Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Preview - TI map File Hash entity to Cloud App Events

Back
Id2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4
RulenamePreview - TI map File Hash entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s file hash entity from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml
Version1.0.3
Arm template2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend FileHashValue = toupper(FileHashValue)
    | where isnotempty(FileHashValue)
    | join kind=innerunique (union isfuzzy=true
    (CloudAppEvents
        | join kind=innerunique (union isfuzzy=true(DeviceFileEvents
        | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))
    on $left.FileHashValue == $right.MD5
| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue
| extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName
| project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash
name: Preview - TI map File Hash entity to Cloud App Events
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1071
version: 1.0.3
description: |
    'Identifies compromises and attacks and detect malicious activities in one's file hash entity from TI'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Value
    columnName: FileHashValue
  - identifier: Algorithm
    columnName: FileHashType
  entityType: FileHash
tactics:
- CommandAndControl
queryPeriod: 14d
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
      | where TimeGenerated >= ago(ioc_lookBack)
      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
      | where Active == true and ExpirationDateTime > now()
      | extend FileHashValue = toupper(FileHashValue)
      | where isnotempty(FileHashValue)
      | join kind=innerunique (union isfuzzy=true
      (CloudAppEvents
          | join kind=innerunique (union isfuzzy=true(DeviceFileEvents
          | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))
      on $left.FileHashValue == $right.MD5
  | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue
  | extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName
  | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash  
kind: Scheduled
triggerThreshold: 0
id: 2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4')]",
      "properties": {
        "alertRuleTemplateName": "2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4",
        "customDetails": null,
        "description": "'Identifies compromises and attacks and detect malicious activities in one's file hash entity from TI'\n",
        "displayName": "Preview - TI map File Hash entity to Cloud App Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashValue",
                "identifier": "Value"
              },
              {
                "columnName": "FileHashType",
                "identifier": "Algorithm"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n    | where TimeGenerated >= ago(ioc_lookBack)\n    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n    | where Active == true and ExpirationDateTime > now()\n    | extend FileHashValue = toupper(FileHashValue)\n    | where isnotempty(FileHashValue)\n    | join kind=innerunique (union isfuzzy=true\n    (CloudAppEvents\n        | join kind=innerunique (union isfuzzy=true(DeviceFileEvents\n        | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))\n    on $left.FileHashValue == $right.MD5\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue\n| extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName\n| project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}