Microsoft Sentinel Analytic Rules

CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule

Idbaa63d52-285d-43bf-a34e-8ed2fa260f9e
RulenameCYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule
Description“This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure.

These indicators may represent attacker-controlled endpoints used for persistence, data exfiltration, or command delivery to compromised systems.”
SeverityMedium
TacticsImpact
Persistence
DefenseEvasion
CredentialAccess
CommandAndControl
Execution
InitialAccess
TechniquesT1496
T1053
T1555
T1090
T1071
T1204
T1189
T1053.005
T1555.003
T1071.001
T1204.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanNetworkIndicatorsBlockMediumSeverityRule.yaml
Version1.0.1
Arm templatebaa63d52-285d-43bf-a34e-8ed2fa260f9e.json
//Trojan Network Indicators - Block Recommended
// Purpose: select CYFIRMA indicators from the last 5 minutes that carry the Trojan role,
// a Block recommendation and a confidence score in [50, 80), then pull the network
// observable (IPv4 / IPv6 / URL / domain) out of the indicator's pattern string.
// NOTE(review): the query reads only CyfirmaIndicators_CL. Nothing here matches the
// indicators against network or endpoint logs, so a result means "indicator received
// from the feed", not "indicator observed in this environment".
// Lookback window. It equals the 5m query frequency and period listed for this rule, so
// consecutive runs do not overlap.
// NOTE(review): a row whose TimeGenerated is already older than 5m when it becomes
// queryable would never be evaluated - confirm how the connector stamps TimeGenerated.
let timeFrame= 5m;
CyfirmaIndicators_CL 
// Filter: confidence band, time window, no file-hash patterns, Block recommended, Trojan role.
// `has` is a whole-term match; `!contains` is a substring test on the pattern text.
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Trojan'
// Each extract() returns capture group 1 of the first match only; a column stays empty
// when the pattern holds no term of that type.
// NOTE(review): if one pattern can carry several values of the same type, only the first
// one is captured here - verify against the feed's pattern format.
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
// Extension handling: parse the extensions JSON, expand to one row per top-level key and
// read asn / asn_owner from that key's properties.
// NOTE(review): extension_id, ASN_Owner and ASN are not in the final project list, so this
// stage adds no output column. An indicator with more than one extension key would be
// emitted once per key, which presumably means repeated alerts for the same indicator -
// confirm, then either project these fields or drop the stage.
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
// Final column set: the four extracted observables, the indicator context columns taken
// from the table, and the two constant provider/product labels set above.
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName
# Scheduled analytics rule: the query is run on a fixed interval (see queryFrequency
# and queryPeriod elsewhere in this file).
kind: Scheduled
# customDetails maps an alert detail name (left) to a query output column (right).
# Every column named here appears in the query's final project list.
customDetails:
  IPAbuse: IPAbuse
  Description: Description
  SecurityVendors: SecurityVendors
  ConfidenceScore: ConfidenceScore
  Created: created
  Sources: Sources
  Modified: modified
  ThreatActors: ThreatActors
  RecommendedActions: RecommendedActions
  Country: Country
  ThreatType: ThreatType
  ValidFrom: valid_from
  Tags: Tags
  TimeGenerated: TimeGenerated
  IndicatorID: IndicatorID
  Roles: Roles
# Suppression window; it takes effect because suppressionEnabled is true further down
# in this file.
# NOTE(review): 5m equals both queryFrequency and queryPeriod. If suppression causes a
# scheduled run to be skipped, indicators whose TimeGenerated falls inside the skipped
# window would be outside the next run's 5m lookback - confirm this is intended.
suppressionDuration: 5m
# Entity mappings from query output columns to alert entities. IPv4 and IPv6 are mapped
# as two separate IP entities; the query leaves a column empty when the indicator
# pattern holds no value of that type.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPv4
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: IPv6
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
- entityType: URL
  fieldMappings:
  - columnName: URL
    identifier: Url
# NOTE(review): the description below speaks of Command & Control infrastructure, while
# the rule name and the query filter (Roles has 'Trojan') select Trojan-tagged indicators.
# The text may have been carried over from a sibling rule - confirm the wording.
description: |
  "This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. 
  These indicators may represent attacker-controlled endpoints used for persistence, data exfiltration, or command delivery to compromised systems."  
severity: Medium
# How often the rule runs.
queryFrequency: 5m
# Incident settings: an incident is created for alerts from this rule, and alert grouping
# is switched off (enabled: false), so lookbackDuration and matchingMethod are inactive.
# NOTE(review): with grouping off and aggregationKind AlertPerResult, each result row is
# presumably turned into its own alert and incident - watch volume on busy feeds.
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
# Used together with triggerOperator GreaterThan: the rule fires when the query returns
# more than 0 rows.
triggerThreshold: 0
# Static ATT&CK labels attached to every alert. The query does not inspect anything
# technique-specific, so these describe the indicator category rather than observed behaviour.
relevantTechniques:
- T1496
- T1053
- T1555
- T1090
- T1071
- T1204
- T1189
- T1053.005
- T1555.003
- T1071.001
- T1204.001
# One alert per query result row.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Activates suppressionDuration (5m in this file).
suppressionEnabled: true
version: 1.0.1
name: CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule
id: baa63d52-285d-43bf-a34e-8ed2fa260f9e
# KQL run by the rule. It selects CyfirmaIndicators_CL rows from the last 5 minutes with
# ConfidenceScore in [50, 80), a Block recommendation and the Trojan role, skips file-hash
# patterns, and extracts the first IPv4 / IPv6 / URL / domain value from the pattern string.
# NOTE(review): only the indicator table is read; results are not matched against network
# or endpoint logs, so an alert means "indicator received", not "indicator observed here".
# NOTE(review): extension_id, ASN_Owner and ASN are computed but not projected, while the
# mv-expand over extension keys can emit one row per key - with AlertPerResult that
# presumably repeats the alert. Confirm, then project the fields or drop the stage.
# NOTE(review): the 5m lookback equals queryFrequency, leaving no allowance for rows that
# become queryable late - confirm how the connector stamps TimeGenerated.
query: |
  //Trojan Network Indicators - Block Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Trojan'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
# Data dependency: the rule needs the CyfirmaIndicators_CL table, supplied by the
# CyfirmaCyberIntelligenceDC connector.
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
# Static ATT&CK tactic labels attached to every alert from this rule.
tactics:
- Impact
- Persistence
- DefenseEvasion
- CredentialAccess
- CommandAndControl
- Execution
- InitialAccess
# The rule is defined as disabled; it produces nothing until it is switched on.
enabled: false
# Alert title and description are built from the query's name and Description columns.
# NOTE(review): the display name starts with 'High-Confidence', but this is the Medium
# severity rule and its query keeps only ConfidenceScore in [50, 80). The title looks
# carried over from a higher-confidence sibling rule and can mislead triage - confirm and
# align the wording with the rule name.
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Trojan Network Indicators - Block Recommended Rule - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  # ProductName and ProviderName are constants set by the query ('DeCYFIR/DeTCT', 'CYFIRMA').
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
# Used with triggerThreshold 0: fire when the query returns more than 0 rows.
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanNetworkIndicatorsBlockMediumSeverityRule.yaml
# Lookback window the scheduler gives the query; same value as queryFrequency (5m).
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baa63d52-285d-43bf-a34e-8ed2fa260f9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baa63d52-285d-43bf-a34e-8ed2fa260f9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence Trojan Network Indicators - Block Recommended Rule - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "baa63d52-285d-43bf-a34e-8ed2fa260f9e",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "Created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "IPAbuse": "IPAbuse",
          "Modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "ValidFrom": "valid_from"
        },
        "description": "\"This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. \nThese indicators may represent attacker-controlled endpoints used for persistence, data exfiltration, or command delivery to compromised systems.\"\n",
        "displayName": "CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv4",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv6",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TrojanNetworkIndicatorsBlockMediumSeverityRule.yaml",
        "query": "//Trojan Network Indicators - Block Recommended\nlet timeFrame= 5m;\nCyfirmaIndicators_CL \n| where (ConfidenceScore < 80 and ConfidenceScore >= 50)\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Trojan'\n| extend IPv4 = extract(@\"ipv4-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend IPv6 = extract(@\"ipv6-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend URL = extract(@\"url:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend Domain = extract(@\"domain-name:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    extension_id = extensionKeyStr,\n    ASN_Owner = props.asn_owner,\n    ASN = props.asn,\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project\n    IPv4,\n    IPv6,\n    URL,\n    Domain,\n    ThreatActors,\n    RecommendedActions,\n    Sources,\n    Roles,\n    Country,\n    IPAbuse,\n    name,\n    Description,\n    ConfidenceScore,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    SecurityVendors,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1053.005",
          "T1555.003",
          "T1071.001",
          "T1204.001"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "Impact",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1053",
          "T1071",
          "T1090",
          "T1189",
          "T1204",
          "T1496",
          "T1555"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}