Merge pull request Azure#13198 from VirusTotal/feat-threat-hunting-google-threat-intelligence

Feat: Threat Hunting Google Threat Intelligence

Author: v-atulyadav

Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntDomain.yaml

@@ -0,0 +1,52 @@
+id: "d9e1646c-dc17-4150-ac85-581f5c9cb41f"
+name: Google Threat Intelligence - Threat Hunting Domain
+description: |
+  'Google Threat Intelligence domain correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+queryFrequency: 30m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+  - T1071
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Google Threat Intelligence Match'
+  alertDescriptionFormat: 'Correlation found from the {{Type}} table.'
+query: |
+  let ioc_lookBack = 1d;
+  _Im_Dns
+  | where isnotempty(DnsQuery)
+  | extend lowerDomain=tolower(DnsQuery)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey == 'domain-name:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | where TimeGenerated >= ago(ioc_lookBack)
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  | extend lowerDomain=tolower(ObservableValue)
+  ) on lowerDomain
+  | project Domain=ObservableValue, Description=Data.description, Type, TimeGenerated
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Domain
+version: 1.0.0
+kind: Scheduled

Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntHash.yaml

@@ -0,0 +1,54 @@
+id: "8f9cd0e5-b4ab-4821-95e2-1082fcd784c7"
+name: Google Threat Intelligence - Threat Hunting Hash
+description: |
+  'Google Threat Intelligence hash correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+queryFrequency: 30m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Execution
+relevantTechniques:
+  - T1059
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Google Threat Intelligence Match'
+  alertDescriptionFormat: 'Correlation found from the {{Type}} table.'
+query: |
+  let ioc_lookBack = 1d;
+  _Im_FileEvent
+  | where isnotempty(Hash)
+  | extend lowerHash=tolower(Hash)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey contains 'file:hashes'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | where TimeGenerated >= ago(ioc_lookBack)
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  | extend lowerHash=tolower(ObservableValue)
+  ) on lowerHash
+  | project Hash=ObservableValue, HashType=extract("file:hashes.('[^']*')", 1, ObservableKey), Description=Data.description, Type, TimeGenerated
+entityMappings:
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Value
+        columnName: Hash
+      - identifier: Algorithm
+        columnName: HashType
+version: 1.0.0
+kind: Scheduled

Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntIp.yaml

@@ -0,0 +1,50 @@
+id: "7edb2abb-7ef7-4685-92eb-a628703ccf9f"
+name: Google Threat Intelligence - Threat Hunting IP
+description: |
+  'Google Threat Intelligence IP correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+queryFrequency: 30m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+  - T1071
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Google Threat Intelligence Match'
+  alertDescriptionFormat: 'Correlation found from the {{Type}} table.'
+query: |
+  let ioc_lookBack = 1d;
+  _Im_NetworkSession
+  | where isnotempty(DstIpAddr)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey == 'ipv4-addr:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | where TimeGenerated >= ago(ioc_lookBack)
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  ) on $left.DstIpAddr == $right.ObservableValue
+  | project NetworkIP=ObservableValue, Description=Data.description, Type, TimeGenerated
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: NetworkIP
+version: 1.0.0
+kind: Scheduled

Solutions/Google Threat Intelligence/Analytic Rules/ThreatHunting/ThreatHuntUrl.yaml

@@ -0,0 +1,52 @@
+id: "89290690-54c4-4196-91c5-d32b1df5d873"
+name: Google Threat Intelligence - Threat Hunting Url
+description: |
+  'Google Threat Intelligence Url correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+queryFrequency: 30m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Google Threat Intelligence Match'
+  alertDescriptionFormat: 'Correlation found from the {{Type}} table.'
+query: |
+  let ioc_lookBack = 1d;
+  _Im_WebSession
+  | where isnotempty(Url)
+  | extend lowerUrl=tolower(Url)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey == 'url:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | where TimeGenerated >= ago(ioc_lookBack)
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  | extend lowerUrl=tolower(ObservableValue)
+  ) on lowerUrl
+  | project Url=ObservableValue, Description=Data.description, Type, TimeGenerated
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Url
+version: 1.0.0
+kind: Scheduled

Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json

@@ -5,8 +5,18 @@
   "Description": "This Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.",
   "Data Connectors": [],
   "Parsers": [],
-  "Hunting Queries": [],
-  "Analytic Rules": [],
+  "Hunting Queries": [
+    "Hunting Queries/ThreatHuntHash.yaml",
+    "Hunting Queries/ThreatHuntIp.yaml",
+    "Hunting Queries/ThreatHuntDomain.yaml",
+    "Hunting Queries/ThreatHuntUrl.yaml"
+  ],
+  "Analytic Rules": [
+    "Analytic Rules/ThreatHunting/ThreatHuntHash.yaml",
+    "Analytic Rules/ThreatHunting/ThreatHuntIp.yaml",
+    "Analytic Rules/ThreatHunting/ThreatHuntDomain.yaml",
+    "Analytic Rules/ThreatHunting/ThreatHuntUrl.yaml"
+  ],
   "Workbooks": [],
   "Playbooks": [
     "Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json",

Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntDomain.yaml

@@ -0,0 +1,35 @@
+id: "34288e97-5194-4f2e-abf2-c2783189f6ae"
+name: Google Threat Intelligence - Threat Hunting Domain
+description: |
+  'Google Threat Intelligence domain correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+tags:
+  - GoogleThreatIntelligence
+query: |
+  _Im_Dns
+  | where isnotempty(Domain)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey == 'domain-name:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  ) on $left.Domain == $right.ObservableValue
+  | project Domain, DstIpAddr
+  | extend IP_0_Address = DstIpAddr
+  | extend DNS_0_DomainName = Domain
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Domain
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: DstIpAddr
+version: 1.0.0

Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntHash.yaml

@@ -0,0 +1,35 @@
+id: "0051a0d9-684f-4317-abbd-c1e5c24b39cb"
+name: Google Threat Intelligence - Threat Hunting Hash
+description: |
+  'Google Threat Intelligence hash correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+tags:
+  - GoogleThreatIntelligence
+query: |
+  _Im_FileEvent
+  | where isnotempty(Hash)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey contains 'file:hashes'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  ) on $left.Hash == $right.ObservableValue
+  | project Hash, HashType
+  | extend FileHash_0_Value = Hash
+  | extend FileHash_0_Algorithm = HashType
+entityMappings:
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Value
+        columnName: Hash
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Algorithm
+        columnName: HashType
+version: 1.0.0

Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntIp.yaml

@@ -0,0 +1,30 @@
+id: "faa83502-2763-49ae-9216-e576fa1fdccb"
+name: Google Threat Intelligence - Threat Hunting IP
+description: |
+  'Google Threat Intelligence IP correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+tags:
+  - GoogleThreatIntelligence
+query: |
+  _Im_NetworkSession
+  | where isnotempty(DstIpAddr)
+  | join kind= innerunique  (
+  ThreatIntelIndicators
+  | where ObservableKey == 'ipv4-addr:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  ) on $left.DstIpAddr == $right.ObservableValue
+  | project DstIpAddr
+  | extend IP_0_Address = DstIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: DstIpAddr
+version: 1.0.0

Solutions/Google Threat Intelligence/Hunting Queries/ThreatHuntUrl.yaml

@@ -0,0 +1,30 @@
+id: "a1705fa5-c904-4f1b-9e2d-a4ccb30377a2"
+name: Google Threat Intelligence - Threat Hunting Url
+description: |
+  'Google Threat Intelligence Url correlation.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelIndicators
+tags:
+  - GoogleThreatIntelligence
+query: |
+  _Im_WebSession
+  | where isnotempty(Url)
+  | join kind=inner (
+  ThreatIntelIndicators
+  | where ObservableKey == 'url:value'
+  | where isnotempty(ObservableValue)
+  | where SourceSystem == "Google Threat Intelligence"
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
+  | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
+  ) on $left.Url == $right.ObservableValue
+  | project Url
+  | extend URL_0_Url = Url
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Url
+version: 1.0.0