CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule

Back


Id	5347c581-eb36-4bf5-a7e5-be1fb2d617f5
Rulename	CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule
Description	“This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms.”
Severity	Medium
Tactics	Execution InitialAccess DefenseEvasion Impact
Techniques	T1204 T1566 T1027 T1486 T1566.001
Required data connectors	CyfirmaCyberIntelligenceDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsMonitorMediumSeverityRule.yaml
Version	1.0.1
Arm template	5347c581-eb36-4bf5-a7e5-be1fb2d617f5.json

KQL

// File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='MD5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    SHA1,
    SHA256,
    Algo_MD5,
    Algo_SHA1,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

YAML

queryFrequency: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
kind: Scheduled
suppressionDuration: 5m
version: 1.0.1
relevantTechniques:
- T1204
- T1566
- T1027
- T1486
- T1566.001
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: GreaterThan
customDetails:
  Tags: Tags
  SecurityVendors: SecurityVendors
  ConfidenceScore: ConfidenceScore
  Modified: modified
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  ValidFrom: valid_from
  Roles: Roles
  ThreatType: ThreatType
  Description: Description
  Created: created
  TimeGenerated: TimeGenerated
  ThreatActors: ThreatActors
  Country: Country
  Sources: Sources
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
id: 5347c581-eb36-4bf5-a7e5-be1fb2d617f5
name: CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule
query: |
  // File Hash Indicators with Monitor Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='MD5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      SHA1,
      SHA256,
      Algo_MD5,
      Algo_SHA1,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
enabled: false
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsMonitorMediumSeverityRule.yaml
triggerThreshold: 0
description: |
  "This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. 
  It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms."  
entityMappings:
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
severity: Medium
tactics:
- Execution
- InitialAccess
- DefenseEvasion
- Impact
suppressionEnabled: true

ARM