[Deprecated] - Midnight Blizzard - Domain Hash and IP IOCs - May 2021
| Id | 677da133-e487-4108-a150-5b926591a92b |
| Rulename | [Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | Medium |
| Tactics | CommandAndControl Execution |
| Techniques | T1102.002 T1204.001 |
| Required data connectors | AWSS3 AzureFirewall AzureMonitor(VMInsights) CEF CheckPoint CiscoASA CiscoUmbrellaDataConnector Corelight DNS F5 Fortinet GCPDNSDataConnector InfobloxNIOS MicrosoftSysmonForLinux MicrosoftThreatProtection NXLogDnsLogs Office365 PaloAltoNetworks SecurityEvents SquidProxy WindowsFirewall WindowsForwardedEvents Zscaler |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml |
| Version | 2.0.0 |
| Arm template | 677da133-e487-4108-a150-5b926591a92b.json |
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv"] with (format="csv", ignoreFirstRecord=True);
let sha256s = (iocs | where Type =~ "SHA256"| project IoC);
let ips = (iocs | where Type =~ "IP"| project IoC);
let IPList = dynamic(["192.99.221.77","83.171.237.173"]);
let ips_list=toscalar(ips | summarize makeset(IoC));
let full_ip_list= array_concat(ips_list, IPList);
let domains = (iocs | where Type =~ "Domain"| project IoC);
let domain_list=toscalar(domains | summarize make_set(IoC));
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let sha256Hashes = dynamic(["2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916",
"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0",
"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c",
"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"]);
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (domains), "RequestUrl", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", MessageIP in (IPList), "Message", "NoMatch")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
),
(_Im_Dns (domain_has_any=todynamic(domain_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", SourceIp in (ips), "SourceIP", DestinationIp in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
),
(OfficeActivity
| where ClientIP in (IPList) or ClientIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
),
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)
| extend IPMatch = "SourceIP"
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User
),
(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)
| extend IPMatch = "DestinationIP"
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User
),
(_Im_WebSession(url_has_any=domains)
| extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)
| extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = Fqdn
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
),
(Event
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(CommonSecurityLog
| where FileHash in (sha256Hashes) or FileHash in (sha256s)
| extend timestamp = TimeGenerated
)
)
triggerOperator: gt
queryFrequency: 6h
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: AWSS3
datatypes:
- AWSVPCFlow
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
- connectorId: SquidProxy
dataTypes:
- SquidProxy_CL
- connectorId: MicrosoftSysmonForLinux
dataTypes:
- Syslog
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: F5
dataTypes:
- CommonSecurityLog
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: CEF
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- DeviceFileEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: Office365
dataTypes:
- OfficeActivity
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWDnsQuery
- connectorId: WindowsFirewall
dataTypes:
- WindowsFirewall
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
version: 2.0.0
queryPeriod: 6h
name: '[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml
id: 677da133-e487-4108-a150-5b926591a92b
tags:
- Midnight Blizzard
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
tactics:
- CommandAndControl
- Execution
relevantTechniques:
- T1102.002
- T1204.001
severity: Medium
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
- fieldMappings:
- identifier: DomainName
columnName: DNSName
entityType: DNS
query: |
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv"] with (format="csv", ignoreFirstRecord=True);
let sha256s = (iocs | where Type =~ "SHA256"| project IoC);
let ips = (iocs | where Type =~ "IP"| project IoC);
let IPList = dynamic(["192.99.221.77","83.171.237.173"]);
let ips_list=toscalar(ips | summarize makeset(IoC));
let full_ip_list= array_concat(ips_list, IPList);
let domains = (iocs | where Type =~ "Domain"| project IoC);
let domain_list=toscalar(domains | summarize make_set(IoC));
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let sha256Hashes = dynamic(["2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916",
"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0",
"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c",
"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"]);
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (domains), "RequestUrl", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", MessageIP in (IPList), "Message", "NoMatch")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
),
(_Im_Dns (domain_has_any=todynamic(domain_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", SourceIp in (ips), "SourceIP", DestinationIp in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
),
(OfficeActivity
| where ClientIP in (IPList) or ClientIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
),
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)
| extend IPMatch = "SourceIP"
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User
),
(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)
| extend IPMatch = "DestinationIP"
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User
),
(_Im_WebSession(url_has_any=domains)
| extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)
| extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = Fqdn
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
),
(Event
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(CommonSecurityLog
| where FileHash in (sha256Hashes) or FileHash in (sha256s)
| extend timestamp = TimeGenerated
)
)
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/677da133-e487-4108-a150-5b926591a92b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/677da133-e487-4108-a150-5b926591a92b')]",
"properties": {
"alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSName",
"identifier": "DomainName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml",
"query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet ips_list=toscalar(ips | summarize makeset(IoC));\nlet full_ip_list= array_concat(ips_list, IPList);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet domain_list=toscalar(domains | summarize make_set(IoC));\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(_Im_Dns (domain_has_any=todynamic(domain_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\n | extend IPMatch = \"SourceIP\"\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\n),\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\n | extend IPMatch = \"DestinationIP\"\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\n),\n(_Im_WebSession(url_has_any=domains)\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution"
],
"tags": [
"Midnight Blizzard",
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1102",
"T1204"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}