Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Star Blizzard C2 Domains August 2022

Star Blizzard C2 Domains August 2022

Back
Id2149d9bb-8298-444c-8f99-f7bf0274dd05
RulenameStar Blizzard C2 Domains August 2022
DescriptionIdentifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.
SeverityHigh
TacticsInitialAccess
TechniquesT1566
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
MicrosoftThreatProtection
PaloAltoNetworks
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml
Version1.0.5
Arm template2149d9bb-8298-444c-8f99-f7bf0274dd05.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName  in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(DeviceNetworkEvents
| where RemoteUrl  has_any (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(EmailUrlInfo
| where Url has_any (DomainNames)
| join (EmailEvents
| where EmailDirection == "Inbound" ) on NetworkMessageId
| extend IPAddress = SenderIPv4
| extend Account = RecipientEmailAddress
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

description: |
    'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
version: 1.0.5
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml
triggerOperator: gt
tags:
- Star Blizzard
- Schema: ASIMDns
  SchemaVersion: 0.1.1
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
name: Star Blizzard C2 Domains August 2022
queryFrequency: 1d
severity: High
metadata:
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
  source:
    kind: Community
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
relevantTechniques:
- T1566
query: |
  let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
  let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
  (union isfuzzy=true
  (CommonSecurityLog
  | parse Message with * '(' DNSName ')' *
  | where DNSName in~ (DomainNames)
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
  ),
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DNSName = DnsQuery
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (_Im_WebSession (url_has_any=DomainNames)
  | extend DNSName = tostring(parse_url(Url)["Host"])
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (VMConnection
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where DNSName  in~ (DomainNames)
  | extend IPAddress = RemoteIp
  ),
  (DeviceNetworkEvents
  | where RemoteUrl  has_any (DomainNames)
  | extend IPAddress = RemoteIP
  | extend Computer = DeviceName
  ),
  (EmailUrlInfo
  | where Url has_any (DomainNames)
  | join (EmailEvents
  | where EmailDirection == "Inbound" ) on NetworkMessageId
  | extend IPAddress = SenderIPv4
  | extend Account = RecipientEmailAddress
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)
  | extend DNSName = DestinationHost
  | extend IPAddress = SourceHost
  )
  )
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
requiredDataConnectors:
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - DeviceNetworkEvents
  - EmailUrlInfo
  - EmailEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall