" @@ -719,8 +719,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -823,8 +823,8 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" } ], "entityType": "Account" @@ -832,8 +832,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -841,8 +841,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -850,8 +850,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -960,16 +960,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -977,8 +977,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } ], "entityType": "IP" @@ -986,8 +986,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -995,8 +995,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkIP" + "columnName": "NetworkIP", + "identifier": "Address" } ], "entityType": "IP" @@ -1106,8 +1106,8 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } ], "entityType": "Host" @@ -1115,8 +1115,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -1124,8 +1124,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "URLCustomEntity", + "identifier": "Url" } ], "entityType": "URL" @@ -1232,12 +1232,12 @@ { "fieldMappings": [ { - "identifier": "Value", - "columnName": "Hash" + "columnName": "Hash", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "HashType" + "columnName": "HashType", + "identifier": "Algorithm" } ], "entityType": "FileHash" @@ -1261,10 +1261,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "enabled": true, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "1h" + "enabled": true, + "lookbackDuration": "1h", + "matchingMethod": "AllEntities" }, "createIncident": true } @@ -1367,8 +1367,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkIP" + "columnName": "NetworkIP", + "identifier": "Address" } ], "entityType": "IP" @@ -1392,10 +1392,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "enabled": true, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "1h" + "enabled": true, + "lookbackDuration": "1h", + "matchingMethod": "AllEntities" }, "createIncident": true } @@ -1498,8 +1498,8 @@ { "fieldMappings": [ { - "identifier": "DomainName", - "columnName": "Domain" + "columnName": "Domain", + "identifier": "DomainName" } ], "entityType": "DNS" @@ -1523,10 +1523,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "enabled": true, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "1h" + "enabled": true, + "lookbackDuration": "1h", + "matchingMethod": "AllEntities" }, "createIncident": true } @@ -1630,8 +1630,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } ], "entityType": "URL" @@ -1652,10 +1652,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "enabled": true, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "1h" + "enabled": true, + "lookbackDuration": "1h", + "matchingMethod": "AllEntities" }, "createIncident": true } @@ -7093,19 +7093,19 @@ }, "created": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "modified": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "valid_from": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "valid_until": { "type": "string", - "example": "2023-09-20T20:09:35.993568+05:30" + "example": "2023-09-20T16:39:35.993568+02:00" }, "external_references": { "type": "array", @@ -7301,19 +7301,19 @@ }, "created": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "modified": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "valid_from": { "type": "string", - "example": "2023-09-20T19:09:35.993568+05:30" + "example": "2023-09-20T15:39:35.993568+02:00" }, "valid_until": { "type": "string", - "example": "2023-09-20T20:09:35.993568+05:30" + "example": "2023-09-20T16:39:35.993568+02:00" }, "external_references": { "type": "array", @@ -8856,7 +8856,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -8940,7 +8940,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9024,7 +9024,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9108,7 +9108,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9192,7 +9192,7 @@ }, "properties": { "displayName": "[parameters('workbook5-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9276,7 +9276,7 @@ }, "properties": { "displayName": "[parameters('workbook6-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9360,7 +9360,7 @@ }, "properties": { "displayName": "[parameters('workbook7-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -9444,7 +9444,7 @@ }, "properties": { "displayName": "[parameters('workbook8-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"