CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
| Id | fa53ac37-a646-4106-91b6-ce478a1b5323 |
| Rulename | CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule |
| Description | “This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role ‘TOR’. These indicators may include IP addresses, domains, and URLs related to Tor network activity. Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.” |
| Severity | High |
| Tactics | CommandAndControl Exfiltration InitialAccess Persistence Reconnaissance |
| Techniques | T1090 T1572 T1048 T1071 T1189 T1505 T1595 T1090.003 T1048.002 T1071.001 T1505.003 T1595.002 |
| Required data connectors | CyfirmaCyberIntelligenceDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml |
| Version | 1.0.0 |
| Arm template | fa53ac37-a646-4106-91b6-ce478a1b5323.json |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
dataTypes:
- CyfirmaIndicators_CL
tactics:
- CommandAndControl
- Exfiltration
- InitialAccess
- Persistence
- Reconnaissance
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5m
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'.
These indicators may include IP addresses, domains, and URLs related to Tor network activity.
Threat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses."
query: |
//TOR Node Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL
| where ConfidenceScore >= 80
and TimeGenerated between (ago(timeFrame) .. now())
and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
extension_id = extensionKeyStr,
ASN_Owner = props.asn_owner,
ASN = props.asn,
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| project
IPv4,
IPv6,
URL,
Domain,
ThreatActors,
RecommendedActions,
Sources,
Roles,
Country,
IPAbuse,
name,
Description,
ConfidenceScore,
IndicatorID,
created,
modified,
valid_from,
Tags,
ThreatType,
TimeGenerated,
SecurityVendors,
ProductName,
ProviderName
id: fa53ac37-a646-4106-91b6-ce478a1b5323
triggerOperator: GreaterThan
alertDetailsOverride:
alertDisplayNameFormat: 'High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{Description}} - {{name}} '
relevantTechniques:
- T1090
- T1572
- T1048
- T1071
- T1189
- T1505
- T1595
- T1090.003
- T1048.002
- T1071.001
- T1505.003
- T1595.002
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml
queryFrequency: 5m
enabled: false
severity: High
entityMappings:
- fieldMappings:
- columnName: IPv4
identifier: Address
entityType: IP
- fieldMappings:
- columnName: IPv6
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Domain
identifier: DomainName
entityType: DNS
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
name: CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
suppressionEnabled: true
suppressionDuration: 5m
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
TimeGenerated: TimeGenerated
IPAbuse: IPAbuse
Country: Country
ThreatType: ThreatType
RecommendedActions: RecommendedActions
Description: Description
ConfidenceScore: ConfidenceScore
ValidFrom: valid_from
Created: created
ThreatActors: ThreatActors
Modified: modified
Sources: Sources
IndicatorID: IndicatorID
Tags: Tags
SecurityVendors: SecurityVendors
Roles: Roles
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa53ac37-a646-4106-91b6-ce478a1b5323')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa53ac37-a646-4106-91b6-ce478a1b5323')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} - {{name}} ",
"alertDisplayNameFormat": "High-Confidence TOR Node Network Indicators - Block Recommended - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "fa53ac37-a646-4106-91b6-ce478a1b5323",
"customDetails": {
"ConfidenceScore": "ConfidenceScore",
"Country": "Country",
"Created": "created",
"Description": "Description",
"IndicatorID": "IndicatorID",
"IPAbuse": "IPAbuse",
"Modified": "modified",
"RecommendedActions": "RecommendedActions",
"Roles": "Roles",
"SecurityVendors": "SecurityVendors",
"Sources": "Sources",
"Tags": "Tags",
"ThreatActors": "ThreatActors",
"ThreatType": "ThreatType",
"TimeGenerated": "TimeGenerated",
"ValidFrom": "valid_from"
},
"description": "\"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. \nThese indicators may include IP addresses, domains, and URLs related to Tor network activity. \nThreat actors often use Tor for anonymous communication, command and control, data exfiltration, and evasion of network defenses.\"\n",
"displayName": "CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule",
"enabled": false,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPv4",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPv6",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/TORNodeNetworkIndicatorsBlockHighSeverityRule.yaml",
"query": "//TOR Node Network Indicators - Block Recommended\nlet timeFrame= 5m;\nCyfirmaIndicators_CL \n| where ConfidenceScore >= 80\n and TimeGenerated between (ago(timeFrame) .. now())\n and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'TOR'\n| extend IPv4 = extract(@\"ipv4-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend IPv6 = extract(@\"ipv6-addr:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend URL = extract(@\"url:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend Domain = extract(@\"domain-name:value\\s*=\\s*'([^']+)'\", 1, pattern)\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n extension_id = extensionKeyStr,\n ASN_Owner = props.asn_owner,\n ASN = props.asn,\n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| project\n IPv4,\n IPv6,\n URL,\n Domain,\n ThreatActors,\n RecommendedActions,\n Sources,\n Roles,\n Country,\n IPAbuse,\n name,\n Description,\n ConfidenceScore,\n IndicatorID,\n created,\n modified,\n valid_from,\n Tags,\n ThreatType,\n TimeGenerated,\n SecurityVendors,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [
"T1090.003",
"T1048.002",
"T1071.001",
"T1505.003",
"T1595.002"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": true,
"tactics": [
"CommandAndControl",
"Exfiltration",
"InitialAccess",
"Persistence",
"Reconnaissance"
],
"techniques": [
"T1048",
"T1071",
"T1090",
"T1189",
"T1505",
"T1572",
"T1595"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}