Microsoft Sentinel Analytic Rules

Detection of Specific Hashes in CommonSecurityLog

Id388e197d-ec9e-46b6-addb-947d74d2a5c4
RulenameDetection of Specific Hashes in CommonSecurityLog
DescriptionIdentifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.
SeverityMedium
TacticsPreAttack
TechniquesT1587.001
Required data connectorsCEF
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml
Version1.0.0
Arm template388e197d-ec9e-46b6-addb-947d74d2a5c4.json
// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites
// Flow: take the active Recorded Future hash indicators ingested during the
// last ioc_lookBack, join them on file hash against CommonSecurityLog events
// from the last dt_lookBack, keep only events that fall inside the indicator's
// validity window, and emit one row per indicator carrying the matched event.
let dt_lookBack = 1h;   // event window; same as the rule's query frequency (1h)
let ioc_lookBack = 1d;  // indicator window; same as the rule's query period (1d)
let fileHashIndicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Picking up only Recorded Future IOC's that have been observed in underground testing sites
// (exact, case-sensitive string compare on the indicator description)
| where Description == "Recorded Future - HASH - Observed in Underground Virus Testing Sites"
| where Active == true
| where isnotempty(FileHashValue);
// Handle matches against both lower case and uppercase versions of the hash:
// the join key below is an exact string compare, so every indicator is emitted
// twice, once all-lowercase and once all-uppercase.
// NOTE(review): a mixed-case FileHash in CommonSecurityLog would match neither
// form; lower-casing both sides of the join instead of unioning two copies
// would cover that case — confirm against the CEF sources feeding this workspace.
(fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)
| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))
| join (
  // Only events from the short detection window that actually carry a hash.
  CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)
  | where isnotempty(FileHash)
  // Keep the event time under its own name: after the join, the unsuffixed
  // TimeGenerated is the indicator's (left-side) timestamp.
  | extend CommonSecurityLog_TimeGenerated = TimeGenerated
  )
// Default join flavour (innerunique): one left row per distinct hash value survives.
on $left.FileHashValue == $right.FileHash
// Only count events observed while the indicator was valid: after it was
// published and before it expires.
| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
// Collapse to one alert row per indicator (newest indicator record wins); when
// several events matched the same indicator, which one is carried along is
// effectively arbitrary.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation
// Entity columns consumed by the rule's entityMappings (Account, Host, IP, URL).
// URLCustomEntity is the indicator's Url column, not the event's RequestURL.
| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url
# Scheduled Sentinel analytic rule: runs every hour (queryFrequency) over the
# last day of data (queryPeriod) and raises an alert whenever the query returns
# at least one row (triggerOperator gt, triggerThreshold 0).
triggerOperator: gt
queryFrequency: 1h
# NOTE(review): the single quotes inside this block scalar become part of the
# description string, as the rendered ARM template below shows.
description: |
    'Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.'
status: Available
kind: Scheduled
triggerThreshold: 0
# Declares only the CEF connector (CommonSecurityLog). The query also reads
# ThreatIntelligenceIndicator, which is fed by a threat-intelligence connector
# this rule does not declare — the rule yields nothing until that table is populated.
requiredDataConnectors:
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
version: 1.0.0
queryPeriod: 1d
name: Detection of Specific Hashes in CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml
id: 388e197d-ec9e-46b6-addb-947d74d2a5c4
tactics:
- PreAttack
# NOTE(review): the ARM rendering of this rule below lists only the parent
# technique T1587; confirm the sub-technique survives deployment if the
# ATT&CK mapping is used for reporting.
relevantTechniques:
- T1587.001
severity: Medium
# Each mapping binds to a *CustomEntity column produced by the query's final
# extend. The URL entity is the indicator's Url column, not the event's RequestURL.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
# KQL body: active Recorded Future hash indicators (last 1d) joined on FileHash
# against CommonSecurityLog (last 1h), one alert row per indicator.
query: |
  // Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites
  let dt_lookBack = 1h;
  let ioc_lookBack = 1d;
  let fileHashIndicators = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  // Picking up only Recorded Future IOC's that have been observed in undersground testing sites
  | where Description == "Recorded Future - HASH - Observed in Underground Virus Testing Sites"
  | where Active == true
  | where isnotempty(FileHashValue);
  // Handle matches against both lower case and uppercase versions of the hash:
  (fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)
  | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))
  | join (
    CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(FileHash)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
    )
  on $left.FileHashValue == $right.FileHash
  | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
  CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation
  | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/388e197d-ec9e-46b6-addb-947d74d2a5c4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/388e197d-ec9e-46b6-addb-947d74d2a5c4')]",
      "properties": {
        "alertRuleTemplateName": "388e197d-ec9e-46b6-addb-947d74d2a5c4",
        "customDetails": null,
        "description": "'Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.'\n",
        "displayName": "Detection of Specific Hashes in CommonSecurityLog",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml",
        "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n  CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n  | where isnotempty(FileHash)\n  | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n  )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PreAttack"
        ],
        "techniques": [
          "T1587"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}