RecordedFuture Threat Hunting Hash All Actors

Back


Id	6db6a8e6-2959-440b-ba57-a505875fcb37
Rulename	RecordedFuture Threat Hunting Hash All Actors
Description	Recorded Future Threat Hunting hash correlation for all actors.
Severity	Medium
Required data connectors	ThreatIntelligenceUploadIndicatorsAPI
Kind	Scheduled
Query frequency	15m
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingHashAllActors.yaml
Version	1.0.3
Arm template	6db6a8e6-2959-440b-ba57-a505875fcb37.json

KQL

let ioc_lookBack = 1d;
// The source table (imDns) can be replaced by any infrastructure table containing Hash data.
// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns  
imFileEvent
| where isnotempty(Hash)
| extend lowerHash=tolower(Hash)
| join kind=inner (
ThreatIntelligenceIndicator
// Only look for IOCs
| where isnotempty(FileHashValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators  
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| extend lowerHash=tolower(FileHashValue)
) on lowerHash
// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink

YAML

incidentConfiguration:
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1h
    reopenClosedIncident: false
  createIncident: true
queryPeriod: 1d
kind: Scheduled
version: 1.0.3
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Value
    columnName: Hash
  - identifier: Algorithm
    columnName: HashType
  entityType: FileHash
name: RecordedFuture Threat Hunting Hash All Actors
customDetails:
  ActorInformation: RecordedFuturePortalLink
alertDetailsOverride:
  alertDisplayNameFormat: '{{Description}}'
  alertDescriptionFormat: '**{{Description}}**\n\nCorrelation found on {{Hash}} from the {{Type}} table.\n'
  alertDynamicProperties:
  - value: RecordedFuturePortalLink
    alertProperty: AlertLink
queryFrequency: 15m
id: 6db6a8e6-2959-440b-ba57-a505875fcb37
severity: Medium
description: |
    'Recorded Future Threat Hunting hash correlation for all actors.'
query: |
  let ioc_lookBack = 1d;
  // The source table (imDns) can be replaced by any infrastructure table containing Hash data.
  // The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns  
  imFileEvent
  | where isnotempty(Hash)
  | extend lowerHash=tolower(Hash)
  | join kind=inner (
  ThreatIntelligenceIndicator
  // Only look for IOCs
  | where isnotempty(FileHashValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators  
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | extend lowerHash=tolower(FileHashValue)
  ) on lowerHash
  // select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
  | project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingHashAllActors.yaml
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6db6a8e6-2959-440b-ba57-a505875fcb37')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6db6a8e6-2959-440b-ba57-a505875fcb37')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n",
          "alertDisplayNameFormat": "{{Description}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "RecordedFuturePortalLink"
            }
          ]
        },
        "alertRuleTemplateName": "6db6a8e6-2959-440b-ba57-a505875fcb37",
        "customDetails": {
          "ActorInformation": "RecordedFuturePortalLink"
        },
        "description": "'Recorded Future Threat Hunting hash correlation for all actors.'\n",
        "displayName": "RecordedFuture Threat Hunting Hash All Actors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Hash",
                "identifier": "Value"
              },
              {
                "columnName": "HashType",
                "identifier": "Algorithm"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingHashAllActors.yaml",
        "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing Hash data.\n// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns  \nimFileEvent\n| where isnotempty(Hash)\n| extend lowerHash=tolower(Hash)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(FileHashValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators  \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerHash=tolower(FileHashValue)\n) on lowerHash\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}