Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CYFIRMA - High severity File Hash Indicators with Block Action Rule

CYFIRMA - High severity File Hash Indicators with Block Action Rule

Back
Id7cb829b2-915a-42c2-adb9-725e9ce9bf43
RulenameCYFIRMA - High severity File Hash Indicators with Block Action Rule
Description“This query retrieves file hash indicators marked for blocking, with no assigned role, from the CyfirmaIndicators_CL table.

It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms, or automated blocklists.”
SeverityHigh
TacticsExecution
InitialAccess
DefenseEvasion
Impact
TechniquesT1204
T1566
T1027
T1486
T1566.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsBlockHighSeverityRule.yaml
Version1.0.1
Arm template7cb829b2-915a-42c2-adb9-725e9ce9bf43.json
Deploy To Azure
// File Hash Indicators with Block Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='MD5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    SHA1,
    SHA256,
    Algo_MD5,
    Algo_SHA1,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

description: |
  "This query retrieves file hash indicators marked for blocking, with no assigned role, from the CyfirmaIndicators_CL table. 
  It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms, or automated blocklists."  
kind: Scheduled
suppressionEnabled: true
queryFrequency: 5m
suppressionDuration: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsBlockHighSeverityRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Block Action - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} - {{name}} '
severity: High
triggerOperator: GreaterThan
triggerThreshold: 0
name: CYFIRMA - High severity File Hash Indicators with Block Action Rule
customDetails:
  Description: Description
  Created: created
  Sources: Sources
  Roles: Roles
  Country: Country
  ConfidenceScore: ConfidenceScore
  TimeGenerated: TimeGenerated
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  ThreatActors: ThreatActors
  SecurityVendors: SecurityVendors
  ValidFrom: valid_from
  Tags: Tags
  ThreatType: ThreatType
  Modified: modified
entityMappings:
- fieldMappings:
  - columnName: Algo_MD5
    identifier: Algorithm
  - columnName: MD5
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: Algo_SHA1
    identifier: Algorithm
  - columnName: SHA1
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: Algo_SHA256
    identifier: Algorithm
  - columnName: SHA256
    identifier: Value
  entityType: FileHash
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
enabled: false
id: 7cb829b2-915a-42c2-adb9-725e9ce9bf43
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
relevantTechniques:
- T1204
- T1566
- T1027
- T1486
- T1566.001
tactics:
- Execution
- InitialAccess
- DefenseEvasion
- Impact
version: 1.0.1
query: |
  // File Hash Indicators with Block Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='MD5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      SHA1,
      SHA256,
      Algo_MD5,
      Algo_SHA1,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult