Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule

Back
Idb89c893e-650f-4569-afc3-c487efee2472
RulenameCYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
Description“This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.

It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.

The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.”
SeverityMedium
TacticsInitialAccess
Execution
Persistence
DefenseEvasion
CommandAndControl
CredentialAccess
TechniquesT1566
T1204
T1547
T1027
T1071
T1003
T1566.001
T1547.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml
Version1.0.0
Arm templateb89c893e-650f-4569-afc3-c487efee2472.json
Deploy To Azure
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName
suppressionDuration: 5m
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
description: |
  "This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. 
  It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. 
  The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."  
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
query: |
  //Trojan File Hash Indicators with Monitor Action
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
version: 1.0.0
name: CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5m
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
  entityType: FileHash
suppressionEnabled: true
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
severity: Medium
enabled: false
id: b89c893e-650f-4569-afc3-c487efee2472
customDetails:
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  IndicatorID: IndicatorID
  created: created
  modified: modified
  ValidFrom: valid_from
  Tags: Tags
  Country: Country
  SecurityVendors: SecurityVendors
  TimeGenerated: TimeGenerated
  Description: Description
  ThreatType: ThreatType
  Roles: Roles
  Sources: Sources
  RecommendedActions: RecommendedActions
triggerOperator: GreaterThan
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b89c893e-650f-4569-afc3-c487efee2472')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b89c893e-650f-4569-afc3-c487efee2472')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "b89c893e-650f-4569-afc3-c487efee2472",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "ValidFrom": "valid_from"
        },
        "description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
        "displayName": "CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_MD5",
                "identifier": "Algorithm"
              },
              {
                "columnName": "MD5",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA1",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA1",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA256",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml",
        "query": "//Trojan File Hash Indicators with Monitor Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where (ConfidenceScore < 80 and ConfidenceScore >= 50)\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n    Algo_MD5='md5',\n    Algo_SHA1= 'SHA1',\n    Algo_SHA256='SHA256',\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project  \n    MD5,\n    Algo_MD5,\n    SHA1,\n    Algo_SHA1,\n    SHA256,\n    Algo_SHA256,\n    ThreatActors,\n    Sources,\n    RecommendedActions,\n    Roles,\n    Country,\n    name,\n    Description,\n    ConfidenceScore,\n    SecurityVendors,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1566.001",
          "T1547.001"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1003",
          "T1027",
          "T1071",
          "T1204",
          "T1547",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}