CYFIRMA - High severity File Hash Indicators with Block Action and Malware
| Id | 990fc0dc-e7a5-4f6d-bc24-8569652cd773 |
| Rulename | CYFIRMA - High severity File Hash Indicators with Block Action and Malware |
| Description | “This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Block’, and roles marked as ‘Malware’. Extracted hashes and key threat intelligence details are projected for Blocking and investigation.” |
| Severity | High |
| Tactics | InitialAccess Execution Persistence PrivilegeEscalation DefenseEvasion CredentialAccess Discovery LateralMovement Collection Impact |
| Techniques | T1566 T1203 T1059 T1204 T1547 T1053 T1055 T1027 T1562 T1036 T1003 T1555 T1082 T1057 T1021 T1113 T1486 T1566.001 T1059.001 T1059.003 T1547.001 T1053.005 T1562.001 T1003.001 T1555.003 T1021.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockHighSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | 990fc0dc-e7a5-4f6d-bc24-8569652cd773.json |
// File Hash Indicators with Block Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
description: |
"This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes.
It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Block', and roles marked as 'Malware'.
Extracted hashes and key threat intelligence details are projected for Blocking and investigation."
tactics:
- InitialAccess
- Execution
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- Impact
suppressionEnabled: true
suppressionDuration: 5m
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Block Action and Malware - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
alertDynamicProperties:
- value: ProviderName
alertProperty: ProviderName
- value: ProductName
alertProperty: ProductName
incidentConfiguration:
groupingConfiguration:
enabled: false
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 990fc0dc-e7a5-4f6d-bc24-8569652cd773
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
Tags: Tags
TimeGenerated: TimeGenerated
SecurityVendors: SecurityVendors
Country: Country
ThreatActors: ThreatActors
valid_from: valid_from
Roles: Roles
ThreatType: ThreatType
IndicatorID: IndicatorID
RecommendedActions: RecommendedActions
Sources: Sources
Description: Description
ConfidenceScore: ConfidenceScore
created: created
modified: modified
query: |
// File Hash Indicators with Block Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Block' and (Roles contains "Malware")
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsBlockHighSeverityRule.yaml
kind: Scheduled
queryPeriod: 5m
enabled: false
name: CYFIRMA - High severity File Hash Indicators with Block Action and Malware
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1566
- T1203
- T1059
- T1204
- T1547
- T1053
- T1055
- T1027
- T1562
- T1036
- T1003
- T1555
- T1082
- T1057
- T1021
- T1113
- T1486
- T1566.001
- T1059.001
- T1059.003
- T1547.001
- T1053.005
- T1562.001
- T1003.001
- T1555.003
- T1021.002
version: 1.0.1
entityMappings:
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_MD5
- identifier: Value
columnName: MD5
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA1
- identifier: Value
columnName: SHA1
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: Algo_SHA256
- identifier: Value
columnName: SHA256
triggerOperator: GreaterThan