Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Known Phosphorus group domains/IP

Back
Id155f40c6-610d-497d-85fc-3cf06ec13256
RulenameKnown Phosphorus group domains/IP
DescriptionMatches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.

References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
NXLogDnsLogs
Office365
PaloAltoNetworks
SquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml
Version1.5.1
Arm template155f40c6-610d-497d-85fc-3cf06ec13256.json
Deploy To Azure
let DomainNames = dynamic(["yahoo-verification.org","support-servics.com","verification-live.com","com-mailbox.com","com-myaccuants.com","notification-accountservice.com",
"accounts-web-mail.com","customer-certificate.com","session-users-activities.com","user-profile-credentials.com","verify-linke.com","support-servics.net","verify-linkedin.net",
"yahoo-verification.net","yahoo-verify.net","outlook-verify.net","com-users.net","verifiy-account.net","te1egram.net","account-verifiy.net","myaccount-services.net",
"com-identifier-servicelog.name","microsoft-update.bid","outlook-livecom.bid","update-microsoft.bid","documentsfilesharing.cloud","com-microsoftonline.club",
"confirm-session-identifier.info","session-management.info","confirmation-service.info","document-share.info","broadcast-news.info","customize-identity.info","webemail.info",
"com-identifier-servicelog.info","documentsharing.info","notification-accountservice.info","identifier-activities.info","documentofficupdate.info","recoveryusercustomer.info",
"serverbroadcast.info","account-profile-users.info","account-service-management.info","accounts-manager.info","activity-confirmation-service.info","com-accountidentifier.info",
"com-privacy-help.info","com-sessionidentifier.info","com-useraccount.info","confirmation-users-service.info","confirm-identity.info","confirm-session-identification.info",
"continue-session-identifier.info","customer-recovery.info","customers-activities.info","elitemaildelivery.info","email-delivery.info","identify-user-session.info",
"message-serviceprovider.info","notificationapp.info","notification-manager.info","recognized-activity.info","recover-customers-service.info","recovery-session-change.info",
"service-recovery-session.info","service-session-continue.info","session-mail-customers.info","session-managment.info","session-verify-user.info","shop-sellwear.info",
"supportmailservice.info","terms-service-notification.info","user-activity-issues.info","useridentity-confirm.info","users-issue-services.info","verify-user-session.info",
"login-gov.info","notification-signal-agnecy.info","notifications-center.info","identifier-services-sessions.info","customers-manager.info","session-manager.info",
"customer-managers.info","confirmation-recovery-options.info","service-session-confirm.info","session-recovery-options.info","services-session-confirmation.info",
"notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
"sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
let IPList = dynamic(["51.91.200.147"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
or (isnotempty(Message) and MessageIP in (IPList))
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch")
| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
(_Im_Dns (response_has_any_prefix=IPList)
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
(_Im_WebSession(url_has_any=DomainNames)
| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)["Host"]), Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)
| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer),
(OfficeActivity
| extend SourceIPAddress = ClientIP, Account = UserId
| where  SourceIPAddress in (IPList)
| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)  
| extend DNSName = DestinationHost 
| extend IPCustomEntity = SourceHost 
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where  Request_Name  has_any (DomainNames)
| extend DNSName = Request_Name 
| extend IPCustomEntity = ClientIP
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)  
| extend DNSName = Fqdn 
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
)
)
tactics:
- CommandAndControl
severity: High
requiredDataConnectors:
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: Office365
  dataTypes:
  - OfficeActivity
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
triggerOperator: gt
query: |
  let DomainNames = dynamic(["yahoo-verification.org","support-servics.com","verification-live.com","com-mailbox.com","com-myaccuants.com","notification-accountservice.com",
  "accounts-web-mail.com","customer-certificate.com","session-users-activities.com","user-profile-credentials.com","verify-linke.com","support-servics.net","verify-linkedin.net",
  "yahoo-verification.net","yahoo-verify.net","outlook-verify.net","com-users.net","verifiy-account.net","te1egram.net","account-verifiy.net","myaccount-services.net",
  "com-identifier-servicelog.name","microsoft-update.bid","outlook-livecom.bid","update-microsoft.bid","documentsfilesharing.cloud","com-microsoftonline.club",
  "confirm-session-identifier.info","session-management.info","confirmation-service.info","document-share.info","broadcast-news.info","customize-identity.info","webemail.info",
  "com-identifier-servicelog.info","documentsharing.info","notification-accountservice.info","identifier-activities.info","documentofficupdate.info","recoveryusercustomer.info",
  "serverbroadcast.info","account-profile-users.info","account-service-management.info","accounts-manager.info","activity-confirmation-service.info","com-accountidentifier.info",
  "com-privacy-help.info","com-sessionidentifier.info","com-useraccount.info","confirmation-users-service.info","confirm-identity.info","confirm-session-identification.info",
  "continue-session-identifier.info","customer-recovery.info","customers-activities.info","elitemaildelivery.info","email-delivery.info","identify-user-session.info",
  "message-serviceprovider.info","notificationapp.info","notification-manager.info","recognized-activity.info","recover-customers-service.info","recovery-session-change.info",
  "service-recovery-session.info","service-session-continue.info","session-mail-customers.info","session-managment.info","session-verify-user.info","shop-sellwear.info",
  "supportmailservice.info","terms-service-notification.info","user-activity-issues.info","useridentity-confirm.info","users-issue-services.info","verify-user-session.info",
  "login-gov.info","notification-signal-agnecy.info","notifications-center.info","identifier-services-sessions.info","customers-manager.info","session-manager.info",
  "customer-managers.info","confirmation-recovery-options.info","service-session-confirm.info","session-recovery-options.info","services-session-confirmation.info",
  "notification-managers.info","activities-services-notification.info","activities-recovery-options.info","activity-session-recovery.info","customers-services.info",
  "sessions-notification.info","download-teamspeak.info","services-issue-notification.info","microsoft-upgrade.mobi","broadcastnews.pro","mobile-messengerplus.network"]);
  let IPList = dynamic(["51.91.200.147"]);
  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  (union isfuzzy=true
  (CommonSecurityLog
  | parse Message with * '(' DNSName ')' *
  | extend MessageIP = extract(IPRegex, 0, Message)
  | extend RequestURLIP = extract(IPRegex, 0, Message)
  | where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))
  or (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))
  or (isnotempty(Message) and MessageIP in (IPList))
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURLIP in (IPList), "RequestUrl", "NoMatch")
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP,IPMatch == "Message", MessageIP,
  IPMatch == "RequestUrl", RequestURLIP,"NoMatch"), Account = SourceUserID, Host = DeviceName
  ),
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
  (_Im_Dns (response_has_any_prefix=IPList)
  | extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
  (_Im_WebSession(url_has_any=DomainNames)
  | extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)["Host"]), Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),
  (VMConnection
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)
  | where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)
  | extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer),
  (OfficeActivity
  | extend SourceIPAddress = ClientIP, Account = UserId
  | where  SourceIPAddress in (IPList)
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)  
  | extend DNSName = DestinationHost 
  | extend IPCustomEntity = SourceHost 
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallDnsProxy"
  | project TimeGenerated,Resource, msg_s, Type
  | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
  | where  Request_Name  has_any (DomainNames)
  | extend DNSName = Request_Name 
  | extend IPCustomEntity = ClientIP
  ),
  (AZFWApplicationRule
  | where isnotempty(Fqdn)
  | where Fqdn has_any (DomainNames)  
  | extend DNSName = Fqdn 
  | extend IPCustomEntity = SourceIp
  ),
  (AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (DomainNames)
  | extend DNSName = QueryName
  | extend IPCustomEntity = SourceIp
  )
  )  
triggerThreshold: 0
name: Known Phosphorus group domains/IP
kind: Scheduled
version: 1.5.1
description: |
  'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.
  References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.'  
relevantTechniques:
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
status: Available
queryFrequency: 1d
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
id: 155f40c6-610d-497d-85fc-3cf06ec13256
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/155f40c6-610d-497d-85fc-3cf06ec13256')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/155f40c6-610d-497d-85fc-3cf06ec13256')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Known Phosphorus group domains/IP",
        "description": "'Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\",\n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"session-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"session-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == \"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(_Im_WebSession(url_has_any=DomainNames)\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\"Host\"]), Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where  SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames)  \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where  Request_Name  has_any (DomainNames)\n| extend DNSName = Request_Name \n| extend IPCustomEntity = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)  \n| extend DNSName = Fqdn \n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "alertRuleTemplateName": "155f40c6-610d-497d-85fc-3cf06ec13256",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml",
        "templateVersion": "1.5.1",
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "status": "Available"
      }
    }
  ]
}