
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule

This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.

Status
available
Severity
high
Time window
5m
Source
github.com/Azure/Azure-Sentinel

"This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application attacks. Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."

MITRE ATT&CK coverage

Rule body (kusto)

id: 7ff6f6d7-9672-4567-99fc-cb8a58c3bce7
name: CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule
description: |
  "This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure.
  The IP has been previously associated with hacking activity and web application attacks.
  Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."
version: 1.0.1
kind: Scheduled
severity: High
requiredDataConnectors:
  - connectorId: CyfirmaAttackSurfaceAlertsConnector
    dataTypes:
      - CyfirmaASDomainIPReputationAlerts_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
  - CommandAndControl
  - Reconnaissance
  - Impact
  - DefenseEvasion
  - Exfiltration
relevantTechniques:
  - T1566.002
  - T1071.001
  - T1090.002
  - T1595.002
  - T1036.005
  - T1499
  - T1041
query: |
  // High Severity - Malicious Domain/IP Reputation Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPReputationAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Categories=categories,
      IPversion=ip_version,
      ISP=isp,
      ThreatActors=threat_actors,
      Country=country,
      LastUsersReported=last_users_reported,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Categories,
      IPversion,
      ISP,
      ThreatActors,
      Country,
      LastUsersReported,
      ProviderName,
      ProductName
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: Domain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: TopDomain
      - identifier: DnsDomain
        columnName: Domain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: NetworkIP
customDetails:
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  LastUsersReported: LastUsersReported
  AlertUID: AlertUID
  UID: UID
  Categories: Categories
  IPversion: IPversion
  ThreatActors: ThreatActors
  Country: Country
  ISP: ISP
alertDetailsOverride:
  alertDisplayNameFormat: "CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} "
  alertDescriptionFormat: "CYFIRMA - High Severity Malicious Domain/IP Reputation Alert - Domain: {{Domain}}, IP: {{NetworkIP}} "
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
eventGroupingSettings:
  aggregationKind: AlertPerResult

Stages and Predicates

Parameters

let timeFrame = 5m;

Stage 1: source

CyfirmaASDomainIPReputationAlerts_CL

Stage 2: where

| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())

Stage 3: extend

| extend
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Categories=categories,
    IPversion=ip_version,
    ISP=isp,
    ThreatActors=threat_actors,
    Country=country,
    LastUsersReported=last_users_reported,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'

Stage 4: project

| project
    TimeGenerated,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Categories,
    IPversion,
    ISP,
    ThreatActors,
    Country,
    LastUsersReported,
    ProviderName,
    ProductName

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule.

Field      Kind   Values
severity   eq     Critical   (transforms: cased)
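The indicator table marks the severity match as cased: `==` in Kusto is case-sensitive, so a row the connector logged as `critical` or `CRITICAL` would never trigger this rule. As an added example, not code from the Azure-Sentinel repository, the two queries below (run them separately) first audit which casings actually appear in the custom log and then show a hardened variant of the rule's filter; keying the window on `ingestion_time()` is an assumption about tolerating ingestion delay, not part of the published rule.

```kusto
// Added example, not part of the published rule.
// Query 1: audit the severity values present before trusting a case-sensitive match.
CyfirmaASDomainIPReputationAlerts_CL
| where TimeGenerated > ago(30d)
| summarize Rows = count(), Casings = make_set(severity) by NormalizedSeverity = tolower(severity)
| order by Rows desc

// Query 2: hardened filter. =~ is case-insensitive, and bounding the window on
// ingestion_time() (assumption) keeps rows that arrived late but still fall inside
// the 5m scheduled run, which a TimeGenerated-only window would silently drop.
let timeFrame = 5m;
CyfirmaASDomainIPReputationAlerts_CL
| where severity =~ 'Critical'
| where ingestion_time() between (ago(timeFrame) .. now())
| project TimeGenerated, Domain = sub_domain, TopDomain = top_domain,
          NetworkIP = ip, RiskScore = risk_score, Country = country
```

If Query 1 returns more than one casing for the same normalized value, the published `== 'Critical'` filter is under-reporting and the `=~` form (or a normalized severity column) should be used instead.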

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection, and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field               Source
AlertUID            project
Categories          project
Country             project
Domain              project
FirstSeen           project
IPversion           project
ISP                 project
LastSeen            project
LastUsersReported   project
NetworkIP           project
ProductName         project
ProviderName        project
RiskScore           project
ThreatActors        project
TimeGenerated       project
TopDomain           project
UID                 project