CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule

//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName

requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
queryPeriod: 5m
triggerThreshold: 0
queryFrequency: 5m
suppressionDuration: 5m
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: false
description: |
  "This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. 
  These indicators may include IP addresses, domains, and URLs related to Tor network activity. 
  Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."  
customDetails:
  Tags: Tags
  SecurityVendors: SecurityVendors
  TimeGenerated: TimeGenerated
  Sources: Sources
  ThreatType: ThreatType
  Roles: Roles
  ValidFrom: valid_from
  Modified: modified
  Created: created
  ThreatActors: ThreatActors
  IPAbuse: IPAbuse
  RecommendedActions: RecommendedActions
  Description: Description
  ConfidenceScore: ConfidenceScore
  IndicatorID: IndicatorID
  Country: Country
name: CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
version: 1.0.1
triggerOperator: GreaterThan
id: fa53ac37-a646-4106-91b6-ce478a1b5323
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPv4
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: IPv6
  entityType: IP
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: Url
    columnName: URL
  entityType: URL
kind: Scheduled
suppressionEnabled: true
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} - {{name}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml
query: |
  //TOR Node Network Indicators - Block Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName