Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Star Blizzard C2 Domains August 2022

Back
Id2149d9bb-8298-444c-8f99-f7bf0274dd05
RulenameStar Blizzard C2 Domains August 2022
DescriptionIdentifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.
SeverityHigh
TacticsInitialAccess
TechniquesT1566
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
MicrosoftThreatProtection
PaloAltoNetworks
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml
Version1.0.5
Arm template2149d9bb-8298-444c-8f99-f7bf0274dd05.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName  in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(DeviceNetworkEvents
| where RemoteUrl  has_any (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(EmailUrlInfo
| where Url has_any (DomainNames)
| join (EmailEvents
| where EmailDirection == "Inbound" ) on NetworkMessageId
| extend IPAddress = SenderIPv4
| extend Account = RecipientEmailAddress
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
description: |
    'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - DeviceNetworkEvents
  - EmailUrlInfo
  - EmailEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
query: |
  let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
  let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
  (union isfuzzy=true
  (CommonSecurityLog
  | parse Message with * '(' DNSName ')' *
  | where DNSName in~ (DomainNames)
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
  ),
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DNSName = DnsQuery
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (_Im_WebSession (url_has_any=DomainNames)
  | extend DNSName = tostring(parse_url(Url)["Host"])
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (VMConnection
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where DNSName  in~ (DomainNames)
  | extend IPAddress = RemoteIp
  ),
  (DeviceNetworkEvents
  | where RemoteUrl  has_any (DomainNames)
  | extend IPAddress = RemoteIP
  | extend Computer = DeviceName
  ),
  (EmailUrlInfo
  | where Url has_any (DomainNames)
  | join (EmailEvents
  | where EmailDirection == "Inbound" ) on NetworkMessageId
  | extend IPAddress = SenderIPv4
  | extend Account = RecipientEmailAddress
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)
  | extend DNSName = DestinationHost
  | extend IPAddress = SourceHost
  )
  )
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
name: Star Blizzard C2 Domains August 2022
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
kind: Scheduled
severity: High
relevantTechniques:
- T1566
tactics:
- InitialAccess
queryFrequency: 1d
tags:
- Star Blizzard
- Schema: ASIMDns
  SchemaVersion: 0.1.1
version: 1.0.5
queryPeriod: 1d
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2149d9bb-8298-444c-8f99-f7bf0274dd05')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2149d9bb-8298-444c-8f99-f7bf0274dd05')]",
      "properties": {
        "alertRuleTemplateName": "2149d9bb-8298-444c-8f99-f7bf0274dd05",
        "customDetails": null,
        "description": "'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'\n",
        "displayName": "Star Blizzard C2 Domains August 2022",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml",
        "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet DomainNames = (iocs | where Type =~ \"domainname\"| project IoC);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress =  SrcIpAddr, Computer = Dvc\n),\n(_Im_WebSession (url_has_any=DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress =  SrcIpAddr, Computer = Dvc\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where DNSName  in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(DeviceNetworkEvents\n| where RemoteUrl  has_any (DomainNames)\n| extend IPAddress = RemoteIP\n| extend Computer = DeviceName\n),\n(EmailUrlInfo\n| where Url has_any (DomainNames)\n| join (EmailEvents\n| where EmailDirection == \"Inbound\" ) on NetworkMessageId\n| extend IPAddress = SenderIPv4\n| extend Account = RecipientEmailAddress\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames)\n| extend DNSName = DestinationHost\n| extend IPAddress = SourceHost\n)\n)\n| extend AccountName = tostring(split(Account, \"@\")[0]), AccountUPNSuffix = tostring(split(Account, \"@\")[1])\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, \"@\")[0]), AccountUPNSuffix = tostring(split(Account, \"@\")[1])\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          "Star Blizzard",
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}