Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Red Canary Threat Detection

Back
Id6d263abb-6445-45cc-93e9-c593d3d77b89
RulenameRed Canary Threat Detection
DescriptionTriggers Incidents using detection data assembled by Red Canary.
SeverityHigh
TacticsCollection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
Required data connectorsRedCanaryDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
Version1.0.0
Arm template6d263abb-6445-45cc-93e9-c593d3d77b89.json
Deploy To Azure
RedCanaryDetections_CL
| extend    process_ioc_array = todynamic(process_iocs_s),
            child_process_ioc_array = todynamic(child_process_iocs_s),
            cross_process_ioc_array = todynamic(cross_process_iocs_s),
            file_mod_ioc_array = todynamic(file_modification_iocs_s),
            identities_array = todynamic(identities_s)
| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate  bag_unpack(entities)
| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate  bag_unpack(file_hash_array, 'file_hash_')
| project   detection_id_s = column_ifexists('detection_id_s', ''),
            detection_url_s = column_ifexists('detection_url_s', ''),
            detection_headline_s = column_ifexists('detection_headline_s', ''),
            detection_details_s = column_ifexists('detection_details_s', ''),
            detection_severity_s = column_ifexists('detection_severity_s', ''),
            host_name_s = column_ifexists('host_name_s', ''),
            host_full_name_s = column_ifexists('host_full_name_s', ''),
            host_os_family_s = column_ifexists('host_os_family_s', ''),
            host_os_version_s = column_ifexists('host_os_version_s', ''),
            tactics_s = column_ifexists('tactics_s', ''),
            process_id = column_ifexists('process_id', ''),
            process_command_line = column_ifexists('process_command_line', ''),
            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
            file_hash_value = column_ifexists('file_hash_value', ''),
            file_directory = column_ifexists('file_directory', ''),
            file_name = column_ifexists('file_name', ''),
            user_name = column_ifexists('user_name', ''),
            user_uid = column_ifexists('user_uid', '')
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
customDetails:
  detection_id: detection_id_s
queryFrequency: 5m
requiredDataConnectors:
- connectorId: RedCanaryDataConnector
  dataTypes:
  - RedCanaryDetections_CL
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
version: 1.0.0
name: Red Canary Threat Detection
kind: Scheduled
query: |
  RedCanaryDetections_CL
  | extend    process_ioc_array = todynamic(process_iocs_s),
              child_process_ioc_array = todynamic(child_process_iocs_s),
              cross_process_ioc_array = todynamic(cross_process_iocs_s),
              file_mod_ioc_array = todynamic(file_modification_iocs_s),
              identities_array = todynamic(identities_s)
  | extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
  | mv-expand entities
  | evaluate  bag_unpack(entities)
  | extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
  | mv-expand file_hash_array
  | evaluate  bag_unpack(file_hash_array, 'file_hash_')
  | project   detection_id_s = column_ifexists('detection_id_s', ''),
              detection_url_s = column_ifexists('detection_url_s', ''),
              detection_headline_s = column_ifexists('detection_headline_s', ''),
              detection_details_s = column_ifexists('detection_details_s', ''),
              detection_severity_s = column_ifexists('detection_severity_s', ''),
              host_name_s = column_ifexists('host_name_s', ''),
              host_full_name_s = column_ifexists('host_full_name_s', ''),
              host_os_family_s = column_ifexists('host_os_family_s', ''),
              host_os_version_s = column_ifexists('host_os_version_s', ''),
              tactics_s = column_ifexists('tactics_s', ''),
              process_id = column_ifexists('process_id', ''),
              process_command_line = column_ifexists('process_command_line', ''),
              process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
              file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
              file_hash_value = column_ifexists('file_hash_value', ''),
              file_directory = column_ifexists('file_directory', ''),
              file_name = column_ifexists('file_name', ''),
              user_name = column_ifexists('user_name', ''),
              user_uid = column_ifexists('user_uid', '')  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
queryPeriod: 5m
relevantTechniques: []
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 5m
    groupByCustomDetails:
    - detection_id
    reopenClosedIncident: false
    enabled: true
    groupByAlertDetails: []
    groupByEntities: []
    matchingMethod: Selected
  createIncident: true
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
alertDetailsOverride:
  alertSeverityColumnName: detection_severity_s
  alertDescriptionFormat: |
    Red Canary has published a {{detection_severity_s}} severity detection with details:

    {{detection_details_s}}

    View the Detection at: {{detection_url_s}}    
  alertTacticsColumnName: tactics_s
  alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
description: Triggers Incidents using detection data assembled by Red Canary.
entityMappings:
- entityType: Process
  fieldMappings:
  - identifier: ProcessId
    columnName: process_id
  - identifier: CommandLine
    columnName: process_command_line
  - identifier: CreationTimeUtc
    columnName: process_creation_time_utc
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: user_name
  - identifier: Sid
    columnName: user_uid
  - identifier: Name
    columnName: user_name
- entityType: File
  fieldMappings:
  - identifier: Directory
    columnName: file_directory
  - identifier: Name
    columnName: file_name
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: host_name_s
  - identifier: FullName
    columnName: host_full_name_s
  - identifier: OSFamily
    columnName: host_os_family_s
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: file_hash_algorithm
  - identifier: Value
    columnName: file_hash_value
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Red Canary Threat Detection",
        "description": "Triggers Incidents using detection data assembled by Red Canary.",
        "severity": "High",
        "enabled": true,
        "query": "RedCanaryDetections_CL\n| extend    process_ioc_array = todynamic(process_iocs_s),\n            child_process_ioc_array = todynamic(child_process_iocs_s),\n            cross_process_ioc_array = todynamic(cross_process_iocs_s),\n            file_mod_ioc_array = todynamic(file_modification_iocs_s),\n            identities_array = todynamic(identities_s)\n| extend    entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate  bag_unpack(entities)\n| extend    file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate  bag_unpack(file_hash_array, 'file_hash_')\n| project   detection_id_s = column_ifexists('detection_id_s', ''),\n            detection_url_s = column_ifexists('detection_url_s', ''),\n            detection_headline_s = column_ifexists('detection_headline_s', ''),\n            detection_details_s = column_ifexists('detection_details_s', ''),\n            detection_severity_s = column_ifexists('detection_severity_s', ''),\n            host_name_s = column_ifexists('host_name_s', ''),\n            host_full_name_s = column_ifexists('host_full_name_s', ''),\n            host_os_family_s = column_ifexists('host_os_family_s', ''),\n            host_os_version_s = column_ifexists('host_os_version_s', ''),\n            tactics_s = column_ifexists('tactics_s', ''),\n            process_id = column_ifexists('process_id', ''),\n            process_command_line = column_ifexists('process_command_line', ''),\n            process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n            file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n            file_hash_value = column_ifexists('file_hash_value', ''),\n            file_directory = column_ifexists('file_directory', ''),\n            file_name = column_ifexists('file_name', ''),\n            user_name = column_ifexists('user_name', ''),\n            user_uid = column_ifexists('user_uid', '')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [],
        "alertRuleTemplateName": "6d263abb-6445-45cc-93e9-c593d3d77b89",
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "lookbackDuration": "PT5M",
            "groupByCustomDetails": [
              "detection_id"
            ],
            "reopenClosedIncident": false,
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByEntities": [],
            "matchingMethod": "Selected"
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}",
          "alertSeverityColumnName": "detection_severity_s",
          "alertTacticsColumnName": "tactics_s",
          "alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}\n"
        },
        "customDetails": {
          "detection_id": "detection_id_s"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "process_id",
                "identifier": "ProcessId"
              },
              {
                "columnName": "process_command_line",
                "identifier": "CommandLine"
              },
              {
                "columnName": "process_creation_time_utc",
                "identifier": "CreationTimeUtc"
              }
            ],
            "entityType": "Process"
          },
          {
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "FullName"
              },
              {
                "columnName": "user_uid",
                "identifier": "Sid"
              },
              {
                "columnName": "user_name",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "file_directory",
                "identifier": "Directory"
              },
              {
                "columnName": "file_name",
                "identifier": "Name"
              }
            ],
            "entityType": "File"
          },
          {
            "fieldMappings": [
              {
                "columnName": "host_name_s",
                "identifier": "HostName"
              },
              {
                "columnName": "host_full_name_s",
                "identifier": "FullName"
              },
              {
                "columnName": "host_os_family_s",
                "identifier": "OSFamily"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "file_hash_algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "file_hash_value",
                "identifier": "Value"
              }
            ],
            "entityType": "FileHash"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}