Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware

Back
Idca16daff-28dd-499d-93fe-0bb232d76d4f
RulenameCYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware
Description“This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes.

It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of ‘Monitor’, and roles marked as ‘Malware’.

Extracted hashes and key threat intelligence details are projected for monitoring and investigation.”
SeverityMedium
TacticsDefenseEvasion
InitialAccess
Impact
Execution
TechniquesT1027
T1486
T1204
T1485
T1218
T1566.001
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorMediumSeverityRule.yaml
Version1.0.0
Arm templateca16daff-28dd-499d-93fe-0bb232d76d4f.json
Deploy To Azure
// File Hash Indicators with Monitor Action and Malware
let timeFrame = 5m;
CyfirmaIndicators_CL 
| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
| extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
| extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
| extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
| extend
    Algo_MD5='md5',
    Algo_SHA1= 'SHA1',
    Algo_SHA256='SHA256',
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project  
    MD5,
    Algo_MD5,
    SHA1,
    Algo_SHA1,
    SHA256,
    Algo_SHA256,
    ThreatActors,
    Sources,
    RecommendedActions,
    Roles,
    Country,
    name,
    Description,
    ConfidenceScore,
    SecurityVendors,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    ProductName,
    ProviderName
entityMappings:
- fieldMappings:
  - columnName: Algo_MD5
    identifier: Algorithm
  - columnName: MD5
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: Algo_SHA1
    identifier: Algorithm
  - columnName: SHA1
    identifier: Value
  entityType: FileHash
- fieldMappings:
  - columnName: Algo_SHA256
    identifier: Algorithm
  - columnName: SHA256
    identifier: Value
  entityType: FileHash
triggerThreshold: 0
severity: Medium
suppressionDuration: 5m
queryFrequency: 5m
queryPeriod: 5m
enabled: false
customDetails:
  TimeGenerated: TimeGenerated
  Country: Country
  Sources: Sources
  valid_from: valid_from
  RecommendedActions: RecommendedActions
  SecurityVendors: SecurityVendors
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  IndicatorID: IndicatorID
  Tags: Tags
  Roles: Roles
  ThreatType: ThreatType
  Description: Description
  modified: modified
  created: created
relevantTechniques:
- T1027
- T1486
- T1204
- T1485
- T1218
- T1566.001
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence File Hash Indicators with Monitor Action and Malware - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: ProviderName
  - alertProperty: ProductName
    value: ProductName
triggerOperator: GreaterThan
id: ca16daff-28dd-499d-93fe-0bb232d76d4f
suppressionEnabled: true
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
version: 1.0.0
name: CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. 
  It filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Monitor', and roles marked as 'Malware'. 
  Extracted hashes and key threat intelligence details are projected for monitoring and investigation."  
query: |
  // File Hash Indicators with Monitor Action and Malware
  let timeFrame = 5m;
  CyfirmaIndicators_CL 
  | where  (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')
  | extend MD5 = extract(@"file:hashes\.md5\s*=\s*'([a-fA-F0-9]{32})'", 1, pattern)
  | extend SHA1 = extract(@"file:hashes\.'SHA-1'\s*=\s*'([a-fA-F0-9]{40})'", 1, pattern)
  | extend SHA256 = extract(@"file:hashes\.'SHA-256'\s*=\s*'([a-fA-F0-9]{64})'", 1, pattern)
  | extend
      Algo_MD5='md5',
      Algo_SHA1= 'SHA1',
      Algo_SHA256='SHA256',
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project  
      MD5,
      Algo_MD5,
      SHA1,
      Algo_SHA1,
      SHA256,
      Algo_SHA256,
      ThreatActors,
      Sources,
      RecommendedActions,
      Roles,
      Country,
      name,
      Description,
      ConfidenceScore,
      SecurityVendors,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      ProductName,
      ProviderName  
tactics:
- DefenseEvasion
- InitialAccess
- Impact
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorMediumSeverityRule.yaml
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ca16daff-28dd-499d-93fe-0bb232d76d4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ca16daff-28dd-499d-93fe-0bb232d76d4f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} - {{name}} ",
          "alertDisplayNameFormat": "High-Confidence File Hash Indicators with Monitor Action and Malware - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            },
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            }
          ]
        },
        "alertRuleTemplateName": "ca16daff-28dd-499d-93fe-0bb232d76d4f",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "Country": "Country",
          "created": "created",
          "Description": "Description",
          "IndicatorID": "IndicatorID",
          "modified": "modified",
          "RecommendedActions": "RecommendedActions",
          "Roles": "Roles",
          "SecurityVendors": "SecurityVendors",
          "Sources": "Sources",
          "Tags": "Tags",
          "ThreatActors": "ThreatActors",
          "ThreatType": "ThreatType",
          "TimeGenerated": "TimeGenerated",
          "valid_from": "valid_from"
        },
        "description": "\"This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. \nIt filters records with a confidence score of 80 or higher, containing file hash patterns, a recommended action of 'Monitor', and roles marked as 'Malware'. \nExtracted hashes and key threat intelligence details are projected for monitoring and investigation.\"\n",
        "displayName": "CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware",
        "enabled": false,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_MD5",
                "identifier": "Algorithm"
              },
              {
                "columnName": "MD5",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA1",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA1",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "Algo_SHA256",
                "identifier": "Algorithm"
              },
              {
                "columnName": "SHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/MalwareFileHashIndicatorsMonitorMediumSeverityRule.yaml",
        "query": "// File Hash Indicators with Monitor Action and Malware\nlet timeFrame = 5m;\nCyfirmaIndicators_CL \n| where  (ConfidenceScore < 80 and ConfidenceScore >= 50)\n    and TimeGenerated between (ago(timeFrame) .. now())\n    and pattern contains 'file:hashes' and RecommendedActions has 'Monitor' and (Roles contains 'Malware')\n| extend MD5 = extract(@\"file:hashes\\.md5\\s*=\\s*'([a-fA-F0-9]{32})'\", 1, pattern)\n| extend SHA1 = extract(@\"file:hashes\\.'SHA-1'\\s*=\\s*'([a-fA-F0-9]{40})'\", 1, pattern)\n| extend SHA256 = extract(@\"file:hashes\\.'SHA-256'\\s*=\\s*'([a-fA-F0-9]{64})'\", 1, pattern)\n| extend\n    Algo_MD5='md5',\n    Algo_SHA1= 'SHA1',\n    Algo_SHA256='SHA256',\n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| project  \n    MD5,\n    Algo_MD5,\n    SHA1,\n    Algo_SHA1,\n    SHA256,\n    Algo_SHA256,\n    ThreatActors,\n    Sources,\n    RecommendedActions,\n    Roles,\n    Country,\n    name,\n    Description,\n    ConfidenceScore,\n    SecurityVendors,\n    IndicatorID,\n    created,\n    modified,\n    valid_from,\n    Tags,\n    ThreatType,\n    TimeGenerated,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1566.001"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": true,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1027",
          "T1204",
          "T1218",
          "T1485",
          "T1486",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}