Red Canary Threat Detection
| Id | 6d263abb-6445-45cc-93e9-c593d3d77b89 |
| Rulename | Red Canary Threat Detection |
| Description | Triggers Incidents using detection data assembled by Red Canary. |
| Severity | High |
| Tactics | Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation |
| Required data connectors | RedCanaryDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml |
| Version | 1.0.0 |
| Arm template | 6d263abb-6445-45cc-93e9-c593d3d77b89.json |
RedCanaryDetections_CL
| extend process_ioc_array = todynamic(process_iocs_s),
child_process_ioc_array = todynamic(child_process_iocs_s),
cross_process_ioc_array = todynamic(cross_process_iocs_s),
file_mod_ioc_array = todynamic(file_modification_iocs_s),
identities_array = todynamic(identities_s)
| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate bag_unpack(entities)
| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate bag_unpack(file_hash_array, 'file_hash_')
| project detection_id_s = column_ifexists('detection_id_s', ''),
detection_url_s = column_ifexists('detection_url_s', ''),
detection_headline_s = column_ifexists('detection_headline_s', ''),
detection_details_s = column_ifexists('detection_details_s', ''),
detection_severity_s = column_ifexists('detection_severity_s', ''),
host_name_s = column_ifexists('host_name_s', ''),
host_full_name_s = column_ifexists('host_full_name_s', ''),
host_os_family_s = column_ifexists('host_os_family_s', ''),
host_os_version_s = column_ifexists('host_os_version_s', ''),
tactics_s = column_ifexists('tactics_s', ''),
process_id = column_ifexists('process_id', ''),
process_command_line = column_ifexists('process_command_line', ''),
process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
file_hash_value = column_ifexists('file_hash_value', ''),
file_directory = column_ifexists('file_directory', ''),
file_name = column_ifexists('file_name', ''),
user_name = column_ifexists('user_name', ''),
user_uid = column_ifexists('user_uid', '')
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
customDetails:
detection_id: detection_id_s
queryFrequency: 5m
requiredDataConnectors:
- connectorId: RedCanaryDataConnector
dataTypes:
- RedCanaryDetections_CL
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
version: 1.0.0
name: Red Canary Threat Detection
kind: Scheduled
query: |
RedCanaryDetections_CL
| extend process_ioc_array = todynamic(process_iocs_s),
child_process_ioc_array = todynamic(child_process_iocs_s),
cross_process_ioc_array = todynamic(cross_process_iocs_s),
file_mod_ioc_array = todynamic(file_modification_iocs_s),
identities_array = todynamic(identities_s)
| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
| mv-expand entities
| evaluate bag_unpack(entities)
| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
| mv-expand file_hash_array
| evaluate bag_unpack(file_hash_array, 'file_hash_')
| project detection_id_s = column_ifexists('detection_id_s', ''),
detection_url_s = column_ifexists('detection_url_s', ''),
detection_headline_s = column_ifexists('detection_headline_s', ''),
detection_details_s = column_ifexists('detection_details_s', ''),
detection_severity_s = column_ifexists('detection_severity_s', ''),
host_name_s = column_ifexists('host_name_s', ''),
host_full_name_s = column_ifexists('host_full_name_s', ''),
host_os_family_s = column_ifexists('host_os_family_s', ''),
host_os_version_s = column_ifexists('host_os_version_s', ''),
tactics_s = column_ifexists('tactics_s', ''),
process_id = column_ifexists('process_id', ''),
process_command_line = column_ifexists('process_command_line', ''),
process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
file_hash_value = column_ifexists('file_hash_value', ''),
file_directory = column_ifexists('file_directory', ''),
file_name = column_ifexists('file_name', ''),
user_name = column_ifexists('user_name', ''),
user_uid = column_ifexists('user_uid', '')
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml
queryPeriod: 5m
relevantTechniques: []
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5m
groupByCustomDetails:
- detection_id
reopenClosedIncident: false
enabled: true
groupByAlertDetails: []
groupByEntities: []
matchingMethod: Selected
createIncident: true
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
alertDetailsOverride:
alertSeverityColumnName: detection_severity_s
alertDescriptionFormat: |
Red Canary has published a {{detection_severity_s}} severity detection with details:
{{detection_details_s}}
View the Detection at: {{detection_url_s}}
alertTacticsColumnName: tactics_s
alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
description: Triggers Incidents using detection data assembled by Red Canary.
entityMappings:
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: process_id
- identifier: CommandLine
columnName: process_command_line
- identifier: CreationTimeUtc
columnName: process_creation_time_utc
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: user_name
- identifier: Sid
columnName: user_uid
- identifier: Name
columnName: user_name
- entityType: File
fieldMappings:
- identifier: Directory
columnName: file_directory
- identifier: Name
columnName: file_name
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: host_name_s
- identifier: FullName
columnName: host_full_name_s
- identifier: OSFamily
columnName: host_os_family_s
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: file_hash_algorithm
- identifier: Value
columnName: file_hash_value
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Red Canary Threat Detection",
"description": "Triggers Incidents using detection data assembled by Red Canary.",
"severity": "High",
"enabled": true,
"query": "RedCanaryDetections_CL\n| extend process_ioc_array = todynamic(process_iocs_s),\n child_process_ioc_array = todynamic(child_process_iocs_s),\n cross_process_ioc_array = todynamic(cross_process_iocs_s),\n file_mod_ioc_array = todynamic(file_modification_iocs_s),\n identities_array = todynamic(identities_s)\n| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate bag_unpack(entities)\n| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate bag_unpack(file_hash_array, 'file_hash_')\n| project detection_id_s = column_ifexists('detection_id_s', ''),\n detection_url_s = column_ifexists('detection_url_s', ''),\n detection_headline_s = column_ifexists('detection_headline_s', ''),\n detection_details_s = column_ifexists('detection_details_s', ''),\n detection_severity_s = column_ifexists('detection_severity_s', ''),\n host_name_s = column_ifexists('host_name_s', ''),\n host_full_name_s = column_ifexists('host_full_name_s', ''),\n host_os_family_s = column_ifexists('host_os_family_s', ''),\n host_os_version_s = column_ifexists('host_os_version_s', ''),\n tactics_s = column_ifexists('tactics_s', ''),\n process_id = column_ifexists('process_id', ''),\n process_command_line = column_ifexists('process_command_line', ''),\n process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n file_hash_value = column_ifexists('file_hash_value', ''),\n file_directory = column_ifexists('file_directory', ''),\n file_name = column_ifexists('file_name', ''),\n user_name = column_ifexists('user_name', ''),\n user_uid = column_ifexists('user_uid', '')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Discovery",
"Execution",
"Exfiltration",
"Impact",
"InitialAccess",
"LateralMovement",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [],
"alertRuleTemplateName": "6d263abb-6445-45cc-93e9-c593d3d77b89",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"lookbackDuration": "PT5M",
"groupByCustomDetails": [
"detection_id"
],
"reopenClosedIncident": false,
"enabled": true,
"groupByAlertDetails": [],
"groupByEntities": [],
"matchingMethod": "Selected"
}
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}",
"alertSeverityColumnName": "detection_severity_s",
"alertTacticsColumnName": "tactics_s",
"alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}\n"
},
"customDetails": {
"detection_id": "detection_id_s"
},
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "process_id",
"identifier": "ProcessId"
},
{
"columnName": "process_command_line",
"identifier": "CommandLine"
},
{
"columnName": "process_creation_time_utc",
"identifier": "CreationTimeUtc"
}
],
"entityType": "Process"
},
{
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "FullName"
},
{
"columnName": "user_uid",
"identifier": "Sid"
},
{
"columnName": "user_name",
"identifier": "Name"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "file_directory",
"identifier": "Directory"
},
{
"columnName": "file_name",
"identifier": "Name"
}
],
"entityType": "File"
},
{
"fieldMappings": [
{
"columnName": "host_name_s",
"identifier": "HostName"
},
{
"columnName": "host_full_name_s",
"identifier": "FullName"
},
{
"columnName": "host_os_family_s",
"identifier": "OSFamily"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "file_hash_algorithm",
"identifier": "Algorithm"
},
{
"columnName": "file_hash_value",
"identifier": "Value"
}
],
"entityType": "FileHash"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Canary/Analytic Rules/RedCanaryThreatDetection.yaml",
"templateVersion": "1.0.0"
}
}
]
}