CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule
| Id | aba36dc3-af43-4ab6-9349-3d1e37f1d4f3 |
| Rulename | CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule |
| Description | “This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’. These indicators may include IP addresses, domains, and URLs related to Tor network activity. Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.” |
| Severity | Medium |
| Tactics | CommandAndControl Exfiltration InitialAccess Persistence Reconnaissance |
| Techniques | T1090 T1572 T1048 T1071 T1189 T1505 T1595 T1090.003 T1048.002 T1071.001 T1505.003 T1595.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockMediumSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | aba36dc3-af43-4ab6-9349-3d1e37f1d4f3.json |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
createIncident: true
description: |
"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'.
These indicators may include IP addresses, domains, and URLs related to Tor network activity.
Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{Description}} - {{name}} '
query: |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
name: CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
suppressionDuration: 5m
enabled: false
entityMappings:
- entityType: IP
fieldMappings:
- columnName: IPv4
identifier: Address
- entityType: IP
fieldMappings:
- columnName: IPv6
identifier: Address
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockMediumSeverityRule.yaml
triggerThreshold: 0
severity: Medium
kind: Scheduled
suppressionEnabled: true
queryFrequency: 5m
id: aba36dc3-af43-4ab6-9349-3d1e37f1d4f3
version: 1.0.1
customDetails:
TimeGenerated: TimeGenerated
Description: Description
IndicatorID: IndicatorID
RecommendedActions: RecommendedActions
ConfidenceScore: ConfidenceScore
SecurityVendors: SecurityVendors
Created: created
ValidFrom: valid_from
Sources: Sources
ThreatType: ThreatType
Country: Country
Modified: modified
IPAbuse: IPAbuse
Roles: Roles
Tags: Tags
ThreatActors: ThreatActors
triggerOperator: GreaterThan