Patch 1 ThreatIntelIndicator Table Evolution

Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql

@@ -8,6 +8,14 @@ MicrosoftGraphActivityLogs
 | distinct IPAddress
 | join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP
 
+// Add New Query for new Table ThreatIntelIndicators as the previous one is deprecated and will shut down soon. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
+
+MicrosoftGraphActivityLogs
+| where TimeGenerated > ago(1h)
+| distinct IPAddress
+| join kind = inner (ThreatIntelIndicators
+| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic"))on $left.IPAddress == $right.ObservableValue
+
 //Microsoft have released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment. 
 
 SigninLogs

Sentinel/Detecting TeamsPhisher attack with Azure Sentinel.kql

@@ -15,6 +15,23 @@ and UserId !endswith "your_corporate_domain_3"
 | distinct UserIPs
 | join ThreatIntelligenceIndicator on $left.UserIPs == $right.NetworkIP
 
+// Upgrade Detection to new Table ThreatIntelIndicators. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators 
+
+OfficeActivity
+| where TimeGenerated > ago(1h)
+| where RecordType =~ 'MicrosoftTeams'
+| where Operation == "MessageCreatedHasLink"
+| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
+| where UserId !endswith "your_corporate_domain_1"     // Filter off all internal teams user 1-to-1 message
+and UserId !endswith "your_corporate_domain_2"
+and UserId !endswith "your_corporate_domain_3"
+| extend UserDomains = tostring(split(UserId, '@')[1])
+| extend UserIPs = tostring(split(ClientIP, '::ffff:')[1])
+| where UserIPs != ""
+| distinct UserIPs
+| join kind = inner ThreatIntelIndicators
+| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic") )on $left.UserIPs == $right.ObservableValue
+
 // MITRE ATT&CK Mapping
 
 // Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

Sentinel/M365 Copilot Extensions Threat Monitoring.kql

@@ -24,6 +24,23 @@ CloudAppEvents
 | extend Action = tostring(PluginAccessURL.Action)
 | join ThreatIntelligenceIndicator on $left.Domain == $right.DomainName
 
+// Upgrade Detection to new Table ThreatIntelIndicators. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators 
+
+CloudAppEvents
+| where TimeGenerated > ago(1h)
+| where ActionType == @"CopilotInteraction"
+| extend UserID = tostring(RawEventData.UserId)
+| extend CopilotData = todynamic(RawEventData.CopilotEventData)
+| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
+| where isnotempty(CopilotPlugin)
+| extend PluginAccessURL = tostring(CopilotData.AccessedResources)
+| mv-expand todynamic(PluginAccessURL)
+| where PluginAccessURL has "SiteUrl"
+| extend Url = tostring(PluginAccessURL.SiteUrl)
+| extend Domain = tostring(parse_url(Url).Host)
+| extend Action = tostring(PluginAccessURL.Action)
+| join kind = inner (ThreatIntelligenceIndicator
+| where IndicatorType == "domain-name"  )on $left.Domain == $right.ObservableValue
 
 // MITRE ATT&CK
 // T1116 Browser Extensions