CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware

Back


Id	ca16daff-28dd-499d-93fe-0bb232d76d4f
Rulename	CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware
Description	“This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Monitor’, and roles marked as ‘Malware’. Extracted hashes and key threat intelligence details are projected for monitoring and investigation.”
Severity	Medium
Tactics	DefenseEvasion InitialAccess Impact Execution
Techniques	T1027 T1486 T1204 T1485 T1218 T1566.001
Required data connectors	CyfirmaCyberIntelligenceDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorMediumSeverityRule.yaml
Version	1.0.1
Arm template	ca16daff-28dd-499d-93fe-0bb232d76d4f.json

KQL

// File Hash Indicators with Monitor Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName

YAML

id: ca16daff-28dd-499d-93fe-0bb232d76d4f
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action and Malware - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: ProviderName
  - alertProperty: ProductName
    value: ProductName
  alertDescriptionFormat: '{{Description}} - {{name}} '
customDetails:
  RecommendedActions: RecommendedActions
  TimeGenerated: TimeGenerated
  valid_from: valid_from
  Description: Description
  Tags: Tags
  Sources: Sources
  Roles: Roles
  IndicatorID: IndicatorID
  modified: modified
  ThreatActors: ThreatActors
  ThreatType: ThreatType
  SecurityVendors: SecurityVendors
  Country: Country
  ConfidenceScore: ConfidenceScore
  created: created
triggerThreshold: 0
description: |
  "This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. 
  It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Monitor', and roles marked as 'Malware'. 
  Extracted hashes and key threat intelligence details are projected for monitoring and investigation."  
suppressionDuration: 5m
enabled: false
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
queryPeriod: 5m
version: 1.0.1
severity: Medium
tactics:
- DefenseEvasion
- InitialAccess
- Impact
- Execution
queryFrequency: 5m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
entityMappings:
- entityType: FileHash
  fieldMappings:
  - columnName: Algo_MD5
    identifier: Algorithm
  - columnName: MD5
    identifier: Value
- entityType: FileHash
  fieldMappings:
  - columnName: Algo_SHA1
    identifier: Algorithm
  - columnName: SHA1
    identifier: Value
- entityType: FileHash
  fieldMappings:
  - columnName: Algo_SHA256
    identifier: Algorithm
  - columnName: SHA256
    identifier: Value
name: CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware
relevantTechniques:
- T1027
- T1486
- T1204
- T1485
- T1218
- T1566.001
triggerOperator: GreaterThan
query: |
  // File Hash Indicators with Monitor Action and Malware
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
suppressionEnabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorMediumSeverityRule.yaml

ARM