CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware
| Id | 24dcff02-123c-4e10-a531-2a22a609120a |
| Rulename | CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware |
| Description | “This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Block’, and roles marked as ‘Malware’. Extracted hashes and key threat intelligence details are projected for Blocking and investigation.” |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence PrivilegeEscalation DefenseEvasion CredentialAccess Discovery LateralMovement Collection Impact |
| Techniques | T1566 T1203 T1059 T1204 T1547 T1053 T1055 T1027 T1562 T1036 T1003 T1555 T1082 T1057 T1021 T1113 T1486 T1566.001 T1059.001 T1059.003 T1547.001 T1053.005 T1562.001 T1003.001 T1555.003 T1021.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockMediumSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | 24dcff02-123c-4e10-a531-2a22a609120a.json |
// File Hash Indicators with Block Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.1
suppressionEnabled: true
query: |
// File Hash Indicators with Block Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
id: 24dcff02-123c-4e10-a531-2a22a609120a
tactics:
- InitialAccess
- Execution
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- Impact
queryPeriod: 5m
queryFrequency: 5m
entityMappings:
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_MD5
- identifier: Value
columnName: MD5
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA1
- identifier: Value
columnName: SHA1
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA256
- identifier: Value
columnName: SHA256
customDetails:
Sources: Sources
valid_from: valid_from
modified: modified
created: created
TimeGenerated: TimeGenerated
SecurityVendors: SecurityVendors
ThreatType: ThreatType
RecommendedActions: RecommendedActions
Country: Country
ConfidenceScore: ConfidenceScore
Tags: Tags
Roles: Roles
IndicatorID: IndicatorID
Description: Description
ThreatActors: ThreatActors
triggerOperator: GreaterThan
triggerThreshold: 0
severity: Medium
relevantTechniques:
- T1566
- T1203
- T1059
- T1204
- T1547
- T1053
- T1055
- T1027
- T1562
- T1036
- T1003
- T1555
- T1082
- T1057
- T1021
- T1113
- T1486
- T1566.001
- T1059.001
- T1059.003
- T1547.001
- T1053.005
- T1562.001
- T1003.001
- T1555.003
- T1021.002
enabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
kind: Scheduled
suppressionDuration: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockMediumSeverityRule.yaml
name: CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProviderName
value: ProviderName
- alertProperty: ProductName
value: ProductName
alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Block Action and Malware - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
description: |
"This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes.
It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Block', and roles marked as 'Malware'.
Extracted hashes and key threat intelligence details are projected for Blocking and investigation."