
alert rules that correlate to Threat Intelligence #24

Open
ssi0202 opened this issue Nov 19, 2019 · 0 comments

ssi0202 commented Nov 19, 2019

hi

The default alert rule in Sentinel for Threat Intelligence uses security event 4688 as a source. Would it be possible to rewrite this rule so I can use Sysmon EventID 1 instead? From our tests, using security events with Azure Sentinel, even with the lowest setting, generates a huge amount of logs and thus costs.

Below is the original query that relies on EventID 4688:

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(FileHashValue)
|  join (
  SecurityEvent | where TimeGenerated >= ago(dt_lookBack)
      | where EventID in ("8003","8002","8005")
      | where isnotempty(FileHash)
      | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
)
on $left.FileHashValue == $right.FileHash
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

In EventID 1 of Sysmon the hashes are not explicitly separated out. Can this be "handled", or will I need to amend the sysmon_OSSEM function first / also?

Below is the result from the Azure Sentinel log query for EventID 1:

Field | Value
-- | --
TimeGenerated [UTC] | 2019-11-19T12:30:41.82Z
Source | Microsoft-Windows-Sysmon
EventID | 1
Computer | XXXXX
UserName | NT AUTHORITY\SYSTEM
RenderedDescription | Process Create
event_creation_time | 2019-11-19T12:30:41.7500000Z
process_guid | {817354A9-E071-5DD3-0100-00102DD1DA40}
process_id | 11828
process_path | CXXXXXXXXXXX
file_version | 10.0.14393.0 (rs1_release.160715-1616)
file_description | Windows Command Processor
file_product | Microsoft® Windows® Operating System
file_company | Microsoft Corporation
process_commandline | Cmd.Exe
file_directory | cmd XXXXXXXXXXXXXXXXXXXX
user_name | C:\Program Files\XXXXXXXXXXXXXXXXXXXXXXX
user_logon_guid | NT AUTHORITY\SYSTEM
user_logon_id | {817354A9-2040-5DB2-0000-0020E7030000}
user_session_id | 0x3e7
process_integrity_level | 0
process_parent_guid | SHA1=99AE9C73E9BEE6F9C76D6F4093A9882DF06832CF,MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
process_parent_id | {817354A9-E06A-5DD3-0100-001012D1D840}
process_parent_path | 8608
process_parent_command_line | C:\Windows\System32\XXXXXXXXXXXXXXX
technique_id | T1059
technique_name | Command-Line Interface
phase_name | Execution

It seems to me there is something off here, with the process parent guid containing the file hashes?
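One way to build the hash match on Sysmon Event ID 1 instead of SecurityEvent 4688, as an added example that is not part of the original issue, of the Sentinel built-in rule, or of the sysmon_OSSEM function. It assumes Sysmon is collected through the Log Analytics agent into the Event table with Source "Microsoft-Windows-Sysmon" and that the EventData XML carries the Sysmon schema fields Image, CommandLine, User and Hashes; it parses EventData directly so it does not depend on the OSSEM column mapping. The Hashes field is split into one row per algorithm so that whichever hash type the TI feed provides can match; column names other than the Sentinel rule's own (FileHashKey, HashAlgorithm, SysmonProcessCreate, SysmonEvent_TimeGenerated) are this example's choices.

```kql
// Added example: TI file-hash match on Sysmon Event ID 1 (Process Create).
// Assumption: Sysmon records sit in the Event table with the raw EventData XML.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// One row per (process, hash algorithm), so SHA1, MD5, SHA256 or IMPHASH
// indicators can all match without knowing the feed's algorithm in advance.
let SysmonProcessCreate =
    Event
    | where TimeGenerated >= ago(dt_lookBack)
    | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
    | parse EventData with * '<Data Name="Image">' Image '</Data>' *
    | parse EventData with * '<Data Name="CommandLine">' CommandLine '</Data>' *
    | parse EventData with * '<Data Name="User">' User '</Data>' *
    | parse EventData with * '<Data Name="Hashes">' Hashes '</Data>' *
    // Hashes looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."; which
    // algorithms appear is set by HashAlgorithms in the Sysmon config.
    | mv-expand HashPair = split(Hashes, ",") to typeof(string)
    | extend HashAlgorithm = tostring(split(HashPair, "=")[0]),
             FileHash = toupper(tostring(split(HashPair, "=")[1]))
    | where isnotempty(FileHash)
    | extend SysmonEvent_TimeGenerated = TimeGenerated, Event = EventID;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(FileHashValue)
// Normalise case: Sysmon emits upper-case hex, many TI feeds emit lower-case.
| extend FileHashKey = toupper(FileHashValue)
| join kind=innerunique (SysmonProcessCreate) on $left.FileHashKey == $right.FileHash
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType,
          ExpirationDateTime, ConfidenceScore, SysmonEvent_TimeGenerated,
          Process = Image, CommandLine, HashAlgorithm, FileHash, Computer, Account = User, Event
| extend timestamp = SysmonEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
```

Two practical checks before relying on this: the Sysmon configuration must hash with the algorithms your TI feed uses (for example `<HashAlgorithms>*</HashAlgorithms>` emits all four), otherwise a SHA256-only feed never matches a host that only records SHA1; and IMPHASH rows will only ever match if the feed actually carries import hashes, so it is safe to filter `HashAlgorithm != "IMPHASH"` if they only add volume. If you would rather keep using the sysmon_OSSEM function, the same split/mv-expand step applies to whichever column the corrected mapping places the Hashes value in.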
