CYFIRMA - Attack Surface - Malicious DomainIP Reputation Medium Rule

Back


Id	70f137e4-e4ef-4635-92de-10c4f5b0fcd0
Rulename	CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule
Description	“This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application attacks. Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.”
Severity	Medium
Tactics	InitialAccess CommandAndControl Reconnaissance Impact DefenseEvasion Exfiltration
Techniques	T1566 T1071 T1090 T1595 T1499 T1036 T1041
Required data connectors	CyfirmaAttackSurfaceAlertsConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsMediumRule.yaml
Version	1.0.1
Arm template	70f137e4-e4ef-4635-92de-10c4f5b0fcd0.json

KQL

// Medium Severity - Malicious Domain/IP Reputation Detected
let timeFrame = 5m;
CyfirmaASDomainIPReputationAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Categories=categories,
    IPversion=ip_version,
    ISP=isp,
    ThreatActors=threat_actors,
    Country=country,
    LastUsersReported=last_users_reported,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Categories,
    IPversion,
    ISP,
    ThreatActors,
    Country,
    LastUsersReported,
    ProviderName,
    ProductName

YAML

name: CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
  alertDescriptionFormat: 'CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
version: 1.0.1
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: NetworkIP
    identifier: Address
  entityType: IP
id: 70f137e4-e4ef-4635-92de-10c4f5b0fcd0
triggerOperator: gt
query: |
  // Medium Severity - Malicious Domain/IP Reputation Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPReputationAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Categories=categories,
      IPversion=ip_version,
      ISP=isp,
      ThreatActors=threat_actors,
      Country=country,
      LastUsersReported=last_users_reported,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Categories,
      IPversion,
      ISP,
      ThreatActors,
      Country,
      LastUsersReported,
      ProviderName,
      ProductName  
description: |
  "This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. 
  The IP has been previously associated with hacking activity and web application attacks. 
  Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."  
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsMediumRule.yaml
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaASDomainIPReputationAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
status: Available
customDetails:
  ISP: ISP
  RiskScore: RiskScore
  UID: UID
  IPversion: IPversion
  Country: Country
  LastSeen: LastSeen
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  Categories: Categories
  TimeGenerated: TimeGenerated
  LastUsersReported: LastUsersReported
  ThreatActors: ThreatActors
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1071
- T1090
- T1595
- T1499
- T1036
- T1041
tactics:
- InitialAccess
- CommandAndControl
- Reconnaissance
- Impact
- DefenseEvasion
- Exfiltration

ARM