Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule

Back
Idaba36dc3-af43-4ab6-9349-3d1e37f1d4f3
RulenameCYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule
Description“This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’.

These indicators may include IP addresses, domains, and URLs related to Tor network activity.

Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.”
SeverityMedium
TacticsCommandAndControl
Exfiltration
InitialAccess
Persistence
Reconnaissance
TechniquesT1090
T1572
T1048
T1071
T1189
T1505
T1595
T1090.003
T1048.002
T1071.001
T1505.003
T1595.002
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockMediumSeverityRule.yaml
Version1.0.0
Arm templateaba36dc3-af43-4ab6-9349-3d1e37f1d4f3.json
Deploy To Azure
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName
suppressionDuration: 5m
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
description: |
  "This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. 
  These indicators may include IP addresses, domains, and URLs related to Tor network activity. 
  Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."  
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockMediumSeverityRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
query: |
  //TOR Node Network Indicators - Block Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
version: 1.0.0
name: CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5m
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPv4
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: IPv6
  entityType: IP
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: Url
    columnName: URL
  entityType: URL
suppressionEnabled: true
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
severity: Medium
enabled: false
id: aba36dc3-af43-4ab6-9349-3d1e37f1d4f3
customDetails:
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  IndicatorID: IndicatorID
  Created: created
  IPAbuse: IPAbuse
  Modified: modified
  ValidFrom: valid_from
  Tags: Tags
  Country: Country
  SecurityVendors: SecurityVendors
  TimeGenerated: TimeGenerated
  Description: Description
  ThreatType: ThreatType
  Roles: Roles
  Sources: Sources
  RecommendedActions: RecommendedActions
triggerOperator: GreaterThan
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aba36dc3-af43-4ab6-9349-3d1e37f1d4f3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aba36dc3-af43-4ab6-9349-3d1e37f1d4f3')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "aba36dc3-af43-4ab6-9349-3d1e37f1d4f3",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "Created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "IPAbuse": "IPAbuse",
          "Modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "ValidFrom": "valid_from"
        },
        "description": "\"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. \nThese indicators may include IP addresses, domains, and URLs related to Tor network activity. \nThreat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.\"\n",
        "displayName": "CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv4",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv6",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockMediumSeverityRule.yaml",
        "query": "//TOR Node Network Indicators - Block Recommended\nlet timeFrame= 5m;\nCyfirmaIndicators_CL \n| where (ConfidenceScore < 80 and ConfidenceScore >= 50)\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'\n| extend IPv4 = extract(@\"ipv4-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend IPv6 = extract(@\"ipv6-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend URL = extract(@\"url:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend Domain = extract(@\"domain-name:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    extension_id = extensionKeyStr,\n    ASN_Owner = props.asn_owner,\n    ASN = props.asn,\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project\n    IPv4,\n    IPv6,\n    URL,\n    Domain,\n    ThreatActors,\n    RecommendedActions,\n    Sources,\n    Roles,\n    Country,\n    IPAbuse,\n    name,\n    Description,\n    ConfidenceScore,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    SecurityVendors,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1090.003",
          "T1048.002",
          "T1071.001",
          "T1505.003",
          "T1595.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl",
          "Exfiltration",
          "InitialAccess",
          "Persistence",
          "Reconnaissance"
        ],
        "techniques": [
          "T1048",
          "T1071",
          "T1090",
          "T1189",
          "T1505",
          "T1572",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}