Microsoft Sentinel Analytic Rules

Red Canary Threat Detection

Id: 6d263abb-6445-45cc-93e9-c593d3d77b89
Rulename: Red Canary Threat Detection
Description: Triggers Incidents using detection data assembled by Red Canary.
Severity: High
Tactics: Collection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
Techniques: T1566
T1059
T1547
T1548
T1562
T1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectors: RedCanaryDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
Version: 1.0.1
Arm template: 6d263abb-6445-45cc-93e9-c593d3d77b89.json
// Rendered copy of the rule query (the YAML `query:` below is the source of truth).
// Flattens each Red Canary detection row into one row per entity (process,
// child process, cross-process, file modification, identity) and per file hash,
// then projects a fixed, guarded set of columns for the entity mappings.
// Source table is the custom log fed by the RedCanaryDataConnector.
RedCanaryDetections_CL
// Each *_iocs_s / identities_s column is a JSON string; parse to dynamic arrays.
| extend    process_ioc_array = todynamic(process_iocs_s),
            child_process_ioc_array = todynamic(child_process_iocs_s),
            cross_process_ioc_array = todynamic(cross_process_iocs_s),
            file_mod_ioc_array = todynamic(file_modification_iocs_s),
            identities_array = todynamic(identities_s)
// Merge all entity kinds into one array so a single expansion handles them.
| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
// One output row per entity.
| mv-expand entities
// Promote the entity's keys to columns. No prefix is given, so column names are
// whatever keys the ingested bag carries.
// NOTE(review): confirm how a bag key that collides with an existing column
// (e.g. host_name_s) is handled by bag_unpack — verify against the connector's schema.
| evaluate  bag_unpack(entities)
// file_hashes is only present on some entity kinds; default to an empty array
// when the column does not exist after unpacking.
// NOTE(review): confirm whether mv-expand over that empty array keeps the row
// for entities without hashes (identities, processes); if it drops them, the
// Account/Process entity mappings downstream would rarely be populated.
| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
// Prefixed unpack yields file_hash_algorithm / file_hash_value.
| evaluate  bag_unpack(file_hash_array, 'file_hash_')
// Every projected column is guarded so a missing key yields '' (a string,
// including process_creation_time_utc) instead of failing the query.
| project   detection_id_s = column_ifexists('detection_id_s', ''),
            detection_url_s = column_ifexists('detection_url_s', ''),
            detection_headline_s = column_ifexists('detection_headline_s', ''),
            detection_details_s = column_ifexists('detection_details_s', ''),
            detection_severity_s = column_ifexists('detection_severity_s', ''),
            host_name_s = column_ifexists('host_name_s', ''),
            host_full_name_s = column_ifexists('host_full_name_s', ''),
            host_os_family_s = column_ifexists('host_os_family_s', ''),
            host_os_version_s = column_ifexists('host_os_version_s', ''),
            tactics_s = column_ifexists('tactics_s', ''),
            process_id = column_ifexists('process_id', ''),
            process_command_line = column_ifexists('process_command_line', ''),
            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
            file_hash_value = column_ifexists('file_hash_value', ''),
            file_directory = column_ifexists('file_directory', ''),
            file_name = column_ifexists('file_name', ''),
            user_name = column_ifexists('user_name', ''),
            user_uid = column_ifexists('user_uid', '')
# Scheduled Sentinel analytic rule: every query row becomes its own alert
# (AlertPerResult), and alerts are grouped into incidents on the detection_id
# custom detail. Any non-empty result set fires (threshold 0, operator gt).
triggerThreshold: 0
# Each columnName below must be produced by the final `project` of the query.
entityMappings:
- entityType: Process
  fieldMappings:
  - columnName: process_id
    identifier: ProcessId
  - columnName: process_command_line
    identifier: CommandLine
  # The query defaults this to '' when the key is absent from the entity bag.
  - columnName: process_creation_time_utc
    identifier: CreationTimeUtc
- entityType: Account
  fieldMappings:
  # user_name feeds both FullName and Name of the Account entity.
  - columnName: user_name
    identifier: FullName
  # NOTE(review): user_uid is mapped to Sid — verify the identity bag actually
  # carries a Windows SID here and not a generic uid, or matching will be off.
  - columnName: user_uid
    identifier: Sid
  - columnName: user_name
    identifier: Name
- entityType: File
  fieldMappings:
  - columnName: file_directory
    identifier: Directory
  - columnName: file_name
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: host_name_s
    identifier: HostName
  - columnName: host_full_name_s
    identifier: FullName
  - columnName: host_os_family_s
    identifier: OSFamily
- entityType: FileHash
  fieldMappings:
  # NOTE(review): the algorithm name comes straight from the vendor bag; confirm
  # it uses the values the FileHash entity expects (e.g. MD5/SHA1/SHA256).
  - columnName: file_hash_algorithm
    identifier: Algorithm
  - columnName: file_hash_value
    identifier: Value
# Period equals frequency (5m), so consecutive runs tile the timeline without
# overlap. NOTE(review): confirm ingestion-delay handling is acceptable for
# this connector at that window size.
queryPeriod: 5m
# Surfaced on the alert and used as the incident grouping key below.
customDetails:
  detection_id: detection_id_s
version: 1.0.1
triggerOperator: gt
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
queryFrequency: 5m
requiredDataConnectors:
- connectorId: RedCanaryDataConnector
  dataTypes:
  - RedCanaryDetections_CL
# The query is a block scalar, so notes stay here (a `#` line inside it would
# become query text). It flattens the IoC/identity arrays of each detection into
# one row per entity (and per file hash) and guards every projected column with
# column_ifexists so a missing key yields '' rather than a query error.
# NOTE(review): bag_unpack(entities) takes its column names from keys in the
# ingested data; confirm how a key colliding with an existing column (e.g.
# host_name_s) is handled. Also confirm whether mv-expand over the '[]' default
# for file_hashes keeps rows for entities that carry no hashes (identities,
# processes) — if it drops them, the Account/Process entities above would
# rarely populate.
# NOTE(review): the last query line carries trailing spaces that become part of
# the scalar value; harmless for KQL but worth stripping.
query: |
  RedCanaryDetections_CL
  | extend    process_ioc_array = todynamic(process_iocs_s),
              child_process_ioc_array = todynamic(child_process_iocs_s),
              cross_process_ioc_array = todynamic(cross_process_iocs_s),
              file_mod_ioc_array = todynamic(file_modification_iocs_s),
              identities_array = todynamic(identities_s)
  | extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
  | mv-expand entities
  | evaluate  bag_unpack(entities)
  | extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
  | mv-expand file_hash_array
  | evaluate  bag_unpack(file_hash_array, 'file_hash_')
  | project   detection_id_s = column_ifexists('detection_id_s', ''),
              detection_url_s = column_ifexists('detection_url_s', ''),
              detection_headline_s = column_ifexists('detection_headline_s', ''),
              detection_details_s = column_ifexists('detection_details_s', ''),
              detection_severity_s = column_ifexists('detection_severity_s', ''),
              host_name_s = column_ifexists('host_name_s', ''),
              host_full_name_s = column_ifexists('host_full_name_s', ''),
              host_os_family_s = column_ifexists('host_os_family_s', ''),
              host_os_version_s = column_ifexists('host_os_version_s', ''),
              tactics_s = column_ifexists('tactics_s', ''),
              process_id = column_ifexists('process_id', ''),
              process_command_line = column_ifexists('process_command_line', ''),
              process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
              file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
              file_hash_value = column_ifexists('file_hash_value', ''),
              file_directory = column_ifexists('file_directory', ''),
              file_name = column_ifexists('file_name', ''),
              user_name = column_ifexists('user_name', ''),
              user_uid = column_ifexists('user_uid', '')  
# Alert name and description are templated from detection fields. Each alert's
# severity and tactics come from the Red Canary data (detection_severity_s,
# tactics_s), so the static `severity: High` below is presumably only the
# fallback when the column value is not a valid Sentinel value — confirm.
# NOTE(review): the last line of alertDescriptionFormat carries trailing spaces
# that end up in the rendered text.
alertDetailsOverride:
  alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
  alertDescriptionFormat: |
    Red Canary has published a {{detection_severity_s}} severity detection with details:

    {{detection_details_s}}

    View the Detection at: {{detection_url_s}}    
  alertTacticsColumnName: tactics_s
  alertSeverityColumnName: detection_severity_s
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
# One incident per detection_id: the per-entity alerts sharing that custom
# detail value within the 5m lookback are grouped; entities and alert details
# are deliberately not part of the match, and closed incidents stay closed.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
    - detection_id
    groupByEntities: []
    groupByAlertDetails: []
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 5m
kind: Scheduled
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
name: Red Canary Threat Detection
description: Triggers Incidents using detection data assembled by Red Canary.
# Presumably added by the page generator; not part of the rule template schema.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}\n",
          "alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}",
          "alertSeverityColumnName": "detection_severity_s",
          "alertTacticsColumnName": "tactics_s"
        },
        "alertRuleTemplateName": "6d263abb-6445-45cc-93e9-c593d3d77b89",
        "customDetails": {
          "detection_id": "detection_id_s"
        },
        "description": "Triggers Incidents using detection data assembled by Red Canary.",
        "displayName": "Red Canary Threat Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "process_id",
                "identifier": "ProcessId"
              },
              {
                "columnName": "process_command_line",
                "identifier": "CommandLine"
              },
              {
                "columnName": "process_creation_time_utc",
                "identifier": "CreationTimeUtc"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "FullName"
              },
              {
                "columnName": "user_uid",
                "identifier": "Sid"
              },
              {
                "columnName": "user_name",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "file_directory",
                "identifier": "Directory"
              },
              {
                "columnName": "file_name",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_name_s",
                "identifier": "HostName"
              },
              {
                "columnName": "host_full_name_s",
                "identifier": "FullName"
              },
              {
                "columnName": "host_os_family_s",
                "identifier": "OSFamily"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "file_hash_algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "file_hash_value",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "detection_id"
            ],
            "groupByEntities": [],
            "lookbackDuration": "PT5M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml",
        "query": "RedCanaryDetections_CL\n| extend    process_ioc_array = todynamic(process_iocs_s),\n            child_process_ioc_array = todynamic(child_process_iocs_s),\n            cross_process_ioc_array = todynamic(cross_process_iocs_s),\n            file_mod_ioc_array = todynamic(file_modification_iocs_s),\n            identities_array = todynamic(identities_s)\n| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate  bag_unpack(entities)\n| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate  bag_unpack(file_hash_array, 'file_hash_')\n| project   detection_id_s = column_ifexists('detection_id_s', ''),\n            detection_url_s = column_ifexists('detection_url_s', ''),\n            detection_headline_s = column_ifexists('detection_headline_s', ''),\n            detection_details_s = column_ifexists('detection_details_s', ''),\n            detection_severity_s = column_ifexists('detection_severity_s', ''),\n            host_name_s = column_ifexists('host_name_s', ''),\n            host_full_name_s = column_ifexists('host_full_name_s', ''),\n            host_os_family_s = column_ifexists('host_os_family_s', ''),\n            host_os_version_s = column_ifexists('host_os_version_s', ''),\n            tactics_s = column_ifexists('tactics_s', ''),\n            process_id = column_ifexists('process_id', ''),\n            process_command_line = column_ifexists('process_command_line', ''),\n            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n            file_hash_value = column_ifexists('file_hash_value', ''),\n            file_directory = column_ifexists('file_directory', ''),\n            file_name = column_ifexists('file_name', ''),\n            user_name = column_ifexists('user_name', ''),\n            user_uid = column_ifexists('user_uid', '')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}