Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI map File Hash to DeviceFileEvents Event

Back
Idbc0eca2e-db50-44e6-8fa3-b85f91ff5ee7
RulenameTI map File Hash to DeviceFileEvents Event
DescriptionIdentifies a match in DeviceFileEvents Event data from any FileHash IOC from TI
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsMicrosoftDefenderThreatIntelligence
MicrosoftThreatProtection
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml
Version1.0.1
Arm templatebc0eca2e-db50-44e6-8fa3-b85f91ff5ee7.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DeviceFileEvents_ = (union
(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));
let Hashes = DeviceFileEvents_ | distinct FileHashValue;
ThreatIntelligenceIndicator
| where isnotempty(FileHashValue)
| where TimeGenerated > ago(ioc_lookBack)
| where FileHashValue in (Hashes)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue
| where TimeGenerated < ExpirationDateTime
| summarize TimeGenerated = arg_max(TimeGenerated, *) by  IndicatorId, DeviceId
| project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup
| extend timestamp = TimeGenerated
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
relevantTechniques:
- T1071
triggerOperator: gt
triggerThreshold: 0
id: bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml
description: |
    'Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI'
tactics:
- CommandAndControl
queryPeriod: 14d
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: RequestAccountName
  - identifier: Sid
    columnName: RequestAccountSid
  - identifier: NTDomain
    columnName: RequestAccountDomain
- entityType: FileHash
  fieldMappings:
  - identifier: Value
    columnName: FileHashValue
  - identifier: Algorithm
    columnName: FileHashType
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
severity: Medium
kind: Scheduled
name: TI map File Hash to DeviceFileEvents Event
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let DeviceFileEvents_ = (union
  (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
  (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));
  let Hashes = DeviceFileEvents_ | distinct FileHashValue;
  ThreatIntelligenceIndicator
  | where isnotempty(FileHashValue)
  | where TimeGenerated > ago(ioc_lookBack)
  | where FileHashValue in (Hashes)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
  | join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue
  | where TimeGenerated < ExpirationDateTime
  | summarize TimeGenerated = arg_max(TimeGenerated, *) by  IndicatorId, DeviceId
  | project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup
  | extend timestamp = TimeGenerated  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')]",
      "properties": {
        "alertRuleTemplateName": "bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7",
        "customDetails": null,
        "description": "'Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI'\n",
        "displayName": "TI map File Hash to DeviceFileEvents Event",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "RequestAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "RequestAccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "RequestAccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashValue",
                "identifier": "Value"
              },
              {
                "columnName": "FileHashType",
                "identifier": "Algorithm"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceFileEvents_ = (union\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));\nlet Hashes = DeviceFileEvents_ | distinct FileHashValue;\nThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated > ago(ioc_lookBack)\n| where FileHashValue in (Hashes)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue\n| where TimeGenerated < ExpirationDateTime\n| summarize TimeGenerated = arg_max(TimeGenerated, *) by  IndicatorId, DeviceId\n| project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}