detection.wiki

Detection rules › Kusto

Medium severity malicious activity detected

Status
available
Severity
medium
Time window
1d
Group by
SourceIp, ThreatCategory
Source
github.com/Azure/Azure-Sentinel

Identifies medium severity malicious activity in Azure Firewall IDPS logs.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1204 User Execution
StealthT1036 Masquerading
ImpactT1496 Resource Hijacking

Rule body kusto

id: dfbe3963-42fb-4ebe-a00c-1cc44e2aa9f0
name: Medium severity malicious activity detected
description: |
  Identifies medium severity malicious activity in Azure Firewall IDPS logs.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AZFWIdpsSignature
queryFrequency: 1h
queryPeriod: 24h     
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Execution
  - DefenseEvasion
  - Impact
relevantTechniques:
  - T1496
  - T1204
  - T1036
query: |
  let TimeWindow   = 90d;    
  let HitThreshold = 10;
  let MinSeverity  = 2;
  let EnableCategoryFilter    = true;
  let EnableDescriptionFilter = false;
  let EnableActionFilter      = false;
  let CategoriesOfInterest = dynamic([
      "Possibly Unwanted Program Detected",
      "Possible Social Engineering Attempted",
      "Crypto Currency Mining Activity Detected",
      "A suspicious filename was detected",
      "A system call was detected"
  ]);
  let DescriptionsOfInterest = dynamic([
      "pup-activity",
      "social-engineering",
      "coin-mining",
      "suspicious-filename-detect",
      "system-call-detect"
  ]);
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  | summarize
      StartTime   = min(TimeGenerated),
      EndTime     = max(TimeGenerated),
      TotalHits   = count(),
      MaxSeverity = max(Severity),
      Actions     = make_set(Action, 5),
      Signatures  = make_set(SignatureId, 20),
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  | order by MaxSeverity desc, TotalHits desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
version: 1.0.1
kind: Scheduled

Stages and Predicates

Parameters

let TimeWindow = 90d;
let HitThreshold = 10;
let MinSeverity = 2;
let EnableCategoryFilter = true;
let EnableDescriptionFilter = false;
let EnableActionFilter = false;
let MatchActions = dynamic(["Deny", "alert"]);

Let binding: CategoriesOfInterest

let CategoriesOfInterest = dynamic([
    "Possibly Unwanted Program Detected",
    "Possible Social Engineering Attempted",
    "Crypto Currency Mining Activity Detected",
    "A suspicious filename was detected",
    "A system call was detected"
]);

Let binding: DescriptionsOfInterest

let DescriptionsOfInterest = dynamic([
    "pup-activity",
    "social-engineering",
    "coin-mining",
    "suspicious-filename-detect",
    "system-call-detect"
]);

Stage 1: source

AZFWIdpsSignature

Stage 2: where

| where TimeGenerated >= ago(TimeWindow)

Stage 3: where

| where Severity >= MinSeverity

Stage 4: where

| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))

References CategoriesOfInterest (defined above).

Stage 5: where

| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))

References DescriptionsOfInterest (defined above).

Stage 6: where

| where (EnableActionFilter == false) or (Action in~ (MatchActions))

Stage 7: summarize

| summarize
    StartTime   = min(TimeGenerated),
    EndTime     = max(TimeGenerated),
    TotalHits   = count(),
    MaxSeverity = max(Severity),
    Actions     = make_set(Action, 5),
    Signatures  = make_set(SignatureId, 20),
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category
Threshold
ge 10

Stage 8: where

| where TotalHits >= HitThreshold

Stage 9: project

| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description

Stage 10: sort

| order by MaxSeverity desc, TotalHits desc

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Actionin
  • Deny
  • alert
Categorymatch
  • A suspicious filename was detected
  • A system call was detected
  • Crypto Currency Mining Activity Detected
  • Possible Social Engineering Attempted
  • Possibly Unwanted Program Detected
Descriptionmatch
  • coin-mining
  • pup-activity
  • social-engineering
  • suspicious-filename-detect
  • system-call-detect
Severityge
  • 2 transforms: cased
TotalHitsge
  • 10 transforms: cased

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Actionsproject
Descriptionproject
EndTimeproject
MaxSeverityproject
Signaturesproject
SourceIpproject
StartTimeproject
ThreatCategoryproject
TotalHitsproject