CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
| Id | fa53ac37-a646-4106-91b6-ce478a1b5323 |
| Rulename | CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule |
| Description | “This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’. These indicators may include IP addresses, domains, and URLs related to Tor network activity. Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.” |
| Severity | High |
| Tactics | CommandAndControl Exfiltration InitialAccess Persistence Reconnaissance |
| Techniques | T1090 T1572 T1048 T1071 T1189 T1505 T1595 T1090.003 T1048.002 T1071.001 T1505.003 T1595.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml |
| Version | 1.0.1 |
| Arm template | fa53ac37-a646-4106-91b6-ce478a1b5323.json |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
name: CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
query: |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
queryFrequency: 5m
triggerOperator: GreaterThan
requiredDataConnectors:
- dataTypes:
- CyfirmaIndicators_CL
connectorId: CyfirmaCyberIntelligenceDC
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
alertDetailsOverride:
alertDescriptionFormat: '{{Description}} - {{name}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} '
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: PT5H
enabled: false
enabled: false
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPv4
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPv6
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Domain
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml
description: |
"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'.
These indicators may include IP addresses, domains, and URLs related to Tor network activity.
Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."
version: 1.0.1
customDetails:
IPAbuse: IPAbuse
ConfidenceScore: ConfidenceScore
SecurityVendors: SecurityVendors
Tags: Tags
Created: created
ThreatType: ThreatType
RecommendedActions: RecommendedActions
TimeGenerated: TimeGenerated
Description: Description
IndicatorID: IndicatorID
ThreatActors: ThreatActors
Modified: modified
Country: Country
Roles: Roles
Sources: Sources
ValidFrom: valid_from
kind: Scheduled
suppressionEnabled: true
suppressionDuration: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: High
id: fa53ac37-a646-4106-91b6-ce478a1b5323
queryPeriod: 5m