Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Malicious DomainIP Reputation High Rule

Back
Id7ff6f6d7-9672-4567-99fc-cb8a58c3bce7
RulenameCYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule
Description“This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure.

The IP has been previously associated with hacking activity and web application attacks.

Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.”
SeverityHigh
TacticsInitialAccess
CommandAndControl
Reconnaissance
Impact
DefenseEvasion
Exfiltration
TechniquesT1566.002
T1071.001
T1090.002
T1595.002
T1036.005
T1499
T1041
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsHighRule.yaml
Version1.0.0
Arm template7ff6f6d7-9672-4567-99fc-cb8a58c3bce7.json
Deploy To Azure
// High Severity - Malicious Domain/IP Reputation Detected
let timeFrame = 5m;
CyfirmaASDomainIPReputationAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Categories=categories,
    IPversion=ip_version,
    ISP=isp,
    ThreatActors=threat_actors,
    Country=country,
    LastUsersReported=last_users_reported,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Categories,
    IPversion,
    ISP,
    ThreatActors,
    Country,
    LastUsersReported,
    ProviderName,
    ProductName
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: NetworkIP
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  FirstSeen: FirstSeen
  LastUsersReported: LastUsersReported
  RiskScore: RiskScore
  Country: Country
  ISP: ISP
  IPversion: IPversion
  ThreatActors: ThreatActors
  AlertUID: AlertUID
  Categories: Categories
  LastSeen: LastSeen
  UID: UID
relevantTechniques:
- T1566.002
- T1071.001
- T1090.002
- T1595.002
- T1036.005
- T1499
- T1041
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
  alertDescriptionFormat: 'CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsHighRule.yaml
triggerOperator: gt
id: 7ff6f6d7-9672-4567-99fc-cb8a58c3bce7
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASDomainIPReputationAlerts_CL
version: 1.0.0
name: CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. 
  The IP has been previously associated with hacking activity and web application attacks. 
  Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."  
query: |
  // High Severity - Malicious Domain/IP Reputation Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPReputationAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Categories=categories,
      IPversion=ip_version,
      ISP=isp,
      ThreatActors=threat_actors,
      Country=country,
      LastUsersReported=last_users_reported,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Categories,
      IPversion,
      ISP,
      ThreatActors,
      Country,
      LastUsersReported,
      ProviderName,
      ProductName  
tactics:
- InitialAccess
- CommandAndControl
- Reconnaissance
- Impact
- DefenseEvasion
- Exfiltration
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ff6f6d7-9672-4567-99fc-cb8a58c3bce7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ff6f6d7-9672-4567-99fc-cb8a58c3bce7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "7ff6f6d7-9672-4567-99fc-cb8a58c3bce7",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Categories": "Categories",
          "Country": "Country",
          "FirstSeen": "FirstSeen",
          "IPversion": "IPversion",
          "ISP": "ISP",
          "LastSeen": "LastSeen",
          "LastUsersReported": "LastUsersReported",
          "RiskScore": "RiskScore",
          "ThreatActors": "ThreatActors",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. \nThe IP has been previously associated with hacking activity and web application attacks. \nDenied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPreputationsHighRule.yaml",
        "query": "// High Severity - Malicious Domain/IP Reputation Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPReputationAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    NetworkIP=ip,\n    AlertUID=alert_uid,\n    UID=uid,\n    Categories=categories,\n    IPversion=ip_version,\n    ISP=isp,\n    ThreatActors=threat_actors,\n    Country=country,\n    LastUsersReported=last_users_reported,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    Categories,\n    IPversion,\n    ISP,\n    ThreatActors,\n    Country,\n    LastUsersReported,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1566.002",
          "T1071.001",
          "T1090.002",
          "T1595.002",
          "T1036.005"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "Reconnaissance"
        ],
        "techniques": [
          "T1036",
          "T1041",
          "T1071",
          "T1090",
          "T1499",
          "T1566",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}