Add Red Sift solution (Push connector via Codeless Connector Framework)

New Microsoft Sentinel solution that ingests Red Sift events via a push CCF connector.

Includes:
- connector definition, DCR, and table schemas for RedSiftAuth_CL and RedSiftEmailForensics_CL
- five analytic rules for new IP logins, MFA disabled events, and suspicious email URL activity
- solution data and metadata for the initial Red Sift release

Author: earada

Logos/redsift_logo.svg

@@ -0,0 +1,101 @@
+id: 6e0b70d4-0ab8-480e-9707-8ad45fc21a65
+name: Red Sift - New Email with URL from Previously Unseen Sender
+description: |
+  'Detects email forensics events that contain one or more URLs where the sender in the from field has not been seen in the previous 14 days, which may indicate phishing activity or a newly observed sender.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: RedSiftPush
+    dataTypes:
+      - RedSiftEmailForensics_CL
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let lookback = 14d;
+  let recentWindow = 1h;
+  let historicalSenders = RedSiftEmailForensics_CL
+  | extend
+      EmailFrom = tostring(column_ifexists("EmailFrom", ""))
+  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
+  | where isnotempty(EmailFrom)
+  | summarize by EmailFrom;
+  RedSiftEmailForensics_CL
+  | extend
+      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
+      EmailSubject = tostring(column_ifexists("EmailSubject", "")),
+      EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
+      EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
+      SrcIp = tostring(column_ifexists("SrcIp", "")),
+      DstHostname = tostring(column_ifexists("DstHostname", "")),
+      Severity = tostring(column_ifexists("Severity", "")),
+      Message = tostring(column_ifexists("Message", "")),
+      CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
+      EmailUrls = todynamic(column_ifexists("EmailUrls", dynamic([])))
+  | where TimeGenerated >= ago(recentWindow)
+  | where isnotempty(EmailFrom)
+  | extend UrlCount = array_length(EmailUrls)
+  | where UrlCount > 0
+  | mv-apply Url = EmailUrls on (
+      summarize UrlSet = make_set(tostring(Url.url_string), 50)
+    )
+  | extend UrlList = strcat_array(UrlSet, ", ")
+  | join kind=leftanti (historicalSenders) on EmailFrom
+  | project
+      TimeGenerated,
+      EmailFrom,
+      EmailSubject,
+      EmailReturnPath,
+      EmailMessageUid,
+      SrcIp,
+      DstHostname,
+      UrlCount,
+      UrlList,
+      Severity,
+      Message,
+      CorrelationUid
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: EmailFrom
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SrcIp
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DstHostname
+customDetails:
+  EmailSubject: EmailSubject
+  ReturnPath: EmailReturnPath
+  UrlCount: UrlCount
+  UrlList: UrlList
+  CorrelationUid: CorrelationUid
+alertDetailsOverride:
+  alertDisplayNameFormat: "RedSift - New URL-bearing sender {{EmailFrom}}"
+  alertDescriptionFormat: "Email from previously unseen sender {{EmailFrom}} contains {{UrlCount}} URL(s)."
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: P1D
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - EmailSubject
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+suppressionDuration: PT1H
+version: 1.0.0
+kind: Scheduled

Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml

@@ -0,0 +1,103 @@
+id: 6084dfd8-830b-4839-9a9c-5f08cc984729
+name: Red Sift - New Email with URL from Previously Unseen Source
+description: |
+  'Detects email forensics events that contain one or more URLs where the sender is using a source IP address not seen in the previous 14 days, which may indicate suspicious infrastructure changes or phishing activity.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: RedSiftPush
+    dataTypes:
+      - RedSiftEmailForensics_CL
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let lookback = 14d;
+  let recentWindow = 1h;
+  let historicalSources = RedSiftEmailForensics_CL
+  | extend
+      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
+      SrcIp = tostring(column_ifexists("SrcIp", ""))
+  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
+  | where isnotempty(EmailFrom) and isnotempty(SrcIp)
+  | summarize by EmailFrom, SrcIp;
+  RedSiftEmailForensics_CL
+  | extend
+      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
+      EmailSubject = tostring(column_ifexists("EmailSubject", "")),
+      EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
+      EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
+      SrcIp = tostring(column_ifexists("SrcIp", "")),
+      DstHostname = tostring(column_ifexists("DstHostname", "")),
+      Severity = tostring(column_ifexists("Severity", "")),
+      Message = tostring(column_ifexists("Message", "")),
+      CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
+      EmailUrls = todynamic(column_ifexists("EmailUrls", dynamic([])))
+  | where TimeGenerated >= ago(recentWindow)
+  | where isnotempty(EmailFrom) and isnotempty(SrcIp)
+  | extend UrlCount = array_length(EmailUrls)
+  | where UrlCount > 0
+  | mv-apply Url = EmailUrls on (
+      summarize UrlSet = make_set(tostring(Url.url_string), 50)
+    )
+  | extend UrlList = strcat_array(UrlSet, ", ")
+  | join kind=leftanti (historicalSources) on EmailFrom, SrcIp
+  | project
+      TimeGenerated,
+      EmailFrom,
+      EmailSubject,
+      EmailReturnPath,
+      EmailMessageUid,
+      SrcIp,
+      DstHostname,
+      UrlCount,
+      UrlList,
+      Severity,
+      Message,
+      CorrelationUid
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: EmailFrom
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SrcIp
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DstHostname
+customDetails:
+  EmailSubject: EmailSubject
+  ReturnPath: EmailReturnPath
+  UrlCount: UrlCount
+  UrlList: UrlList
+  CorrelationUid: CorrelationUid
+alertDetailsOverride:
+  alertDisplayNameFormat: "RedSift - New URL-bearing email source for {{EmailFrom}}"
+  alertDescriptionFormat: "Email from {{EmailFrom}} contains {{UrlCount}} URL(s) and originated from previously unseen source IP {{SrcIp}}."
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: P1D
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+      - IP
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - EmailSubject
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+suppressionDuration: PT1H
+version: 1.0.0
+kind: Scheduled

Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml

@@ -0,0 +1,128 @@
+id: 8972b513-12a2-4b46-8263-3f091d88a8bc
+name: Red Sift - Email with URL to Previously Unseen Domain
+description: |
+  'Detects email forensics events containing one or more URLs whose domain has not been seen in the previous 14 days, which may indicate newly observed phishing infrastructure or suspicious delivery patterns.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: RedSiftPush
+    dataTypes:
+      - RedSiftEmailForensics_CL
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let lookback = 14d;
+  let recentWindow = 1h;
+  let historicalDomains = RedSiftEmailForensics_CL
+  | extend EmailUrls = todynamic(EmailUrls)
+  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
+  | where isnotempty(EmailUrls) and array_length(EmailUrls) > 0
+  | mv-expand Url = EmailUrls
+  | extend UrlString = tostring(Url.url_string)
+  | where isnotempty(UrlString)
+  | extend UrlDomain = tostring(parse_url(UrlString).Host)
+  | where isnotempty(UrlDomain)
+  | summarize by UrlDomain;
+  RedSiftEmailForensics_CL
+  | extend
+      EmailFrom = tostring(column_ifexists("EmailFrom", "")),
+      EmailSubject = tostring(column_ifexists("EmailSubject", "")),
+      EmailReturnPath = tostring(column_ifexists("EmailReturnPath", "")),
+      EmailMessageUid = tostring(column_ifexists("EmailMessageUid", "")),
+      SrcIp = tostring(column_ifexists("SrcIp", "")),
+      DstHostname = tostring(column_ifexists("DstHostname", "")),
+      Severity = tostring(column_ifexists("Severity", "")),
+      Message = tostring(column_ifexists("Message", "")),
+      CorrelationUid = tostring(column_ifexists("CorrelationUid", "")),
+      EmailUrls = todynamic(EmailUrls)
+  | where TimeGenerated >= ago(recentWindow)
+  | where isnotempty(EmailUrls) and array_length(EmailUrls) > 0
+  | mv-expand Url = EmailUrls
+  | extend UrlString = tostring(Url.url_string)
+  | where isnotempty(UrlString)
+  | extend UrlDomain = tostring(parse_url(UrlString).Host)
+  | where isnotempty(UrlDomain)
+  | join kind=leftanti (historicalDomains) on UrlDomain
+  | summarize
+      NewUrlDomains = make_set(UrlDomain, 50),
+      NewUrls = make_set(UrlString, 50),
+      NewDomainCount = dcount(UrlDomain),
+      UrlCount = dcount(UrlString),
+      RepresentativeUrlDomain = take_any(UrlDomain)
+      by TimeGenerated,
+      EmailFrom,
+      EmailSubject,
+      EmailReturnPath,
+      EmailMessageUid,
+      SrcIp,
+      DstHostname,
+      Severity,
+      Message,
+      CorrelationUid
+  | extend
+      NewUrlDomainList = strcat_array(NewUrlDomains, ", "),
+      NewUrlList = strcat_array(NewUrls, ", ")
+  | project
+      TimeGenerated,
+      EmailFrom,
+      EmailSubject,
+      EmailReturnPath,
+      EmailMessageUid,
+      SrcIp,
+      DstHostname,
+      RepresentativeUrlDomain,
+      NewDomainCount,
+      UrlCount,
+      NewUrlDomainList,
+      NewUrlList,
+      Severity,
+      Message,
+      CorrelationUid
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: EmailFrom
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SrcIp
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: RepresentativeUrlDomain
+customDetails:
+  EmailSubject: EmailSubject
+  ReturnPath: EmailReturnPath
+  NewDomainCount: NewDomainCount
+  NewUrlDomainList: NewUrlDomainList
+  NewUrlList: NewUrlList
+  CorrelationUid: CorrelationUid
+alertDetailsOverride:
+  alertDisplayNameFormat: "RedSift - URL to new domain in email from {{EmailFrom}}"
+  alertDescriptionFormat: "Email from {{EmailFrom}} contains {{NewDomainCount}} previously unseen URL domain(s): {{NewUrlDomainList}}."
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: P1D
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+      - DNS
+    groupByAlertDetails: []
+    groupByCustomDetails:
+      - EmailSubject
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+suppressionDuration: PT1H
+version: 1.0.0
+kind: Scheduled