Red Canary Threat Detection
This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.
Triggers Incidents using detection data assembled by Red Canary.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566 Phishing |
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1547 Boot or Logon Autostart Execution |
| Privilege Escalation | T1547 Boot or Logon Autostart Execution, T1548 Abuse Elevation Control Mechanism |
| Defense Evasion | T1562 Impair Defenses |
| Credential Access | T1003 OS Credential Dumping |
| Discovery | T1087 Account Discovery |
| Lateral Movement | T1021 Remote Services |
| Collection | T1119 Automated Collection |
| Command & Control | T1071 Application Layer Protocol |
| Exfiltration | T1041 Exfiltration Over C2 Channel |
| Impact | T1499 Endpoint Denial of Service |
Rule body

```yaml
id: 6d263abb-6445-45cc-93e9-c593d3d77b89
kind: Scheduled
name: Red Canary Threat Detection
description: Triggers Incidents using detection data assembled by Red Canary.
severity: High
requiredDataConnectors:
  - connectorId: RedCanaryDataConnector
    dataTypes:
      - RedCanaryDetections_CL
queryPeriod: 5m
queryFrequency: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - CommandAndControl
  - CredentialAccess
  - DefenseEvasion
  - Discovery
  - Execution
  - Exfiltration
  - Impact
  - InitialAccess
  - LateralMovement
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1566
  - T1059
  - T1547
  - T1548
  - T1562
  - T1003
  - T1087
  - T1021
  - T1119
  - T1071
  - T1041
  - T1499
query: |
  RedCanaryDetections_CL
  | extend process_ioc_array = todynamic(process_iocs_s),
      child_process_ioc_array = todynamic(child_process_iocs_s),
      cross_process_ioc_array = todynamic(cross_process_iocs_s),
      file_mod_ioc_array = todynamic(file_modification_iocs_s),
      identities_array = todynamic(identities_s)
  | extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
  | mv-expand entities
  | evaluate bag_unpack(entities)
  | extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
  | mv-expand file_hash_array
  | evaluate bag_unpack(file_hash_array, 'file_hash_')
  | project detection_id_s = column_ifexists('detection_id_s', ''),
      detection_url_s = column_ifexists('detection_url_s', ''),
      detection_headline_s = column_ifexists('detection_headline_s', ''),
      detection_details_s = column_ifexists('detection_details_s', ''),
      detection_severity_s = column_ifexists('detection_severity_s', ''),
      host_name_s = column_ifexists('host_name_s', ''),
      host_full_name_s = column_ifexists('host_full_name_s', ''),
      host_os_family_s = column_ifexists('host_os_family_s', ''),
      host_os_version_s = column_ifexists('host_os_version_s', ''),
      tactics_s = column_ifexists('tactics_s', ''),
      process_id = column_ifexists('process_id', ''),
      process_command_line = column_ifexists('process_command_line', ''),
      process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
      file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
      file_hash_value = column_ifexists('file_hash_value', ''),
      file_directory = column_ifexists('file_directory', ''),
      file_name = column_ifexists('file_name', ''),
      user_name = column_ifexists('user_name', ''),
      user_uid = column_ifexists('user_uid', '')
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: Process
    fieldMappings:
      - identifier: ProcessId
        columnName: process_id
      - identifier: CommandLine
        columnName: process_command_line
      - identifier: CreationTimeUtc
        columnName: process_creation_time_utc
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_name
      - identifier: Sid
        columnName: user_uid
      - identifier: Name
        columnName: user_name
  - entityType: File
    fieldMappings:
      - identifier: Directory
        columnName: file_directory
      - identifier: Name
        columnName: file_name
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: host_name_s
      - identifier: FullName
        columnName: host_full_name_s
      - identifier: OSFamily
        columnName: host_os_family_s
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: file_hash_algorithm
      - identifier: Value
        columnName: file_hash_value
customDetails:
  detection_id: detection_id_s
alertDetailsOverride:
  alertDisplayNameFormat: Red Canary has published Detection-{{detection_id_s}}
  alertDescriptionFormat: |
    Red Canary has published a {{detection_severity_s}} severity detection with details:
    {{detection_details_s}}
    View the Detection at: {{detection_url_s}}
  alertTacticsColumnName: tactics_s
  alertSeverityColumnName: detection_severity_s
version: 1.0.1
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5m
    matchingMethod: Selected
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - detection_id
```
Stages and Predicates

Stage 1: source

```kusto
RedCanaryDetections_CL
```

Stage 2: extend

```kusto
| extend process_ioc_array = todynamic(process_iocs_s),
    child_process_ioc_array = todynamic(child_process_iocs_s),
    cross_process_ioc_array = todynamic(cross_process_iocs_s),
    file_mod_ioc_array = todynamic(file_modification_iocs_s),
    identities_array = todynamic(identities_s)
```

Stage 3: extend

```kusto
| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)
```

Stage 4: mv-expand

```kusto
| mv-expand entities
```

Stage 5: evaluate

```kusto
| evaluate bag_unpack(entities)
```

Stage 6: extend

```kusto
| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))
```

Stage 7: mv-expand

```kusto
| mv-expand file_hash_array
```

Stage 8: evaluate

```kusto
| evaluate bag_unpack(file_hash_array, 'file_hash_')
```

Stage 9: project

```kusto
| project detection_id_s = column_ifexists('detection_id_s', ''),
    detection_url_s = column_ifexists('detection_url_s', ''),
    detection_headline_s = column_ifexists('detection_headline_s', ''),
    detection_details_s = column_ifexists('detection_details_s', ''),
    detection_severity_s = column_ifexists('detection_severity_s', ''),
    host_name_s = column_ifexists('host_name_s', ''),
    host_full_name_s = column_ifexists('host_full_name_s', ''),
    host_os_family_s = column_ifexists('host_os_family_s', ''),
    host_os_version_s = column_ifexists('host_os_version_s', ''),
    tactics_s = column_ifexists('tactics_s', ''),
    process_id = column_ifexists('process_id', ''),
    process_command_line = column_ifexists('process_command_line', ''),
    process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),
    file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),
    file_hash_value = column_ifexists('file_hash_value', ''),
    file_directory = column_ifexists('file_directory', ''),
    file_name = column_ifexists('file_name', ''),
    user_name = column_ifexists('user_name', ''),
    user_uid = column_ifexists('user_uid', '')
```
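The stage breakdown is easier to reason about when you can watch one connector row fan out. The following Python simulation of the pipeline is an added example, not part of the rule, the Red Canary connector, or this page's KQL: it constructs a single RedCanaryDetections_CL row, runs the equivalent of stages 2 through 9 over it, and then applies the incident grouping on the detection_id custom detail. The field names inside the IOC JSON arrays (process_id, file_hashes with algorithm and value, file_directory, user_name, and so on) are inferred from the columns the project stage expects, not taken from a connector schema, and the simulation assumes that mv-expand over an empty or missing array keeps the row with a null value, which is what lets identity and file-modification entities (which carry no file_hashes) reach the project stage.

```python
"""Simulate the Red Canary analytic rule's KQL stages over constructed rows (added example)."""
import json
from collections import defaultdict
from typing import Any, Dict, Iterable, List

# Columns the project stage emits; column_ifexists(..., '') supplies '' when absent.
PROJECTED = [
    "detection_id_s", "detection_url_s", "detection_headline_s", "detection_details_s",
    "detection_severity_s", "host_name_s", "host_full_name_s", "host_os_family_s",
    "host_os_version_s", "tactics_s", "process_id", "process_command_line",
    "process_creation_time_utc", "file_hash_algorithm", "file_hash_value",
    "file_directory", "file_name", "user_name", "user_uid",
]
# The five JSON-encoded IOC columns that stage 3 concatenates into `entities`.
IOC_COLUMNS = ["process_iocs_s", "child_process_iocs_s", "cross_process_iocs_s",
               "file_modification_iocs_s", "identities_s"]

# Constructed sample row. Nothing here is real Red Canary data; the inner IOC
# field names are assumed from the columns the rule projects.
SAMPLE_ROW: Dict[str, Any] = {
    "detection_id_s": "DET-EXAMPLE-1",
    "detection_url_s": "https://example.invalid/detections/DET-EXAMPLE-1",
    "detection_headline_s": "Constructed example detection",
    "detection_details_s": "Script interpreter launched from a user profile directory.",
    "detection_severity_s": "High",
    "host_name_s": "ws-example-01",
    "host_full_name_s": "ws-example-01.corp.example",
    "host_os_family_s": "Windows",
    "host_os_version_s": "10.0.19045",
    "tactics_s": "Execution",
    "process_iocs_s": json.dumps([{
        "process_id": "4120",
        "process_command_line": "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1",
        "process_creation_time_utc": "2024-01-01T12:00:00Z",
        "file_hashes": [{"algorithm": "sha256", "value": "aa" * 32},
                        {"algorithm": "md5", "value": "bb" * 16}],
    }]),
    "child_process_iocs_s": "[]",
    "cross_process_iocs_s": "[]",
    "file_modification_iocs_s": json.dumps([
        {"file_directory": "C:\\Users\\alice\\AppData\\Local\\Temp", "file_name": "stage.ps1"}]),
    "identities_s": json.dumps([{"user_name": "CORP\\alice", "user_uid": "S-1-5-21-EXAMPLE-1001"}]),
}


def todynamic(text: Any) -> List[Dict[str, Any]]:
    """Stage 2: parse a JSON-encoded array; a missing or blank column becomes []."""
    if not text:
        return []
    value = json.loads(text)
    return value if isinstance(value, list) else [value]


def mv_expand(rows: Iterable[Dict[str, Any]], column: str) -> Iterable[Dict[str, Any]]:
    """Stages 4 and 7: one output row per array element. An empty array yields a
    single row with the column set to None (the behaviour this simulation assumes)."""
    for row in rows:
        for item in (row.get(column) or [None]):
            yield {**row, column: item}


def bag_unpack(rows: Iterable[Dict[str, Any]], column: str, prefix: str = "") -> Iterable[Dict[str, Any]]:
    """Stages 5 and 8: lift each key of the property bag into its own (prefixed) column."""
    for row in rows:
        out = {k: v for k, v in row.items() if k != column}
        for k, v in (row.get(column) or {}).items():
            out[prefix + k] = v
        yield out


def run_rule(source_rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run stages 2-9 and return the projected rows, one alert each (AlertPerResult)."""
    staged = []
    for src in source_rows:
        entities: List[Dict[str, Any]] = []
        for col in IOC_COLUMNS:
            entities.extend(todynamic(src.get(col)))  # stage 3: array_concat
        staged.append({**src, "entities": entities})
    rows = bag_unpack(mv_expand(staged, "entities"), "entities")
    # Stage 6: column_ifexists('file_hashes', '[]') -> empty array when the entity has none.
    rows = ({**r, "file_hash_array": r.get("file_hashes") or []} for r in rows)
    rows = bag_unpack(mv_expand(rows, "file_hash_array"), "file_hash_array", "file_hash_")
    return [{c: ("" if r.get(c) is None else r[c]) for c in PROJECTED} for r in rows]


def group_incidents(alert_rows: Iterable[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """incidentConfiguration: groupByCustomDetails detection_id folds the per-row
    alerts of one detection back into a single incident (within the 5m lookback)."""
    incidents: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for r in alert_rows:
        incidents[r["detection_id_s"]].append(r)
    return dict(incidents)


if __name__ == "__main__":
    alerts = run_rule([SAMPLE_ROW])
    for a in alerts:
        print({k: v for k, v in a.items() if v and not k.startswith(("detection_", "host_"))})
    print(f"{len(alerts)} alerts -> {len(group_incidents(alerts))} incident(s)")
```

For the constructed row the one detection becomes four projected rows (two for the process, one per hash; one for the file modification; one for the identity), so AlertPerResult raises four alerts that the detection_id grouping collapses into a single incident. That is also why a detection with no IOC arrays at all still produces exactly one row with every entity column empty rather than being dropped.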
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| detection_details_s | project |
| detection_headline_s | project |
| detection_id_s | project |
| detection_severity_s | project |
| detection_url_s | project |
| file_directory | project |
| file_hash_algorithm | project |
| file_hash_value | project |
| file_name | project |
| host_full_name_s | project |
| host_name_s | project |
| host_os_family_s | project |
| host_os_version_s | project |
| process_command_line | project |
| process_creation_time_utc | project |
| process_id | project |
| tactics_s | project |
| user_name | project |
| user_uid | project |