Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - High severity File Hash Indicators with Monitor Action Rule

Back
Id952b7d77-a848-4888-a638-62fe877eb55d
RulenameCYFIRMA - High severity File Hash Indicators with Monitor Action Rule
Description“This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table.

It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms.”
SeverityHigh
TacticsExecution
InitialAccess
DefenseEvasion
Impact
TechniquesT1204
T1566
T1027
T1486
T1566.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsMonitorHighSeverityRule.yaml
Version1.0.0
Arm template952b7d77-a848-4888-a638-62fe877eb55d.json
Deploy To Azure
// File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='MD5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    SHA1,
    SHA256,
    Algo_MD5,
    Algo_SHA1,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName
tactics:
- Execution
- InitialAccess
- DefenseEvasion
- Impact
enabled: false
id: 952b7d77-a848-4888-a638-62fe877eb55d
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
query: |
  // File Hash Indicators with Monitor Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='MD5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      SHA1,
      SHA256,
      Algo_MD5,
      Algo_SHA1,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1204
- T1566
- T1027
- T1486
- T1566.001
name: CYFIRMA - High severity File Hash Indicators with Monitor Action Rule
description: |
  "This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. 
  It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms."  
triggerOperator: GreaterThan
queryPeriod: 5m
suppressionDuration: 5m
severity: High
entityMappings:
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
  entityType: FileHash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsMonitorHighSeverityRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
triggerThreshold: 0
suppressionEnabled: true
queryFrequency: 5m
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5m
    enabled: false
customDetails:
  Modified: modified
  ConfidenceScore: ConfidenceScore
  RecommendedActions: RecommendedActions
  Created: created
  ThreatActors: ThreatActors
  ValidFrom: valid_from
  Description: Description
  SecurityVendors: SecurityVendors
  IndicatorID: IndicatorID
  TimeGenerated: TimeGenerated
  Tags: Tags
  Sources: Sources
  Country: Country
  ThreatType: ThreatType
  Roles: Roles
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/952b7d77-a848-4888-a638-62fe877eb55d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/952b7d77-a848-4888-a638-62fe877eb55d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence File Hash Indicators with Monitor Action - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "952b7d77-a848-4888-a638-62fe877eb55d",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "Created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "Modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "ValidFrom": "valid_from"
        },
        "description": "\"This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. \nIt extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for use in preventive security controls such as EDRs, threat intel platforms.\"\n",
        "displayName": "CYFIRMA - High severity File Hash Indicators with Monitor Action Rule",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_MD5",
                "identifier": "Algorithm"
              },
              {
                "columnName": "MD5",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA1",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA1",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA256",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/FileHashIndicatorsMonitorHighSeverityRule.yaml",
        "query": "// File Hash Indicators with Monitor Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (isempty(Roles) or not(Roles has_any ('Malware', 'Trojan')))\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n    Algo_MD5='MD5',\n    Algo_SHA1= 'SHA1',\n    Algo_SHA256='SHA256',\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project  \n    MD5,\n    SHA1,\n    SHA256,\n    Algo_MD5,\n    Algo_SHA1,\n    Algo_SHA256,\n    ThreatActors,\n    Sources,\n    RecommendedActions,\n    Roles,\n    Country,\n    name,\n    Description,\n    ConfidenceScore,\n    SecurityVendors,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [
          "T1566.001"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1027",
          "T1204",
          "T1486",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}