Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Back
Idd804b39c-03a4-417c-a949-bdbf21fa3305
Rulename[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsAWSS3
AzureMonitor(IIS)
AzureMonitor(WireData)
CEF
CheckPoint
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
F5
Fortinet
GCPDNSDataConnector
InfobloxNIOS
MicrosoftSysmonForLinux
NXLogDnsLogs
PaloAltoNetworks
SecurityEvents
WindowsFirewall
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml
Version2.0.0
Arm templated804b39c-03a4-417c-a949-bdbf21fa3305.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
let file_paths = (iocs | where Type =~ "filepath" | project IoC);
let sha256s = (iocs | where Type =~ "sha256" | project IoC);
let ips = (iocs | where Type =~ "ip" | project IoC);
let domains = (iocs | where Type =~ "domainname" | project IoC);
let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where ObjectName in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(WindowsEvent
| where EventID == 4663 and EventData has_any (file_paths)
| extend ObjectName = tostring(EventData.ObjectName) 
| where ObjectName in (file_paths)
| extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(imFileEvent
| where TargetFileName in (file_paths)
  or
  TargetFileSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where FolderPath in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(DeviceEvents
| where InitiatingProcessSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
  (CommonSecurityLog
| where FileHash in (sha256s)
| extend timestamp = TimeGenerated
),
(Event // File iocs
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (sha256s)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
| extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(WireData
| where isnotempty(RemoteIP)
| where RemoteIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
),
(W3CIISLog
| where isnotempty(cIP)
| where cIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(
WindowsFirewall
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(
  _Im_NetworkSession(srcipaddr_has_any_prefix=ips) 
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
  (
  _Im_NetworkSession(dstipaddr_has_any_prefix=ips) 
  | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(_Im_Dns(domain_has_any=dyndomains)
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
)
triggerOperator: gt
queryFrequency: 1h
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: AWSS3
  datatypes:
  - AWSVPCFlow
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: AzureMonitor(IIS)
  dataTypes:
  - W3CIISLog
- connectorId: AzureMonitor(WireData)
  dataTypes:
  - WireData
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog (CheckPoint)
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog (Cisco)
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
- connectorId: F5
  dataTypes:
  - CommonSecurityLog (F5)
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog (Fortinet)
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog (PaloAlto)
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsFirewall
  dataTypes:
  - WindowsFirewall
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
version: 2.0.0
queryPeriod: 1h
name: '[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml
id: d804b39c-03a4-417c-a949-bdbf21fa3305
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
- Schema: ASIMFileEvent
  SchemaVersion: 0.1.0
tactics:
- InitialAccess
relevantTechniques:
- T1190
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
query: |
  let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
  [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
  let file_paths = (iocs | where Type =~ "filepath" | project IoC);
  let sha256s = (iocs | where Type =~ "sha256" | project IoC);
  let ips = (iocs | where Type =~ "ip" | project IoC);
  let domains = (iocs | where Type =~ "domainname" | project IoC);
  let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
  union isfuzzy=true
  (SecurityEvent
  | where EventID == 4663
  | where ObjectName in (file_paths)
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (WindowsEvent
  | where EventID == 4663 and EventData has_any (file_paths)
  | extend ObjectName = tostring(EventData.ObjectName) 
  | where ObjectName in (file_paths)
  | extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (imFileEvent
  | where TargetFileName in (file_paths)
    or
    TargetFileSHA256 in (sha256s)
  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
  ),
  (DeviceFileEvents
  | where FolderPath in (file_paths)
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
  ),
  (DeviceEvents
  | where InitiatingProcessSHA256 in (sha256s)
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
  ),
    (CommonSecurityLog
  | where FileHash in (sha256s)
  | extend timestamp = TimeGenerated
  ),
  (Event // File iocs
  //This query uses sysmon data depending on table name used this may need updating
  | where Source == "Microsoft-Windows-Sysmon"
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend Hashes = EventDetail.[16].["#text"]
  | where isnotempty(Hashes)
  | parse Hashes with * 'SHA256=' SHA256 ',' *
  | where SHA256 in~ (sha256s)
  | extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (CommonSecurityLog
  | where isnotempty(SourceIP) or isnotempty(DestinationIP)
  | where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
  | extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 3
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
  | where SourceIP in (ips) or DestinationIP in (ips)
  | extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
  ),
  (WireData
  | where isnotempty(RemoteIP)
  | where RemoteIP in (ips)
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
  ),
  (W3CIISLog
  | where isnotempty(cIP)
  | where cIP in (ips)
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
  ),
  (
  WindowsFirewall
  | where SourceIP in (ips) or DestinationIP in (ips)
  | extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
  ),
  (
    _Im_NetworkSession(srcipaddr_has_any_prefix=ips) 
    | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
  ),
    (
    _Im_NetworkSession(dstipaddr_has_any_prefix=ips) 
    | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
  ),
  (_Im_Dns(domain_has_any=dyndomains)
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
  )  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
      "properties": {
        "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml",
        "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(WindowsEvent\n| where EventID == 4663 and EventData has_any (file_paths)\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName in (file_paths)\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \"\\\\\", tostring(EventData.SubjectUserName))\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n  or\n  TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n  (CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event // File iocs\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\n  _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \n  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n  (\n  _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \n  | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n(_Im_Dns(domain_has_any=dyndomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          },
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}