Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Preview - TI map File Hash entity to Cloud App Events

Back
Id2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4
RulenamePreview - TI map File Hash entity to Cloud App Events
DescriptionIdentifies compromises and attacks and detect malicious activities in one’s file hash entity from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml
Version1.0.2
Arm template2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend FileHashValue = toupper(FileHashValue)
    | join kind=innerunique (union isfuzzy=true
    (CloudAppEvents
        | join kind=innerunique (union isfuzzy=true(DeviceFileEvents
        | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))
    on $left.FileHashValue == $right.MD5
| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue
| extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName
| project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash
id: 2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4
queryFrequency: 1h
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml
requiredDataConnectors:
- dataTypes:
  - CloudAppEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
      | where TimeGenerated >= ago(ioc_lookBack)
      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
      | where Active == true and ExpirationDateTime > now()
      | extend FileHashValue = toupper(FileHashValue)
      | join kind=innerunique (union isfuzzy=true
      (CloudAppEvents
          | join kind=innerunique (union isfuzzy=true(DeviceFileEvents
          | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))
      on $left.FileHashValue == $right.MD5
  | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue
  | extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName
  | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash  
name: Preview - TI map File Hash entity to Cloud App Events
kind: Scheduled
description: |
    'Identifies compromises and attacks and detect malicious activities in one's file hash entity from TI'
severity: Medium
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: HostName
- entityType: FileHash
  fieldMappings:
  - columnName: FileHashValue
    identifier: Value
  - columnName: FileHashType
    identifier: Algorithm
triggerThreshold: 0
queryPeriod: 14d
tactics:
- CommandAndControl
relevantTechniques:
- T1071
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4')]",
      "properties": {
        "alertRuleTemplateName": "2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4",
        "customDetails": null,
        "description": "'Identifies compromises and attacks and detect malicious activities in one's file hash entity from TI'\n",
        "displayName": "Preview - TI map File Hash entity to Cloud App Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashValue",
                "identifier": "Value"
              },
              {
                "columnName": "FileHashType",
                "identifier": "Algorithm"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n    | where TimeGenerated >= ago(ioc_lookBack)\n    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n    | where Active == true and ExpirationDateTime > now()\n    | extend FileHashValue = toupper(FileHashValue)\n    | join kind=innerunique (union isfuzzy=true\n    (CloudAppEvents\n        | join kind=innerunique (union isfuzzy=true(DeviceFileEvents\n        | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))\n    on $left.FileHashValue == $right.MD5\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue\n| extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName\n| project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}