CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule
| Id | e41b7640-9ba6-42d6-a4c9-1ab6932a0b14 |
| Rulename | CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule |
| Description | “This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’. These indicators may include IP addresses, domains, and URLs related to Tor network activity. Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.” |
| Severity | Medium |
| Tactics | CommandAndControl Exfiltration InitialAccess Persistence Reconnaissance |
| Techniques | T1090 T1572 T1048 T1071 T1189 T1505 T1595 T1090.003 T1048.002 T1071.001 T1505.003 T1595.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsMonitorMediumSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | e41b7640-9ba6-42d6-a4c9-1ab6932a0b14.json |
//TOR Node Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
queryPeriod: 5m
query: |
//TOR Node Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
severity: Medium
version: 1.0.1
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Monitor Recommended - {{name}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
alertDescriptionFormat: '{{Description}} - {{name}} '
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
customDetails:
Roles: Roles
Tags: Tags
Created: created
ConfidenceScore: ConfidenceScore
ThreatType: ThreatType
Description: Description
TimeGenerated: TimeGenerated
Country: Country
SecurityVendors: SecurityVendors
IndicatorID: IndicatorID
ValidFrom: valid_from
ThreatActors: ThreatActors
Modified: modified
Sources: Sources
RecommendedActions: RecommendedActions
IPAbuse: IPAbuse
description: |
"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'.
These indicators may include IP addresses, domains, and URLs related to Tor network activity.
Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPv4
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPv6
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Domain
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
suppressionEnabled: true
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsMonitorMediumSeverityRule.yaml
suppressionDuration: 5m
kind: Scheduled
name: CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule
enabled: false
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
id: e41b7640-9ba6-42d6-a4c9-1ab6932a0b14
queryFrequency: 5m
triggerOperator: GreaterThan
triggerThreshold: 0