Detection of Specific Hashes in CommonSecurityLog

Back


Id	388e197d-ec9e-46b6-addb-947d74d2a5c4
Rulename	Detection of Specific Hashes in CommonSecurityLog
Description	Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.
Severity	Medium
Tactics	PreAttack
Techniques	T1587.001
Required data connectors	CEF
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml
Version	1.0.0
Arm template	388e197d-ec9e-46b6-addb-947d74d2a5c4.json

KQL

// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites
let dt_lookBack = 1h;
let ioc_lookBack = 1d;
let fileHashIndicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Picking up only Recorded Future IOC's that have been observed in undersground testing sites
| where Description == "Recorded Future - HASH - Observed in Underground Virus Testing Sites"
| where Active == true
| where isnotempty(FileHashValue);
// Handle matches against both lower case and uppercase versions of the hash:
(fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)
| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))
| join (
  CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)
  | where isnotempty(FileHash)
  | extend CommonSecurityLog_TimeGenerated = TimeGenerated
  )
on $left.FileHashValue == $right.FileHash
| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation
| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url

YAML

severity: Medium
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
kind: Scheduled
id: 388e197d-ec9e-46b6-addb-947d74d2a5c4
triggerOperator: gt
tactics:
- PreAttack
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
relevantTechniques:
- T1587.001
version: 1.0.0
queryPeriod: 1d
name: Detection of Specific Hashes in CommonSecurityLog
status: Available
description: |
    'Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.'
query: |
  // Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites
  let dt_lookBack = 1h;
  let ioc_lookBack = 1d;
  let fileHashIndicators = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  // Picking up only Recorded Future IOC's that have been observed in undersground testing sites
  | where Description == "Recorded Future - HASH - Observed in Underground Virus Testing Sites"
  | where Active == true
  | where isnotempty(FileHashValue);
  // Handle matches against both lower case and uppercase versions of the hash:
  (fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)
  | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))
  | join (
    CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(FileHash)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
    )
  on $left.FileHashValue == $right.FileHash
  | where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
  CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation
  | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/388e197d-ec9e-46b6-addb-947d74d2a5c4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/388e197d-ec9e-46b6-addb-947d74d2a5c4')]",
      "properties": {
        "alertRuleTemplateName": "388e197d-ec9e-46b6-addb-947d74d2a5c4",
        "customDetails": null,
        "description": "'Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.'\n",
        "displayName": "Detection of Specific Hashes in CommonSecurityLog",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml",
        "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n  CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n  | where isnotempty(FileHash)\n  | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n  )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PreAttack"
        ],
        "techniques": [
          "T1587"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}