Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware

Back
Id24dcff02-123c-4e10-a531-2a22a609120a
RulenameCYFIRMA - Medium severity File Hash Indicators with Block Action and Malware
Description“This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes.

It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Block’, and roles marked as ‘Malware’.

Extracted hashes and key threat intelligence details are projected for Blocking and investigation.”
SeverityMedium
TacticsInitialAccess
Execution
Persistence
PrivilegeEscalation
DefenseEvasion
CredentialAccess
Discovery
LateralMovement
Collection
Impact
TechniquesT1566
T1203
T1059
T1204
T1547
T1053
T1055
T1027
T1562
T1036
T1003
T1555
T1082
T1057
T1021
T1113
T1486
T1566.001
T1059.001
T1059.003
T1547.001
T1053.005
T1562.001
T1003.001
T1555.003
T1021.002
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockMediumSeverityRule.yaml
Version1.0.0
Arm template24dcff02-123c-4e10-a531-2a22a609120a.json
Deploy To Azure
// File Hash Indicators with Block Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName
suppressionDuration: 5m
relevantTechniques:
- T1566
- T1203
- T1059
- T1204
- T1547
- T1053
- T1055
- T1027
- T1562
- T1036
- T1003
- T1555
- T1082
- T1057
- T1021
- T1113
- T1486
- T1566.001
- T1059.001
- T1059.003
- T1547.001
- T1053.005
- T1562.001
- T1003.001
- T1555.003
- T1021.002
description: |
  "This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. 
  It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Block', and roles marked as 'Malware'. 
  Extracted hashes and key threat intelligence details are projected for Blocking and investigation."  
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockMediumSeverityRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Block Action and Malware - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProviderName
    alertProperty: ProviderName
  - value: ProductName
    alertProperty: ProductName
query: |
  // File Hash Indicators with Block Action and Malware
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
version: 1.0.0
name: CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5m
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- Execution
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- Impact
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
  entityType: FileHash
suppressionEnabled: true
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
severity: Medium
enabled: false
id: 24dcff02-123c-4e10-a531-2a22a609120a
customDetails:
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  IndicatorID: IndicatorID
  created: created
  modified: modified
  Tags: Tags
  Country: Country
  SecurityVendors: SecurityVendors
  TimeGenerated: TimeGenerated
  Description: Description
  ThreatType: ThreatType
  Roles: Roles
  Sources: Sources
  RecommendedActions: RecommendedActions
  valid_from: valid_from
triggerOperator: GreaterThan
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24dcff02-123c-4e10-a531-2a22a609120a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24dcff02-123c-4e10-a531-2a22a609120a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence File Hash Indicators with Block Action and Malware - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            },
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            }
          ]
        },
        "alertRuleTemplateName": "24dcff02-123c-4e10-a531-2a22a609120a",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "valid_from": "valid_from"
        },
        "description": "\"This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. \nIt filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Block', and roles marked as 'Malware'. \nExtracted hashes and key threat intelligence details are projected for Blocking and investigation.\"\n",
        "displayName": "CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_MD5",
                "identifier": "Algorithm"
              },
              {
                "columnName": "MD5",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA1",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA1",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA256",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockMediumSeverityRule.yaml",
        "query": "// File Hash Indicators with Block Action and Malware\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains \"Malware\")\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n    Algo_MD5='md5',\n    Algo_SHA1= 'SHA1',\n    Algo_SHA256='SHA256',\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project  \n    MD5,\n    Algo_MD5,\n    SHA1,\n    Algo_SHA1,\n    SHA256,\n    Algo_SHA256,\n    ThreatActors,\n    Sources,\n    RecommendedActions,\n    Roles,\n    Country,\n    name,\n    Description,\n    ConfidenceScore,\n    SecurityVendors,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1566.001",
          "T1059.001",
          "T1059.003",
          "T1547.001",
          "T1053.005",
          "T1562.001",
          "T1003.001",
          "T1555.003",
          "T1021.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1027",
          "T1036",
          "T1053",
          "T1055",
          "T1057",
          "T1059",
          "T1082",
          "T1113",
          "T1203",
          "T1204",
          "T1486",
          "T1547",
          "T1555",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}