Azure · mmelndezlujn · Oct 10, 2023 · Oct 17, 2023 · Oct 18, 2023 · Oct 30, 2023
@@ -20,18 +20,45 @@ relevantTechniques:
   - T1008
 query: |
   let lookback=1h;
-  let threshold = 2;
-  let errors = dynamic(['NXDOMAIN', 'SERVFAIL', 'REFUSED']);
-  _Im_Dns(starttime=ago(lookback))
-    | where EventResultDetails has_any (errors)
-    | summarize SrcIPs = make_set(SrcIpAddr, 100) by DnsQuery, bin(TimeGenerated, 10min)
-    | where array_length(SrcIPs) >= threshold
-    | extend TotalIPs = array_length(SrcIPs),IPCountthreshold = threshold
+  let threshold = 2; 
+  let errors = dynamic(['NXDOMAIN', 'SERVFAIL', 'REFUSED']); 
+  _Im_Dns(starttime=ago(lookback)) 
+    | where EventResultDetails has_any (errors) 
+    | summarize SrcIPs = make_set(SrcIpAddr, 100), Dvcs = make_set(Dvc, 100), ResourceIds = make_set(_ResourceId, 100) by DnsQuery, bin(TimeGenerated, 10min) 
+    | where array_length(SrcIPs) >= threshold 
+    | extend TotalIPs = array_length(SrcIPs),IPCountthreshold = threshold 
+    | extend DomainName = strcat(split(DnsQuery, ".")[1], ".", split(DnsQuery, ".")[2])  
+    | mv-expand SrcIPs  
+    | extend SrcIP = tostring(SrcIPs)  
+    | mv-expand Dvcs  
+    | extend Dvc = tostring(Dvcs) 
+    | mv-expand ResourceIds  
+    | extend ResourceId = tostring(ResourceIds)
+    | extend Dvc = strcat(split(Dvc, ".")[0])  
+    | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName
 entityMappings:
   - entityType: DNS
     fieldMappings:
       - identifier: DomainName
         columnName: DnsQuery
+  - entityType: IP 
+    fieldMappings: 
+      - identifier: Address 
+        columnName: SrcIP 
+  - entityType: AzureResource 
+    fieldMappings: 
+      - identifier: ResourceId 
+        columnName: ResourceId 
+  - entityType: Url 
+    fieldMappings: 
+      - identifier: Url 
+        columnName: DnsQuery 
+  - entityType: Host 
+    fieldMappings: 
+      - identifier: HostName 
+        columnName: Dvc 
+      - identifier: DnsDomain 
+        columnName: DomainName 
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -41,5 +68,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: "[Static threshold] Multiple errors for the same DNS query has been detected - '{{DnsQuery}}'"
   alertDescriptionFormat: "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'"
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -41,10 +41,16 @@ query: |
       | summarize make_list(tld);
   // Retrieve threat intelligence indicators within the specified time range
   let Domain_Indicators =
-      ThreatIntelligenceIndicator
+      ThreatIntelligenceIndicator 
       | where TimeGenerated >= ago(ioc_lookBack)
       | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
       | where Active == true and ExpirationDateTime > now()
+      // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+      | where ConfidenceScore > 50
+      // Determine AlertPriority based on ConfidenceScore
+      | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                    ConfidenceScore > 74, "Medium",
+                                    "Low")    
       // Filter indicators that have a non-empty domain name
       | where isnotempty(DomainName)
       | extend TI_DomainEntity = DomainName;
@@ -88,5 +94,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: PA_Url
-version: 1.4.0
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -31,6 +31,12 @@ query: |
     | where TimeGenerated >= ago(ioc_lookBack)
     | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
     | where Active == true and ExpirationDateTime > now()
+    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+    | where ConfidenceScore > 50
+    // Determine AlertPriority based on ConfidenceScore
+    | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                  ConfidenceScore > 74, "Medium",
+                                  "Low")    
     // Filter out indicators without domain names
     | where isnotempty(DomainName)
     | extend TI_DomainEntity = DomainName;
@@ -81,5 +87,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.0
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -41,6 +41,12 @@ query: |
       ThreatIntelligenceIndicator
       | where TimeGenerated >= ago(ioc_lookBack)
       | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+      // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+      | where ConfidenceScore > 50
+      // Determine AlertPriority based on ConfidenceScore
+      | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                    ConfidenceScore > 74, "Medium",
+                                    "Low")   
       | where Active == true and ExpirationDateTime > now()
       // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)
       | where isnotempty(DomainName)
@@ -90,5 +96,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: PA_Url
-version: 1.4.0
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -41,6 +41,12 @@ query: |
   let Domain_Indicators = ThreatIntelligenceIndicator
     | where TimeGenerated >= ago(ioc_lookBack)
     | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+    | where ConfidenceScore > 50
+    // Determine AlertPriority based on ConfidenceScore
+    | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                  ConfidenceScore > 74, "Medium",
+                                  "Low")   
     | where Active == true and ExpirationDateTime > now()
     // Picking up only IOC's that contain the entities we want
     | where isnotempty(DomainName)
@@ -88,5 +94,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.1
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -40,6 +40,12 @@ query: |
     | where TimeGenerated >= ago(ioc_lookBack)
     | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
     | where Active == true and ExpirationDateTime > now()
+    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+    | where ConfidenceScore > 50
+    // Determine AlertPriority based on ConfidenceScore
+    | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                  ConfidenceScore > 74, "Medium",
+                                  "Low")   
     | where isnotempty(DomainName)
     | extend TI_DomainEntity = DomainName;
   // Join the threat intelligence indicators with syslog data on matching domain entities
@@ -83,5 +89,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.0
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -30,6 +30,12 @@ query: |
     let DOMAIN_TI=ThreatIntelligenceIndicator
     | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
     | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+    | where ConfidenceScore > 50
+    // Determine AlertPriority based on ConfidenceScore
+    | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                  ConfidenceScore > 74, "Medium",
+                                  "Low")    
     | where Active == true
     // Picking up only IOC's that contain the entities we want
     | where isnotempty(DomainName);
@@ -66,7 +72,8 @@ customDetails:
   IoCExpirationTime: ExpirationDateTime
   IoCConfidenceScore: ConfidenceScore
 alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
   alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC
   alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.0.4
+version: 1.1.0
 kind: Scheduled
@@ -28,6 +28,12 @@ query: |
   let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low")   
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -62,5 +68,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.4
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.3.0
 kind: Scheduled
@@ -28,6 +28,12 @@ query: |
   let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low")   
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -60,5 +66,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.4
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.3.0
 kind: Scheduled
@@ -28,6 +28,12 @@ query: |
   let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -61,5 +67,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.4
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.3.0
 kind: Scheduled
@@ -28,6 +28,12 @@ query: |
   let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -67,5 +73,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.5
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.3.0
 kind: Scheduled
@@ -34,6 +34,12 @@ query: |
   let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -85,5 +91,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.3.4
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.4.0
 kind: Scheduled
@@ -32,6 +32,12 @@ query: |
   let aadFunc = (tableName:string){
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   //Filtering the table for Email related IOCs
@@ -75,5 +81,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.4
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.3.0
 kind: Scheduled
@@ -27,6 +27,12 @@ query: |
   let ioc_lookBack = 14d;
   let fileHashIndicators = ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   | where isnotempty(FileHashValue);
@@ -75,5 +81,7 @@ entityMappings:
         columnName: FileHashValue
       - identifier: Algorithm
         columnName: FileHashType
-version: 1.3.3
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.4.0
 kind: Scheduled
@@ -33,6 +33,12 @@ query: |
   let ioc_lookBack = 14d;
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+  // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+  | where ConfidenceScore > 50
+  // Determine AlertPriority based on ConfidenceScore
+  | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                ConfidenceScore > 74, "Medium",
+                                "Low") 
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   | where isnotempty(FileHashValue)
@@ -81,5 +87,7 @@ entityMappings:
         columnName: FileHashValue
       - identifier: Algorithm
         columnName: FileHashType
-version: 1.4.3
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled
@@ -36,6 +36,12 @@ query: |
     | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
     | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
     | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+    // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. 
+    | where ConfidenceScore > 50
+    // Determine AlertPriority based on ConfidenceScore
+    | extend AlertPriority = case(ConfidenceScore > 82, "High",
+                                  ConfidenceScore > 74, "Medium",
+                                  "Low")
     // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
     | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
   // Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
@@ -70,5 +76,7 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.0
+alertDetailsOverride:
+  alertSeverityColumnName: AlertPriority
+version: 1.5.0
 kind: Scheduled