Red Canary Threat Detection

Back


Id	6d263abb-6445-45cc-93e9-c593d3d77b89
Rulename	Red Canary Threat Detection
Description	Triggers Incidents using detection data assembled by Red Canary.
Severity	High
Tactics	Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation
Techniques	T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499
Required data connectors	RedCanaryDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
Version	1.0.1
Arm template	6d263abb-6445-45cc-93e9-c593d3d77b89.json

KQL

RedCanaryDetections_CL
| extend    process_ioc_array = todynamic(process_iocs_s),
            child_process_ioc_array = todynamic(child_process_iocs_s),
            cross_process_ioc_array = todynamic(cross_process_iocs_s),
            file_mod_ioc_array = todynamic(file_modification_iocs_s),
            identities_array = todynamic(identities_s)
| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate  bag_unpack(entities)
| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate  bag_unpack(file_hash_array, 'file_hash_')
| project   detection_id_s = column_ifexists('detection_id_s', ''),
            detection_url_s = column_ifexists('detection_url_s', ''),
            detection_headline_s = column_ifexists('detection_headline_s', ''),
            detection_details_s = column_ifexists('detection_details_s', ''),
            detection_severity_s = column_ifexists('detection_severity_s', ''),
            host_name_s = column_ifexists('host_name_s', ''),
            host_full_name_s = column_ifexists('host_full_name_s', ''),
            host_os_family_s = column_ifexists('host_os_family_s', ''),
            host_os_version_s = column_ifexists('host_os_version_s', ''),
            tactics_s = column_ifexists('tactics_s', ''),
            process_id = column_ifexists('process_id', ''),
            process_command_line = column_ifexists('process_command_line', ''),
            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
            file_hash_value = column_ifexists('file_hash_value', ''),
            file_directory = column_ifexists('file_directory', ''),
            file_name = column_ifexists('file_name', ''),
            user_name = column_ifexists('user_name', ''),
            user_uid = column_ifexists('user_uid', '')

YAML

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: true
    groupByEntities: []
    groupByCustomDetails:
    - detection_id
    groupByAlertDetails: []
    matchingMethod: Selected
    reopenClosedIncident: false
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Red Canary Threat Detection
query: |
  RedCanaryDetections_CL
  | extend    process_ioc_array = todynamic(process_iocs_s),
              child_process_ioc_array = todynamic(child_process_iocs_s),
              cross_process_ioc_array = todynamic(cross_process_iocs_s),
              file_mod_ioc_array = todynamic(file_modification_iocs_s),
              identities_array = todynamic(identities_s)
  | extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
  | mv-expand entities
  | evaluate  bag_unpack(entities)
  | extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
  | mv-expand file_hash_array
  | evaluate  bag_unpack(file_hash_array, 'file_hash_')
  | project   detection_id_s = column_ifexists('detection_id_s', ''),
              detection_url_s = column_ifexists('detection_url_s', ''),
              detection_headline_s = column_ifexists('detection_headline_s', ''),
              detection_details_s = column_ifexists('detection_details_s', ''),
              detection_severity_s = column_ifexists('detection_severity_s', ''),
              host_name_s = column_ifexists('host_name_s', ''),
              host_full_name_s = column_ifexists('host_full_name_s', ''),
              host_os_family_s = column_ifexists('host_os_family_s', ''),
              host_os_version_s = column_ifexists('host_os_version_s', ''),
              tactics_s = column_ifexists('tactics_s', ''),
              process_id = column_ifexists('process_id', ''),
              process_command_line = column_ifexists('process_command_line', ''),
              process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
              file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
              file_hash_value = column_ifexists('file_hash_value', ''),
              file_directory = column_ifexists('file_directory', ''),
              file_name = column_ifexists('file_name', ''),
              user_name = column_ifexists('user_name', ''),
              user_uid = column_ifexists('user_uid', '')  
severity: High
customDetails:
  detection_id: detection_id_s
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
queryFrequency: 5m
requiredDataConnectors:
- connectorId: RedCanaryDataConnector
  dataTypes:
  - RedCanaryDetections_CL
version: 1.0.1
description: Triggers Incidents using detection data assembled by Red Canary.
alertDetailsOverride:
  alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
  alertSeverityColumnName: detection_severity_s
  alertDescriptionFormat: |
    Red Canary has published a {{detection_severity_s}} severity detection with details:

    {{detection_details_s}}

    View the Detection at: {{detection_url_s}}    
  alertTacticsColumnName: tactics_s
entityMappings:
- fieldMappings:
  - columnName: process_id
    identifier: ProcessId
  - columnName: process_command_line
    identifier: CommandLine
  - columnName: process_creation_time_utc
    identifier: CreationTimeUtc
  entityType: Process
- fieldMappings:
  - columnName: user_name
    identifier: FullName
  - columnName: user_uid
    identifier: Sid
  - columnName: user_name
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: file_directory
    identifier: Directory
  - columnName: file_name
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: host_name_s
    identifier: HostName
  - columnName: host_full_name_s
    identifier: FullName
  - columnName: host_os_family_s
    identifier: OSFamily
  entityType: Host
- fieldMappings:
  - columnName: file_hash_algorithm
    identifier: Algorithm
  - columnName: file_hash_value
    identifier: Value
  entityType: FileHash

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}\n",
          "alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}",
          "alertSeverityColumnName": "detection_severity_s",
          "alertTacticsColumnName": "tactics_s"
        },
        "alertRuleTemplateName": "6d263abb-6445-45cc-93e9-c593d3d77b89",
        "customDetails": {
          "detection_id": "detection_id_s"
        },
        "description": "Triggers Incidents using detection data assembled by Red Canary.",
        "displayName": "Red Canary Threat Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "process_id",
                "identifier": "ProcessId"
              },
              {
                "columnName": "process_command_line",
                "identifier": "CommandLine"
              },
              {
                "columnName": "process_creation_time_utc",
                "identifier": "CreationTimeUtc"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "FullName"
              },
              {
                "columnName": "user_uid",
                "identifier": "Sid"
              },
              {
                "columnName": "user_name",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "file_directory",
                "identifier": "Directory"
              },
              {
                "columnName": "file_name",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_name_s",
                "identifier": "HostName"
              },
              {
                "columnName": "host_full_name_s",
                "identifier": "FullName"
              },
              {
                "columnName": "host_os_family_s",
                "identifier": "OSFamily"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "file_hash_algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "file_hash_value",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "detection_id"
            ],
            "groupByEntities": [],
            "lookbackDuration": "PT5M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml",
        "query": "RedCanaryDetections_CL\n| extend    process_ioc_array = todynamic(process_iocs_s),\n            child_process_ioc_array = todynamic(child_process_iocs_s),\n            cross_process_ioc_array = todynamic(cross_process_iocs_s),\n            file_mod_ioc_array = todynamic(file_modification_iocs_s),\n            identities_array = todynamic(identities_s)\n| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate  bag_unpack(entities)\n| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate  bag_unpack(file_hash_array, 'file_hash_')\n| project   detection_id_s = column_ifexists('detection_id_s', ''),\n            detection_url_s = column_ifexists('detection_url_s', ''),\n            detection_headline_s = column_ifexists('detection_headline_s', ''),\n            detection_details_s = column_ifexists('detection_details_s', ''),\n            detection_severity_s = column_ifexists('detection_severity_s', ''),\n            host_name_s = column_ifexists('host_name_s', ''),\n            host_full_name_s = column_ifexists('host_full_name_s', ''),\n            host_os_family_s = column_ifexists('host_os_family_s', ''),\n            host_os_version_s = column_ifexists('host_os_version_s', ''),\n            tactics_s = column_ifexists('tactics_s', ''),\n            process_id = column_ifexists('process_id', ''),\n            process_command_line = column_ifexists('process_command_line', ''),\n            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n            file_hash_value = column_ifexists('file_hash_value', ''),\n            file_directory = column_ifexists('file_directory', ''),\n            file_name = column_ifexists('file_name', ''),\n            user_name = column_ifexists('user_name', ''),\n            user_uid = column_ifexists('user_uid', '')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}