sentinel-attack
alert rules that correlate to Threat Intelligence
trafficstars
hi
The default alert rules in Sentinel for Threat Intelligence use the security event 4688 as a source. Would it be possible to rewrite this rule so I can use Sysmon EventID 1 instead? From our tests, using security events with Azure Sentinel, even with the lowest setting, generates a huge amount of logs and thus costs.

Below is the original query that relies on EventID 4688:
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(FileHashValue)
| join (
    SecurityEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | where EventID in ("8003","8002","8005")
    | where isnotempty(FileHash)
    | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
)
on $left.FileHashValue == $right.FileHash
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
In EventID 1 of Sysmon the hashes are not explicitly separated out. Can this be "handled", or will I need to amend the sysmon_OSSEM function first / also?

Below is the result from the Azure Sentinel log query for EventID 1:
| Field | Value |
| -- | -- |
| TimeGenerated [UTC] | 2019-11-19T12:30:41.82Z |
| Source | Microsoft-Windows-Sysmon |
| EventID | 1 |
| Computer | XXXXX |
| UserName | NT AUTHORITY\SYSTEM |
| RenderedDescription | Process Create |
| event_creation_time | 2019-11-19T12:30:41.7500000Z |
| process_guid | {817354A9-E071-5DD3-0100-00102DD1DA40} |
| process_id | 11828 |
| process_path | CXXXXXXXXXXX |
| file_version | 10.0.14393.0 (rs1_release.160715-1616) |
| file_description | Windows Command Processor |
| file_product | Microsoft® Windows® Operating System |
| file_company | Microsoft Corporation |
| process_commandline | Cmd.Exe |
| file_directory | cmd XXXXXXXXXXXXXXXXXXXX |
| user_name | C:\Program Files\XXXXXXXXXXXXXXXXXXXXXXX |
| user_logon_guid | NT AUTHORITY\SYSTEM |
| user_logon_id | {817354A9-2040-5DB2-0000-0020E7030000} |
| user_session_id | 0x3e7 |
| process_integrity_level | 0 |
| process_parent_guid | SHA1=99AE9C73E9BEE6F9C76D6F4093A9882DF06832CF,MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A |
| process_parent_id | {817354A9-E06A-5DD3-0100-001012D1D840} |
| process_parent_path | 8608 |
| process_parent_command_line | C:\Windows\System32\XXXXXXXXXXXXXXX |
| technique_id | T1059 |
| technique_name | Command-Line Interface |
| phase_name | Execution |
It seems to me there is something off here, with the process parent guid containing the file hashes?
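The rewrite the question asks for, as an added example that is not code from the sentinel-attack repo or from the Sentinel rule template. It reads Sysmon EventID 1 from the raw `Event` table rather than from the sysmon_OSSEM parser output shown above (whose hash field is evidently mis-mapped), pulls the combined `Hashes` value out of the `EventData` XML with `extract`, and splits "SHA1=..,MD5=..,SHA256=..,IMPHASH=.." into one row per algorithm so any hash type in the indicator feed can match. Assumptions: Sysmon is collected into `Event` with `Source == "Microsoft-Windows-Sysmon"`, the indicator feed carries MD5/SHA-1/SHA-256 in `FileHashValue` (so IMPHASH is dropped), and both sides are upper-cased because Sysmon emits upper-case hex while many TI feeds deliver lower-case.

```kql
// Added example (not the project's own rule): TI file-hash indicators joined to
// Sysmon EventID 1 instead of SecurityEvent. Column and field names are assumptions
// documented in the lead-in above.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
// Sysmon process-create events, one row per (event, hash algorithm).
let SysmonProcessCreate = Event
| where TimeGenerated >= ago(dt_lookBack)
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
// EventData is the raw event XML; each Sysmon field is a <Data Name="..."> element.
| extend Hashes      = extract(@'<Data Name="Hashes">([^<]+)</Data>', 1, EventData),
         Process     = extract(@'<Data Name="Image">([^<]+)</Data>', 1, EventData),
         CommandLine = extract(@'<Data Name="CommandLine">([^<]+)</Data>', 1, EventData),
         ProcessUser = extract(@'<Data Name="User">([^<]+)</Data>', 1, EventData)
| where isnotempty(Hashes)
// "SHA1=..,MD5=..,SHA256=..,IMPHASH=.." -> one row per "ALG=VALUE" entry
| extend HashEntry = split(Hashes, ",")
| mv-expand HashEntry to typeof(string)
| extend HashAlgorithm = toupper(tostring(split(HashEntry, "=")[0])),
         FileHash      = toupper(tostring(split(HashEntry, "=")[1]))
// IMPHASH is not a file-content hash; assumed absent from FileHashValue in the feed.
| where HashAlgorithm in ("MD5", "SHA1", "SHA256")
| extend Sysmon_TimeGenerated = TimeGenerated;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(FileHashValue)
// Normalise case so lower-case feed values still match Sysmon's upper-case hex.
| extend FileHashValue = toupper(FileHashValue)
| join (SysmonProcessCreate) on $left.FileHashValue == $right.FileHash
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType,
          ExpirationDateTime, ConfidenceScore, Sysmon_TimeGenerated, Process, CommandLine,
          HashAlgorithm, FileHash, Computer, ProcessUser
| extend timestamp = Sysmon_TimeGenerated, AccountCustomEntity = ProcessUser, HostCustomEntity = Computer
```

Two things to check before using this as a scheduled rule: confirm in your workspace that `Hashes` actually appears in `EventData` (it is only present for the algorithms enabled in the Sysmon configuration's `HashAlgorithms` setting), and keep in mind that values pulled with `extract` are still XML-escaped, so a command line containing `&` will show `&amp;`; that does not affect the hash match but does affect what the alert displays.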