anomaly detections linked to rules


Hey all

 

Working on anomaly-based detections linked to scheduled rules - i.e. using the rules which generated the security alerts (and thus the security incidents) to then do a lookup against the anomaly table (blade). Has anyone worked on this? We have a few ideas, but the lack of consistency between the anomaly table and the other blades is making it "difficult". We have this as an idea - one for account and then one for IP ... any thoughts?

 

Essentially looking to complement security incidents with any information linked to the user / IP etc. in an automated way - rather than via a manual lookup or notebook.

 

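// Incidents raised in the last 24h, joined to the SecurityAlert row that
// produced them. Only AlertIds[0] is used, so an incident that groups several
// alerts contributes just its first one (mv-expand AlertIds to keep them all).
// The join uses the default flavour (innerunique), which keeps one left row
// per distinct key.
let mySecurityIncidentTable = SecurityIncident
| where TimeGenerated > ago(24h)
| extend myAlertIds = tostring(AlertIds[0])
| join (SecurityAlert | extend mySystemAlertId = tostring(SystemAlertId)) on $left.myAlertIds == $right.mySystemAlertId;
//
// Account name taken from the "User Name" key of ExtendedProperties. The value
// is sliced out of the raw JSON text (first quoted string after the key), so a
// DOMAIN\user value still carries the JSON-escaped "\\" separator; only the
// user part after it is kept. tostring() is applied at extraction so every
// later comparison works on a string column rather than dynamic.
let Username1Table = mySecurityIncidentTable
| extend UsernameBase = tostring(split(split(ExtendedProperties, '"User Name":')[1], '"')[1])
| where isnotempty(UsernameBase)
| extend Username = iff(UsernameBase contains @"\\", tostring(split(UsernameBase, @"\\")[1]), UsernameBase);
//
// Same extraction for alerts that report the account under
// "Client principal name" instead.
let Username2Table = mySecurityIncidentTable
| extend UsernameBase = tostring(split(split(ExtendedProperties, '"Client principal name":')[1], '"')[1])
| where isnotempty(UsernameBase)
| extend Username = iff(UsernameBase contains @"\\", tostring(split(UsernameBase, @"\\")[1]), UsernameBase);
//
let UsernameTable = Username1Table
| union Username2Table
| extend Username = tostring(Username);
//
// Resolve the short account name to its UPN. IdentityInfo typically holds
// several rows per account over time, so keep only the latest row per
// AccountName to avoid multiplying incident rows in the join.
let UsernameUPNTable = UsernameTable
| join (IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountName) on $left.Username == $right.AccountName;
//
// Anomalies from the last 7d whose UserPrincipalName matches the incident's
// resolved UPN.
UsernameUPNTable
| join (Anomalies | where TimeGenerated > ago(7d)) on $left.AccountUPN == $right.UserPrincipalName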

 

=================================================================

 

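// Incidents raised in the last 24h, joined to the SecurityAlert row that
// produced them. Only AlertIds[0] is used (first alert per incident) and the
// join is the default innerunique flavour.
let mySecurityIncidentTable = SecurityIncident
| where TimeGenerated > ago(24h)
| extend myAlertIds = tostring(AlertIds[0])
| join (SecurityAlert | extend mySystemAlertId = tostring(SystemAlertId)) on $left.myAlertIds == $right.mySystemAlertId;
//
// IP addresses sliced out of the raw ExtendedProperties text: the first
// quoted string following each of four key names used by different alert
// providers. tostring() is applied at extraction so the join key is a string
// column in every branch.
let IPAddress1Table = mySecurityIncidentTable
| extend IPAddress = tostring(split(split(ExtendedProperties, 'Client IP address":')[1], '"')[1])
| where isnotempty(IPAddress);
//
// NOTE(review): "IP Addresses" may carry a list in one quoted value; that
// whole value becomes the key and only joins on an identical string —
// confirm the provider's format.
let IPAddress2Table = mySecurityIncidentTable
| extend IPAddress = tostring(split(split(ExtendedProperties, 'IP Addresses":')[1], '"')[1])
| where isnotempty(IPAddress);
//
let IPAddress3Table = mySecurityIncidentTable
| extend IPAddress = tostring(split(split(ExtendedProperties, 'Attacker IP":')[1], '"')[1])
| where isnotempty(IPAddress);
//
let IPAddress4Table = mySecurityIncidentTable
| extend IPAddress = tostring(split(split(ExtendedProperties, 'Victim IP":')[1], '"')[1])
| where isnotempty(IPAddress);
//
let IPAddressTable = IPAddress1Table
| union IPAddress2Table, IPAddress3Table, IPAddress4Table
| extend IPAddress = tostring(IPAddress);
//
// Anomalies from the last 7d (same window as the account query), joined on
// the address of their first entity; an anomaly whose IP is not Entities[0]
// is missed (mv-expand Entities to widen this). The join key name was
// truncated ("IPAddres") in the posted version.
Anomalies
| where TimeGenerated > ago(7d)
| extend IPAddress = tostring(Entities[0].Address)
| join IPAddressTable on IPAddress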

 
