CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule
| Id | 6f107cf8-02f9-4440-b5d8-1235293e5ad7 |
| Rulename | CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule |
| Description | “This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’. These indicators may include IP addresses, domains, and URLs related to Tor network activity. Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.” |
| Severity | High |
| Tactics | CommandAndControl Exfiltration InitialAccess Persistence Reconnaissance |
| Techniques | T1090 T1572 T1048 T1071 T1189 T1505 T1595 T1090.003 T1048.002 T1071.001 T1505.003 T1595.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsMonitorHighSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | 6f107cf8-02f9-4440-b5d8-1235293e5ad7.json |
//TOR Node Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
queryPeriod: 5m
triggerThreshold: 0
queryFrequency: 5m
suppressionDuration: 5m
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
enabled: false
description: |
"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'.
These indicators may include IP addresses, domains, and URLs related to Tor network activity.
Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."
customDetails:
Tags: Tags
SecurityVendors: SecurityVendors
TimeGenerated: TimeGenerated
Sources: Sources
ThreatType: ThreatType
Roles: Roles
ValidFrom: valid_from
Modified: modified
Created: created
ThreatActors: ThreatActors
IPAbuse: IPAbuse
RecommendedActions: RecommendedActions
Description: Description
ConfidenceScore: ConfidenceScore
IndicatorID: IndicatorID
Country: Country
name: CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule
version: 1.0.1
triggerOperator: GreaterThan
id: 6f107cf8-02f9-4440-b5d8-1235293e5ad7
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
matchingMethod: AllEntities
enabled: false
reopenClosedIncident: false
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
entityMappings:
- fieldMappings:
- identifier: Address
columnName: IPv4
entityType: IP
- fieldMappings:
- identifier: Address
columnName: IPv6
entityType: IP
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: Url
columnName: URL
entityType: URL
kind: Scheduled
suppressionEnabled: true
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Monitor Recommended - {{name}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
alertDescriptionFormat: '{{Description}} - {{name}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsMonitorHighSeverityRule.yaml
query: |
//TOR Node Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName