Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware

Back
Idc919c911-8b01-44f8-9c3b-60b1edfc417f
RulenameCYFIRMA - High severity File Hash Indicators with Monitor Action and Malware
Description“This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes.

It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Monitor’, and roles marked as ‘Malware’.

Extracted hashes and key threat intelligence details are projected for monitoring and investigation.”
SeverityHigh
TacticsDefenseEvasion
InitialAccess
Impact
Execution
TechniquesT1027
T1486
T1204
T1485
T1218
T1566.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorHighSeverityRule.yaml
Version1.0.1
Arm templatec919c911-8b01-44f8-9c3b-60b1edfc417f.json
Deploy To Azure
// File Hash Indicators with Monitor Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName
description: |
  "This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. 
  It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Monitor', and roles marked as 'Malware'. 
  Extracted hashes and key threat intelligence details are projected for monitoring and investigation."  
tactics:
- DefenseEvasion
- InitialAccess
- Impact
- Execution
suppressionEnabled: true
suppressionDuration: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action and Malware - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProviderName
    alertProperty: ProviderName
  - value: ProductName
    alertProperty: ProductName
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: c919c911-8b01-44f8-9c3b-60b1edfc417f
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Tags: Tags
  TimeGenerated: TimeGenerated
  SecurityVendors: SecurityVendors
  Country: Country
  ThreatActors: ThreatActors
  valid_from: valid_from
  Roles: Roles
  ThreatType: ThreatType
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  Sources: Sources
  Description: Description
  ConfidenceScore: ConfidenceScore
  created: created
  modified: modified
query: |
  // File Hash Indicators with Monitor Action and Malware
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorHighSeverityRule.yaml
kind: Scheduled
queryPeriod: 5m
enabled: false
name: CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1027
- T1486
- T1204
- T1485
- T1218
- T1566.001
version: 1.0.1
entityMappings:
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_MD5
  - identifier: Value
    columnName: MD5
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA1
  - identifier: Value
    columnName: SHA1
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Algo_SHA256
  - identifier: Value
    columnName: SHA256
triggerOperator: GreaterThan