CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware

Back


Id	c919c911-8b01-44f8-9c3b-60b1edfc417f
Rulename	CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware
Description	“This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Monitor’, and roles marked as ‘Malware’. Extracted hashes and key threat intelligence details are projected for monitoring and investigation.”
Severity	High
Tactics	DefenseEvasion InitialAccess Impact Execution
Techniques	T1027 T1486 T1204 T1485 T1218 T1566.001
Required data connectors	CyfirmaCyberIntelligenceDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorHighSeverityRule.yaml
Version	1.0.1
Arm template	c919c911-8b01-44f8-9c3b-60b1edfc417f.json

KQL

// File Hash Indicators with Monitor Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

YAML

customDetails:
  Tags: Tags
  Sources: Sources
  ThreatType: ThreatType
  modified: modified
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  RecommendedActions: RecommendedActions
  created: created
  Description: Description
  Country: Country
  IndicatorID: IndicatorID
  Roles: Roles
  SecurityVendors: SecurityVendors
  valid_from: valid_from
  TimeGenerated: TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorHighSeverityRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action and Malware - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProviderName
    alertProperty: ProviderName
  - value: ProductName
    alertProperty: ProductName
query: |
  // File Hash Indicators with Monitor Action and Malware
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1027
- T1486
- T1204
- T1485
- T1218
- T1566.001
kind: Scheduled
name: CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware
tactics:
- DefenseEvasion
- InitialAccess
- Impact
- Execution
severity: High
suppressionDuration: 5m
enabled: false
triggerOperator: GreaterThan
description: |
  "This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. 
  It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Monitor', and roles marked as 'Malware'. 
  Extracted hashes and key threat intelligence details are projected for monitoring and investigation."  
queryFrequency: 5m
triggerThreshold: 0
queryPeriod: 5m
version: 1.0.1
suppressionEnabled: true
entityMappings:
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
  entityType: FileHash
- fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
  entityType: FileHash
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: c919c911-8b01-44f8-9c3b-60b1edfc417f

ARM