Oct 27 2021 03:31 AM
Hey all
Working on anomaly-based detections linked to scheduled rules - i.e. using the rules which generated security alerts (and thus security incidents) to then do a lookup against the anomaly table (blade). Has anyone worked on this? We have a few ideas, but the lack of consistency in the anomaly table compared with the other blades is making it "difficult". We have this as an idea - one for account and then one for IP ... any thoughts?
Essentially looking to complement security incidents with any information linked to the user / IP etc. in an automated way, rather than a manual lookup or notebook.
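// Latest state of each incident from the last 24h, joined to the alert that
// raised it. SecurityIncident writes a new row on every incident update, so
// arg_max keeps one row per IncidentNumber instead of one per modification;
// the same is done for SecurityAlert, which also logs a row per state change.
// (The original line read "et ..." - the missing "l" made the query fail.)
let mySecurityIncidentTable = SecurityIncident
| where TimeGenerated > ago(24h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Only the first alert of the incident is used; incidents with several
// alerts would need an mv-expand on AlertIds to enrich the others as well.
| extend myAlertIds = tostring(AlertIds[0])
// kind=inner keeps every incident row; the default innerunique keeps only
// one left-side row per alert id. SecurityAlert is left without a time
// filter here because the alert may predate the incident's latest update.
| join kind=inner (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | extend mySystemAlertId = tostring(SystemAlertId)
) on $left.myAlertIds == $right.mySystemAlertId;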
//
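// Incidents whose alert carries a "User Name" extended property. The value is
// read from the parsed JSON rather than by splitting the raw text, so key
// order, spacing after the colon and JSON escaping no longer matter. The
// column stays dynamic (as split()[1] was) so the later union lines up.
let Username1Table = mySecurityIncidentTable
| extend UsernameBase = parse_json(ExtendedProperties)["User Name"]
| where isnotempty(UsernameBase)
// parse_json decodes the value, so a DOMAIN\user name now holds a single
// backslash (the raw JSON text held the escaped "\\"); keep the user part.
| extend Username = iff(tostring(UsernameBase) contains @"\", split(tostring(UsernameBase), @"\")[1], UsernameBase);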
//
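// Incidents whose alert carries a "Client principal name" extended property,
// read from the parsed JSON instead of by splitting the raw text. The column
// stays dynamic (as split()[1] was) so the later union lines up.
let Username2Table = mySecurityIncidentTable
| extend UsernameBase = parse_json(ExtendedProperties)["Client principal name"]
| where isnotempty(UsernameBase)
// The decoded value holds a single backslash for DOMAIN\user (the raw JSON
// text held the escaped "\\"); keep only the user part.
| extend Username = iff(tostring(UsernameBase) contains @"\", split(tostring(UsernameBase), @"\")[1], UsernameBase);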
//
// One row per incident/username from both extraction paths. Username is
// forced to string so it can be joined against IdentityInfo.AccountName.
let UsernameTable = union Username1Table, Username2Table
| extend Username = tostring(Username);
//
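// Resolve the extracted account name to its UPN. IdentityInfo holds one
// snapshot row per refresh, so arg_max keeps only the newest row per
// AccountUPN; kind=inner keeps every incident row (the default innerunique
// would keep only one incident per account name).
// NOTE(review): this assumes the extracted name is in AccountName (SAM)
// form; a UPN-style "user@domain" value will not match - confirm on data.
let UsernameUPNTable = UsernameTable
| join kind=inner (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
) on $left.Username == $right.AccountName;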
//
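// Enrich each incident/user pair with that user's anomalies from the last
// 7 days. kind=inner keeps every incident row rather than one per UPN.
// NOTE: the 7d window is not tied to the incident's own time; anchor it to
// the incident's activity time if tighter correlation is wanted.
UsernameUPNTable
| join kind=inner (Anomalies | where TimeGenerated > ago(7d)) on $left.AccountUPN == $right.UserPrincipalName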
=================================================================
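// Latest state of each incident from the last 24h, joined to the alert that
// raised it. SecurityIncident writes a new row on every incident update, so
// arg_max keeps one row per IncidentNumber instead of one per modification;
// the same is done for SecurityAlert, which also logs a row per state change.
let mySecurityIncidentTable = SecurityIncident
| where TimeGenerated > ago(24h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Only the first alert of the incident is used; incidents with several
// alerts would need an mv-expand on AlertIds to enrich the others as well.
| extend myAlertIds = tostring(AlertIds[0])
// kind=inner keeps every incident row; the default innerunique keeps only
// one left-side row per alert id. SecurityAlert is left without a time
// filter here because the alert may predate the incident's latest update.
| join kind=inner (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | extend mySystemAlertId = tostring(SystemAlertId)
) on $left.myAlertIds == $right.mySystemAlertId;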
//
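// Incidents whose alert carries a "Client IP address" extended property,
// read from the parsed JSON instead of by splitting the raw text (key order,
// spacing and escaping no longer matter). The column stays dynamic, as
// split()[1] was, so the later union lines up.
let IPAddress1Table = mySecurityIncidentTable
| extend IPAddress = parse_json(ExtendedProperties)["Client IP address"]
| where isnotempty(IPAddress);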
//
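// Incidents whose alert carries an "IP Addresses" extended property, read
// from the parsed JSON instead of by splitting the raw text. The property
// name is plural, so a JSON array is also handled: the first element is
// taken, which is what the quote-splitting extraction produced for arrays.
// A scalar value is used as-is. The column stays dynamic so the union lines up.
let IPAddress2Table = mySecurityIncidentTable
| extend IPAddressRaw = parse_json(ExtendedProperties)["IP Addresses"]
| extend IPAddress = iff(gettype(IPAddressRaw) == "array", IPAddressRaw[0], IPAddressRaw)
| project-away IPAddressRaw
| where isnotempty(IPAddress);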
//
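// Incidents whose alert carries an "Attacker IP" extended property, read
// from the parsed JSON instead of by splitting the raw text. The column
// stays dynamic, as split()[1] was, so the later union lines up.
let IPAddress3Table = mySecurityIncidentTable
| extend IPAddress = parse_json(ExtendedProperties)["Attacker IP"]
| where isnotempty(IPAddress);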
//
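// Incidents whose alert carries a "Victim IP" extended property, read from
// the parsed JSON instead of by splitting the raw text. The column stays
// dynamic, as split()[1] was, so the later union lines up.
let IPAddress4Table = mySecurityIncidentTable
| extend IPAddress = parse_json(ExtendedProperties)["Victim IP"]
| where isnotempty(IPAddress);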
//
// One row per incident/IP from all four extraction paths. IPAddress is
// forced to string so it can be joined against the Anomalies entity address.
let IPAddressTable = union IPAddress1Table, IPAddress2Table, IPAddress3Table, IPAddress4Table
| extend IPAddress = tostring(IPAddress);
//
Anomalies
| extend IPAddress = tostring(Entities[0].Address)
| join IPAddressTable on IPAddres