CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
| Id | b89c893e-650f-4569-afc3-c487efee2472 |
| Rulename | CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule |
| Description | “This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.” |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence DefenseEvasion CommandAndControl CredentialAccess |
| Techniques | T1566 T1204 T1547 T1027 T1071 T1003 T1566.001 T1547.001 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | b89c893e-650f-4569-afc3-c487efee2472.json |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
kind: Scheduled
customDetails:
Description: Description
SecurityVendors: SecurityVendors
ConfidenceScore: ConfidenceScore
created: created
Sources: Sources
modified: modified
ThreatActors: ThreatActors
RecommendedActions: RecommendedActions
Country: Country
ThreatType: ThreatType
ValidFrom: valid_from
Tags: Tags
TimeGenerated: TimeGenerated
IndicatorID: IndicatorID
Roles: Roles
suppressionDuration: 5m
entityMappings:
- entityType: FileHash
fieldMappings:
- columnName: Algo_MD5
identifier: Algorithm
- columnName: MD5
identifier: Value
- entityType: FileHash
fieldMappings:
- columnName: Algo_SHA1
identifier: Algorithm
- columnName: SHA1
identifier: Value
- entityType: FileHash
fieldMappings:
- columnName: Algo_SHA256
identifier: Algorithm
- columnName: SHA256
identifier: Value
description: |
"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table.
It specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values.
The query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information."
severity: Medium
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1566
- T1204
- T1547
- T1027
- T1071
- T1003
- T1566.001
- T1547.001
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: true
version: 1.0.1
name: CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
id: b89c893e-650f-4569-afc3-c487efee2472
query: |
//Trojan File Hash Indicators with Monitor Action
let timeFrame = 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
Algo_MD5='md5',
Algo_SHA1= 'SHA1',
Algo_SHA256='SHA256',
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
MD5,
Algo_MD5,
SHA1,
Algo_SHA1,
SHA256,
Algo_SHA256,
ThreatActors,
Sources,
RecommendedActions,
Roles,
Country,
name,
Description,
ConfidenceScore,
SecurityVendors,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CommandAndControl
- CredentialAccess
enabled: false
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} '
alertDescriptionFormat: '{{Description}} - {{name}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b89c893e-650f-4569-afc3-c487efee2472')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b89c893e-650f-4569-afc3-c487efee2472')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence Trojan File Hash Indicators with Monitor Action - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "b89c893e-650f-4569-afc3-c487efee2472",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. \nIt specifically targets indicators containing file hashes linked to Trojan behavior and retrieves MD5, SHA1, and SHA256 values. \nThe query also includes contextual threat intelligence such as threat actors, tags, sources, and geolocation information.\"\n",
"displayName": "CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_MD5",
"identifier": "Algorithm"
},
{
"columnName": "MD5",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA1",
"identifier": "Algorithm"
},
{
"columnName": "SHA1",
"identifier": "Value"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "Algo_SHA256",
"identifier": "Algorithm"
},
{
"columnName": "SHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanFileHashIndicatorsMonitorMediumSeverityRule.yaml",
"query": "//Trojan File Hash Indicators with Monitor Action\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where (ConfidenceScore < 80 and ConfidenceScore >= 50)\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Trojan')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n Algo_MD5='md5',\n Algo_SHA1= 'SHA1',\n Algo_SHA256='SHA256',\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project \n MD5,\n Algo_MD5,\n SHA1,\n Algo_SHA1,\n SHA256,\n Algo_SHA256,\n ThreatActors,\n Sources,\n RecommendedActions,\n Roles,\n Country,\n name,\n Description,\n ConfidenceScore,\n SecurityVendors,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [
"T1566.001",
"T1547.001"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1027",
"T1071",
"T1204",
"T1547",
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}