Microsoft Sentinel Analytic Rules

TI map File Hash to Security Event

Id: a7427ed7-04b4-4e3b-b323-08b981b9b4bf
Rule name: TI map File Hash to Security Event
Description: Identifies a match in Security Event data from any File Hash IOC from TI
Severity: Medium
Tactics: Impact
Required data connectors (at least one event source and one TI feed must be connected):
- SecurityEvents
- ThreatIntelligence
- ThreatIntelligenceTaxii
- WindowsForwardedEvents
- WindowsSecurityEvents
Kind: Scheduled
Query frequency: 1h (matches the query's dt_lookBack of 1h)
Query period: 14d (covers the query's ioc_lookBack of 14d)
Trigger threshold: 0
Trigger operator: gt (an alert is raised whenever the query returns more than 0 rows)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
Version: 1.4.1
Arm template: a7427ed7-04b4-4e3b-b323-08b981b9b4bf.json
// Threat-intelligence match: file-hash indicators from ThreatIntelligenceIndicator are
// joined against hash-bearing Windows events collected in the last hour.
// dt_lookBack must stay aligned with the rule's queryFrequency (1h) so consecutive runs
// neither overlap nor leave gaps; ioc_lookBack must not exceed the rule's queryPeriod (14d),
// otherwise older, still-valid indicators silently fall outside the data the run can see.
let dt_lookBack = 1h;
 let ioc_lookBack = 14d;
 ThreatIntelligenceIndicator
 // Only indicators ingested within the IOC window and whose expiry is still in the future.
 | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
 // The same IndicatorId can appear more than once in the window; keep only its newest row
 // (arg_max(TimeGenerated, *) carries every other column of that newest row along).
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 // Evaluated after arg_max on purpose: an indicator whose latest version is inactive drops out,
 // even if an older, still-active copy exists in the window.
 | where Active == true
 | where isnotempty(FileHashValue)
 // Both sides of the join are upper-cased so the hash comparison is case-insensitive.
 | extend FileHashValue = toupper(FileHashValue)
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique ( union isfuzzy=true
   // isfuzzy=true lets the union run when only one of SecurityEvent / WindowsEvent exists in the workspace.
   (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)
       // NOTE(review): 8002/8003/8005 are presumably AppLocker allow/audit events — the rule can only
       // fire if those events are actually collected; confirm AppLocker logging and forwarding are enabled.
       // Block-outcome IDs are not included here; confirm that is intended.
       | where EventID in ("8003","8002","8005")
       | where isnotempty(FileHash)
       | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)
   ),
   (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)
       | where EventID in ("8003","8002","8005")
       // WindowsEvent carries the hash inside the dynamic EventData bag rather than a typed column.
       | where isnotempty(EventData.FileHash)
       // NOTE(review): this branch extends no Process or Account column, so those fields (and the
       // Account entity) are empty for WindowsEvent matches — check whether EventData offers equivalents.
       | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)
   )
 )
 on $left.FileHashValue == $right.FileHash
 // Belt-and-braces: drop any event that post-dates the indicator's expiry.
 | where SecurityEvent_TimeGenerated < ExpirationDateTime
 // Collapse to one row per (indicator, hash): the most recent matching event, with its columns.
 | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash
 | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
 Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType
 // Entity columns consumed by the rule's entityMappings. Url comes from the indicator row, not the
 // event, and may well be empty for a file-hash indicator — confirm before relying on the URL entity.
 | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url
# Microsoft Sentinel scheduled analytic rule (YAML template form).
# Matches file-hash indicators from the TI tables against hash-bearing Windows events.
version: 1.4.1
# Runs hourly; the query's dt_lookBack (1h) is sized to this interval so each run covers only new events.
queryFrequency: 1h
# At least one event source (SecurityEvent or WindowsEvent) and one TI feed must be connected;
# the query's `union isfuzzy=true` tolerates whichever event table is absent.
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
# Entity columns are produced by the query's final `extend`; the URL entity is taken from the
# indicator's Url column, and the Account/Host entities from the matched event's Account/Computer.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: FileHashValue
    identifier: Value
  - columnName: FileHashType
    identifier: Algorithm
  entityType: FileHash
kind: Scheduled
# Must cover the query's ioc_lookBack (14d) so older, still-valid indicators are included.
queryPeriod: 14d
severity: Medium
# Rule query (KQL); the leading whitespace inside the block scalar is preserved as published.
query: |
  let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
   ThreatIntelligenceIndicator
   | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | where Active == true
   | where isnotempty(FileHashValue)
   | extend FileHashValue = toupper(FileHashValue)
   // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
   | join kind=innerunique ( union isfuzzy=true
     (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)
         | where EventID in ("8003","8002","8005")
         | where isnotempty(FileHash)
         | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)
     ),
     (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)
         | where EventID in ("8003","8002","8005")
         | where isnotempty(EventData.FileHash)
         | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)
     )
   )
   on $left.FileHashValue == $right.FileHash
   | where SecurityEvent_TimeGenerated < ExpirationDateTime
   | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash
   | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
   Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType
   | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url  
# Alert whenever the query returns more than 0 rows.
triggerOperator: gt
id: a7427ed7-04b4-4e3b-b323-08b981b9b4bf
description: |
    'Identifies a match in Security Event data from any File Hash IOC from TI'
triggerThreshold: 0
name: TI map File Hash to Security Event
# MITRE ATT&CK tactic stamped on the resulting alerts.
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7427ed7-04b4-4e3b-b323-08b981b9b4bf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7427ed7-04b4-4e3b-b323-08b981b9b4bf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "TI map File Hash to Security Event",
        "description": "'Identifies a match in Security Event data from any File Hash IOC from TI'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let dt_lookBack = 1h;\n let ioc_lookBack = 14d;\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n | where isnotempty(FileHashValue)\n | extend FileHashValue = toupper(FileHashValue)\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique ( union isfuzzy=true\n   (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n       | where EventID in (\"8003\",\"8002\",\"8005\")\n       | where isnotempty(FileHash)\n       | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\n   ),\n   (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\n       | where EventID in (\"8003\",\"8002\",\"8005\")\n       | where isnotempty(EventData.FileHash)\n       | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\n   )\n )\n on $left.FileHashValue == $right.FileHash\n | where SecurityEvent_TimeGenerated < ExpirationDateTime\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "alertRuleTemplateName": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "identifier": "Value",
                "columnName": "FileHashValue"
              },
              {
                "identifier": "Algorithm",
                "columnName": "FileHashType"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml",
        "templateVersion": "1.4.1"
      }
    }
  ]
}