Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Malicious DomainIP Reputation Medium Rule

Back
Id70f137e4-e4ef-4635-92de-10c4f5b0fcd0
RulenameCYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule
Description“This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure.

The IP has been previously associated with hacking activity and web application attacks.

Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.”
SeverityMedium
TacticsInitialAccess
CommandAndControl
Reconnaissance
Impact
DefenseEvasion
Exfiltration
TechniquesT1566
T1071
T1090
T1595
T1499
T1036
T1041
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsMediumRule.yaml
Version1.0.0
Arm template70f137e4-e4ef-4635-92de-10c4f5b0fcd0.json
Deploy To Azure
// Medium Severity - Malicious Domain/IP Reputation Detected
let timeFrame = 5m;
CyfirmaASDomainIPReputationAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Categories=categories,
    IPversion=ip_version,
    ISP=isp,
    ThreatActors=threat_actors,
    Country=country,
    LastUsersReported=last_users_reported,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Categories,
    IPversion,
    ISP,
    ThreatActors,
    Country,
    LastUsersReported,
    ProviderName,
    ProductName
tactics:
- InitialAccess
- CommandAndControl
- Reconnaissance
- Impact
- DefenseEvasion
- Exfiltration
name: CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule
id: 70f137e4-e4ef-4635-92de-10c4f5b0fcd0
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASDomainIPReputationAlerts_CL
query: |
  // Medium Severity - Malicious Domain/IP Reputation Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPReputationAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Categories=categories,
      IPversion=ip_version,
      ISP=isp,
      ThreatActors=threat_actors,
      Country=country,
      LastUsersReported=last_users_reported,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Categories,
      IPversion,
      ISP,
      ThreatActors,
      Country,
      LastUsersReported,
      ProviderName,
      ProductName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1071
- T1090
- T1595
- T1499
- T1036
- T1041
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. 
  The IP has been previously associated with hacking activity and web application attacks. 
  Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."  
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
  alertDescriptionFormat: 'CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  IPversion: IPversion
  TimeGenerated: TimeGenerated
  ThreatActors: ThreatActors
  Categories: Categories
  AlertUID: AlertUID
  UID: UID
  LastSeen: LastSeen
  LastUsersReported: LastUsersReported
  ISP: ISP
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Country: Country
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70f137e4-e4ef-4635-92de-10c4f5b0fcd0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70f137e4-e4ef-4635-92de-10c4f5b0fcd0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} ",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "70f137e4-e4ef-4635-92de-10c4f5b0fcd0",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Categories": "Categories",
          "Country": "Country",
          "FirstSeen": "FirstSeen",
          "IPversion": "IPversion",
          "ISP": "ISP",
          "LastSeen": "LastSeen",
          "LastUsersReported": "LastUsersReported",
          "RiskScore": "RiskScore",
          "ThreatActors": "ThreatActors",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. \nThe IP has been previously associated with hacking activity and web application attacks. \nDenied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsMediumRule.yaml",
        "query": "// Medium Severity - Malicious Domain/IP Reputation Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPReputationAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    NetworkIP=ip,\n    AlertUID=alert_uid,\n    UID=uid,\n    Categories=categories,\n    IPversion=ip_version,\n    ISP=isp,\n    ThreatActors=threat_actors,\n    Country=country,\n    LastUsersReported=last_users_reported,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    Categories,\n    IPversion,\n    ISP,\n    ThreatActors,\n    Country,\n    LastUsersReported,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "Reconnaissance"
        ],
        "techniques": [
          "T1036",
          "T1041",
          "T1071",
          "T1090",
          "T1499",
          "T1566",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}