Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AV detections related to Zinc actors

AV detections related to Zinc actors

Back
Id3705158d-e008-49c9-92dd-e538e1549090
RulenameAV detections related to Zinc actors
DescriptionThis query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc.

This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.

Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zinc Open Source/Analytic Rules/ZincOctober2022_AVHits_IOC.yaml
Version1.0.2
Arm template3705158d-e008-49c9-92dd-e538e1549090.json
Deploy To Azure
let Zinc_threats = dynamic(["Trojan:Win32/ZetaNile.A", "Trojan:Win32/EventHorizon.A", "Trojan:Win32/FoggyBrass.A", "Trojan:Win32/FoggyBrass.B", "Trojan:Win32/PhantomStar.A","Trojan:Win32/PhantomStar.C","TrojanDropper:Win32/PhantomStar.A"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, '.'), 1, -1), '.'))

tags:
- Zinc
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: PublicIP
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - SecurityAlert
  - DeviceInfo
  connectorId: MicrosoftThreatProtection
id: 3705158d-e008-49c9-92dd-e538e1549090
severity: High
status: Available
query: |
  let Zinc_threats = dynamic(["Trojan:Win32/ZetaNile.A", "Trojan:Win32/EventHorizon.A", "Trojan:Win32/FoggyBrass.A", "Trojan:Win32/FoggyBrass.B", "Trojan:Win32/PhantomStar.A","Trojan:Win32/PhantomStar.C","TrojanDropper:Win32/PhantomStar.A"]);
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join kind=inner ( SecurityAlert
  | where ProviderName == "MDATP"
  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
  | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
  | where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)
  | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity
  | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
  | extend HostName = tostring(split(CompromisedEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, '.'), 1, -1), '.'))  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zinc Open Source/Analytic Rules/ZincOctober2022_AVHits_IOC.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.2
name: AV detections related to Zinc actors
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1486
description: |
  'This query looks for Microsoft Defender AV detections related to  Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. 
   This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
   Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/'  
triggerOperator: gt