Red Canary Threat Detection
| Id | 6d263abb-6445-45cc-93e9-c593d3d77b89 |
| Rulename | Red Canary Threat Detection |
| Description | Triggers Incidents using detection data assembled by Red Canary. |
| Severity | High |
| Tactics | Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation |
| Techniques | T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499 |
| Required data connectors | RedCanaryDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml |
| Version | 1.0.1 |
| Arm template | 6d263abb-6445-45cc-93e9-c593d3d77b89.json |
RedCanaryDetections_CL
| extend process_ioc_array = todynamic(process_iocs_s),
child_process_ioc_array = todynamic(child_process_iocs_s),
cross_process_ioc_array = todynamic(cross_process_iocs_s),
file_mod_ioc_array = todynamic(file_modification_iocs_s),
identities_array = todynamic(identities_s)
| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate bag_unpack(entities)
| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate bag_unpack(file_hash_array, 'file_hash_')
| project detection_id_s = column_ifexists('detection_id_s', ''),
detection_url_s = column_ifexists('detection_url_s', ''),
detection_headline_s = column_ifexists('detection_headline_s', ''),
detection_details_s = column_ifexists('detection_details_s', ''),
detection_severity_s = column_ifexists('detection_severity_s', ''),
host_name_s = column_ifexists('host_name_s', ''),
host_full_name_s = column_ifexists('host_full_name_s', ''),
host_os_family_s = column_ifexists('host_os_family_s', ''),
host_os_version_s = column_ifexists('host_os_version_s', ''),
tactics_s = column_ifexists('tactics_s', ''),
process_id = column_ifexists('process_id', ''),
process_command_line = column_ifexists('process_command_line', ''),
process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
file_hash_value = column_ifexists('file_hash_value', ''),
file_directory = column_ifexists('file_directory', ''),
file_name = column_ifexists('file_name', ''),
user_name = column_ifexists('user_name', ''),
user_uid = column_ifexists('user_uid', '')
kind: Scheduled
triggerThreshold: 0
query: |
RedCanaryDetections_CL
| extend process_ioc_array = todynamic(process_iocs_s),
child_process_ioc_array = todynamic(child_process_iocs_s),
cross_process_ioc_array = todynamic(cross_process_iocs_s),
file_mod_ioc_array = todynamic(file_modification_iocs_s),
identities_array = todynamic(identities_s)
| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate bag_unpack(entities)
| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate bag_unpack(file_hash_array, 'file_hash_')
| project detection_id_s = column_ifexists('detection_id_s', ''),
detection_url_s = column_ifexists('detection_url_s', ''),
detection_headline_s = column_ifexists('detection_headline_s', ''),
detection_details_s = column_ifexists('detection_details_s', ''),
detection_severity_s = column_ifexists('detection_severity_s', ''),
host_name_s = column_ifexists('host_name_s', ''),
host_full_name_s = column_ifexists('host_full_name_s', ''),
host_os_family_s = column_ifexists('host_os_family_s', ''),
host_os_version_s = column_ifexists('host_os_version_s', ''),
tactics_s = column_ifexists('tactics_s', ''),
process_id = column_ifexists('process_id', ''),
process_command_line = column_ifexists('process_command_line', ''),
process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
file_hash_value = column_ifexists('file_hash_value', ''),
file_directory = column_ifexists('file_directory', ''),
file_name = column_ifexists('file_name', ''),
user_name = column_ifexists('user_name', ''),
user_uid = column_ifexists('user_uid', '')
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
entityMappings:
- fieldMappings:
- columnName: process_id
identifier: ProcessId
- columnName: process_command_line
identifier: CommandLine
- columnName: process_creation_time_utc
identifier: CreationTimeUtc
entityType: Process
- fieldMappings:
- columnName: user_name
identifier: FullName
- columnName: user_uid
identifier: Sid
- columnName: user_name
identifier: Name
entityType: Account
- fieldMappings:
- columnName: file_directory
identifier: Directory
- columnName: file_name
identifier: Name
entityType: File
- fieldMappings:
- columnName: host_name_s
identifier: HostName
- columnName: host_full_name_s
identifier: FullName
- columnName: host_os_family_s
identifier: OSFamily
entityType: Host
- fieldMappings:
- columnName: file_hash_algorithm
identifier: Algorithm
- columnName: file_hash_value
identifier: Value
entityType: FileHash
version: 1.0.1
queryFrequency: 5m
severity: High
requiredDataConnectors:
- dataTypes:
- RedCanaryDetections_CL
connectorId: RedCanaryDataConnector
eventGroupingSettings:
aggregationKind: AlertPerResult
description: Triggers Incidents using detection data assembled by Red Canary.
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
triggerOperator: gt
alertDetailsOverride:
alertTacticsColumnName: tactics_s
alertSeverityColumnName: detection_severity_s
alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
alertDescriptionFormat: |
Red Canary has published a {{detection_severity_s}} severity detection with details:
{{detection_details_s}}
View the Detection at: {{detection_url_s}}
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5m
enabled: true
groupByCustomDetails:
- detection_id
groupByEntities: []
groupByAlertDetails: []
matchingMethod: Selected
reopenClosedIncident: false
createIncident: true
customDetails:
detection_id: detection_id_s
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
name: Red Canary Threat Detection
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}\n",
"alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}",
"alertSeverityColumnName": "detection_severity_s",
"alertTacticsColumnName": "tactics_s"
},
"alertRuleTemplateName": "6d263abb-6445-45cc-93e9-c593d3d77b89",
"customDetails": {
"detection_id": "detection_id_s"
},
"description": "Triggers Incidents using detection data assembled by Red Canary.",
"displayName": "Red Canary Threat Detection",
"enabled": true,
"entityMappings": [
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "process_id",
"identifier": "ProcessId"
},
{
"columnName": "process_command_line",
"identifier": "CommandLine"
},
{
"columnName": "process_creation_time_utc",
"identifier": "CreationTimeUtc"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "FullName"
},
{
"columnName": "user_uid",
"identifier": "Sid"
},
{
"columnName": "user_name",
"identifier": "Name"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "file_directory",
"identifier": "Directory"
},
{
"columnName": "file_name",
"identifier": "Name"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "host_name_s",
"identifier": "HostName"
},
{
"columnName": "host_full_name_s",
"identifier": "FullName"
},
{
"columnName": "host_os_family_s",
"identifier": "OSFamily"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "file_hash_algorithm",
"identifier": "Algorithm"
},
{
"columnName": "file_hash_value",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [
"detection_id"
],
"groupByEntities": [],
"lookbackDuration": "PT5M",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml",
"query": "RedCanaryDetections_CL\n| extend process_ioc_array = todynamic(process_iocs_s),\n child_process_ioc_array = todynamic(child_process_iocs_s),\n cross_process_ioc_array = todynamic(cross_process_iocs_s),\n file_mod_ioc_array = todynamic(file_modification_iocs_s),\n identities_array = todynamic(identities_s)\n| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate bag_unpack(entities)\n| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate bag_unpack(file_hash_array, 'file_hash_')\n| project detection_id_s = column_ifexists('detection_id_s', ''),\n detection_url_s = column_ifexists('detection_url_s', ''),\n detection_headline_s = column_ifexists('detection_headline_s', ''),\n detection_details_s = column_ifexists('detection_details_s', ''),\n detection_severity_s = column_ifexists('detection_severity_s', ''),\n host_name_s = column_ifexists('host_name_s', ''),\n host_full_name_s = column_ifexists('host_full_name_s', ''),\n host_os_family_s = column_ifexists('host_os_family_s', ''),\n host_os_version_s = column_ifexists('host_os_version_s', ''),\n tactics_s = column_ifexists('tactics_s', ''),\n process_id = column_ifexists('process_id', ''),\n process_command_line = column_ifexists('process_command_line', ''),\n process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n file_hash_value = column_ifexists('file_hash_value', ''),\n file_directory = column_ifexists('file_directory', ''),\n file_name = column_ifexists('file_name', ''),\n user_name = column_ifexists('user_name', ''),\n user_uid = column_ifexists('user_uid', '')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Discovery",
"Execution",
"Exfiltration",
"Impact",
"InitialAccess",
"LateralMovement",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1003",
"T1021",
"T1041",
"T1059",
"T1071",
"T1087",
"T1119",
"T1499",
"T1547",
"T1548",
"T1562",
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}