CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
| Id | b89c893e-650f-4569-afc3-c487efee2472 |
| Rulename | CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule |
| Description | “This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.” |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess |
| Techniques | T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml |
| Version | 1.0.0 |
| Arm template | b89c893e-650f-4569-afc3-c487efee2472.json |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
dataTypes:
- CyfirmaIndicators_CL
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5m
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.
It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.
The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."
query: |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
id: b89c893e-650f-4569-afc3-c487efee2472
triggerOperator: GreaterThan
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{Description}} - {{name}} '
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml
queryFrequency: 5m
enabled: false
severity: Medium
entityMappings:
- fieldMappings:
- columnName: Algo_MD5
identifier: Algorithm
- columnName: MD5
identifier: Value
entityType: FileHash
- fieldMappings:
- columnName: Algo_SHA1
identifier: Algorithm
- columnName: SHA1
identifier: Value
entityType: FileHash
- fieldMappings:
- columnName: Algo_SHA256
identifier: Algorithm
- columnName: SHA256
identifier: Value
entityType: FileHash
name: CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
suppressionEnabled: true
suppressionDuration: 5m
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
TimeGenerated: TimeGenerated
Country: Country
ThreatType: ThreatType
RecommendedActions: RecommendedActions
Description: Description
ConfidenceScore: ConfidenceScore
ValidFrom: valid_from
created: created
ThreatActors: ThreatActors
modified: modified
Sources: Sources
IndicatorID: IndicatorID
Tags: Tags
SecurityVendors: SecurityVendors
Roles: Roles
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b89c893e-650f-4569-afc3-c487efee2472')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b89c893e-650f-4569-afc3-c487efee2472')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "b89c893e-650f-4569-afc3-c487efee2472",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
"displayName": "CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_MD5",
"identifier": "Algorithm"
},
{
"columnName": "MD5",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA1",
"identifier": "Algorithm"
},
{
"columnName": "SHA1",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA256",
"identifier": "Algorithm"
},
{
"columnName": "SHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml",
"query": "//Trojan File Hash Indicators with Monitor Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where (ConfidenceScore < 80 and ConfidenceScore >= 50)\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n Algo_MD5='md5',\n Algo_SHA1= 'SHA1',\n Algo_SHA256='SHA256',\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project \n MD5,\n Algo_MD5,\n SHA1,\n Algo_SHA1,\n SHA256,\n Algo_SHA256,\n ThreatActors,\n Sources,\n RecommendedActions,\n Roles,\n Country,\n name,\n Description,\n ConfidenceScore,\n SecurityVendors,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [
"T1566.001",
"T1547.001"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1027",
"T1071",
"T1204",
"T1547",
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}