Consuming threat data in a flat file

IOCs.  You can’t afford one of those $70,000 feeds of hashes and IP addresses (and larger companies may be wasting their money anyway), but from time to time you receive a bunch of indicators from a reliable source and you don’t want them to go to waste.  If you are a Microsoft shop, step one might be pasting those indicators into a spreadsheet template and uploading them into the MS365 portal.  That’s great for protecting yourself right now and going forward, but what about looking back in time to make sure that you weren’t already pwned?  Sure, you could construct a query with a huge array, but referencing a text file would be a lot easier.

Here are instructions for using Azure Sentinel to do this with minimal fuss.

Prerequisites: an Azure Sentinel instance with the Microsoft 365 Defender data connector in place

Ingredient: a simple text file called evilipaddrs.txt which is just a list of known bad IPs, one per line.

Steps:

Azure Portal -> Create blob storage in the Storage Accounts blade

(You do NOT want to give access for the world at large to this storage)

Browse to Storage Explorer/Blob Containers/Your new storage, click Upload to upload evilipaddrs.txt

Right-click on your newly uploaded file and select “Get Shared Access Signature…” – this generates a URL you can use in your Sentinel query

a. Note the Start and Expiry Time – you’ll want to set the expiry time out to a date you are comfortable with

b. Leave the permissions alone (it should default to read/list)

c. Click Create and copy the URI on the dialog that appears and paste it someplace safe

d. Click Close


Now hop over to Azure Sentinel/Logs

Paste in this query:

let badipaddresses = (externaldata(bad_ip: string)
[@"Your URL WILL GO HERE"]
with (format="txt"))
// skip comment lines and blank lines in the reference file
| where isnotempty(bad_ip) and bad_ip !startswith "#"
| project bad_ip;
badipaddresses
| join kind=inner
(
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
// the original post cuts off after the time filter; the join key below is assumed
// (RemoteIP is the destination address column of DeviceNetworkEvents)
) on $left.bad_ip == $right.RemoteIP


Replace "Your URL WILL GO HERE" with the link (keep the quotation marks), and run the query.  That’s it!
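If you want the same lookback to cover more than one indicator type, here is an added example (not part of the original post) that swaps the bare IP list for a two-column CSV of type,value and checks it against DeviceNetworkEvents and DeviceFileEvents; the file layout, the column names ioc_type/ioc_value and the SAS URL placeholder are assumptions.

```kql
// Added example, not from the original post. Assumed reference file layout (CSV with header):
//   type,value
//   ip,203.0.113.10
//   domain,bad.example
//   sha256,<lowercase hex digest>
let indicators = externaldata(ioc_type: string, ioc_value: string)
    [@"Your URL WILL GO HERE"]            // SAS URL placeholder, paste your own
    with (format="csv", ignoreFirstRecord=true)
    | where isnotempty(ioc_value) and ioc_value !startswith "#"
    | extend ioc_type = tolower(trim(" ", ioc_type)), ioc_value = trim(" ", ioc_value);
let lookback = 90d;
// Outbound connections to a listed IP address
let ip_hits = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | join kind=inner (indicators | where ioc_type == "ip") on $left.RemoteIP == $right.ioc_value
    | project TimeGenerated, DeviceName, ioc_type, ioc_value,
              Detail = strcat(RemoteIP, ":", tostring(RemotePort)), InitiatingProcessFileName;
// Connections whose RemoteUrl host (bare FQDN or full URL) matches a listed domain
let domain_hits = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback) and isnotempty(RemoteUrl)
    | extend host = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
    | join kind=inner (indicators | where ioc_type == "domain" | extend host = tolower(ioc_value)) on host
    | project TimeGenerated, DeviceName, ioc_type, ioc_value, Detail = RemoteUrl, InitiatingProcessFileName;
// File events whose SHA256 appears in the list
let hash_hits = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | join kind=inner (indicators | where ioc_type == "sha256" | extend SHA256 = tolower(ioc_value)) on SHA256
    | project TimeGenerated, DeviceName, ioc_type, ioc_value, Detail = FolderPath, InitiatingProcessFileName;
union ip_hits, domain_hits, hash_hits
| order by TimeGenerated desc
```

An empty result set means none of the listed indicators appeared in the retained Defender telemetry for the lookback window, not that the file failed to load; test the externaldata part on its own first if you doubt the SAS URL.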

Other notes:

Instead of Azure Storage, you may ask, can you just park the file in OneDrive and share it out with a link?  That should work, but you might not want to enable the ability to share a file to “anyone with a link” in the first place.

Google Drive might be an option – and I tried that – but I don’t see a way to link to a text file that presents the raw data (rather than a web page “viewer” showing the file alongside a mess of other material you don’t want to wade through).

Deeper dives on this topic

https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel/ba-p/1091306
https://thewindowsupdate.com/2020/01/06/implementing-lookups-in-azure-sentinel-part-1-reference-files/
