Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule

Back
Idc7c02bbf-b775-4e85-a3c7-7f8a9318fd2f
RulenameCYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule
Description“This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure.

These may represent attacker-controlled endpoints used to maintain persistence, exfiltrate data, or receive commands from malware-infected hosts.”
SeverityHigh
TacticsInitialAccess
Execution
CommandAndControl
TechniquesT1566
T1189
T1204
T1071
T1090
T1059
T1568
T1566.002
T1204.001
T1071.001
T1568.002
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareNetworkIndicatorsBlockHighSeverityRule.yaml
Version1.0.0
Arm templatec7c02bbf-b775-4e85-a3c7-7f8a9318fd2f.json
Deploy To Azure
//Network Indicators Associated with Malware - Block Recommended Rule
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Malware'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName
entityMappings:
- fieldMappings:
  - columnName: IPv4
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: IPv6
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: URL
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: High
suppressionDuration: 5m
queryFrequency: 5m
queryPeriod: 5m
enabled: false
customDetails:
  TimeGenerated: TimeGenerated
  Country: Country
  Sources: Sources
  RecommendedActions: RecommendedActions
  SecurityVendors: SecurityVendors
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  ValidFrom: valid_from
  IndicatorID: IndicatorID
  Tags: Tags
  Roles: Roles
  ThreatType: ThreatType
  IPAbuse: IPAbuse
  Description: Description
  Modified: modified
  Created: created
relevantTechniques:
- T1566
- T1189
- T1204
- T1071
- T1090
- T1059
- T1568
- T1566.002
- T1204.001
- T1071.001
- T1568.002
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Malicious Network Indicators Associated with Malware - Block Recommended - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: GreaterThan
id: c7c02bbf-b775-4e85-a3c7-7f8a9318fd2f
suppressionEnabled: true
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
version: 1.0.0
name: CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure.
  These may represent attacker-controlled endpoints used to maintain persistence, exfiltrate data, or receive commands from malware-infected hosts."  
query: |
  //Network Indicators Associated with Malware - Block Recommended Rule
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Malware'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
tactics:
- InitialAccess
- Execution
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareNetworkIndicatorsBlockHighSeverityRule.yaml
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7c02bbf-b775-4e85-a3c7-7f8a9318fd2f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7c02bbf-b775-4e85-a3c7-7f8a9318fd2f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence Malicious Network Indicators Associated with Malware - Block Recommended - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "c7c02bbf-b775-4e85-a3c7-7f8a9318fd2f",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "Created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "IPAbuse": "IPAbuse",
          "Modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "ValidFrom": "valid_from"
        },
        "description": "\"This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure.\nThese may represent attacker-controlled endpoints used to maintain persistence, exfiltrate data, or receive commands from malware-infected hosts.\"\n",
        "displayName": "CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv4",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPv6",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareNetworkIndicatorsBlockHighSeverityRule.yaml",
        "query": "//Network Indicators Associated with Malware - Block Recommended Rule\nlet timeFrame= 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Malware'\n| extend IPv4 = extract(@\"ipv4-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend IPv6 = extract(@\"ipv6-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend URL = extract(@\"url:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend Domain = extract(@\"domain-name:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    extension_id = extensionKeyStr,\n    ASN_Owner = props.asn_owner,\n    ASN = props.asn,\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project\n    IPv4,\n    IPv6,\n    URL,\n    Domain,\n    ThreatActors,\n    RecommendedActions,\n    Sources,\n    Roles,\n    Country,\n    IPAbuse,\n    name,\n    Description,\n    ConfidenceScore,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    SecurityVendors,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [
          "T1566.002",
          "T1204.001",
          "T1071.001",
          "T1568.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1059",
          "T1071",
          "T1090",
          "T1189",
          "T1204",
          "T1566",
          "T1568"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}