[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021
| Id | 595a10c9-91be-4abb-bbc7-ae9c57848bef |
| Rulename | [Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1496 |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CEF CheckPoint CiscoASA DNS F5 Fortinet MicrosoftThreatProtection Office365 PaloAltoNetworks SecurityEvents WindowsFirewall |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml |
| Version | 2.0.0 |
| Arm template | 595a10c9-91be-4abb-bbc7-ae9c57848bef.json |
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let process = (iocs | where Type =~ "process" | project IoC);
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let IPList = (iocs | where Type =~ "ip"| project IoC);
let domains = (iocs | where Type =~ "domainname"| project IoC);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type
| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL has_any (domains), "RequestUrl", "NoMatch"), AlertDetail = 'Chia crypto IOC detected'
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), Account = SourceUserID
),
(DnsEvents
| where IPAddresses in (IPList) or Name in~ (domains)
| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer
| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), File = ProcessName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]), Image = tostring(EventDetail.[4].["#text"])
| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)
| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\', -1)[-1]), IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
| extend FilePath = replace_string(Image, File, '')
),
(OfficeActivity
| where ClientIP in (IPList)
| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type
| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId
),
(DeviceNetworkEvents
| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)
| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type
| extend timestamp = TimeGenerated, IPEntity = RemoteIP
),
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList)
| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (domains) or ClientIP in (IPList)
| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty (Fqdn)
| where Fqdn has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = Fqdn
| extend IPEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains) or SourceIp in (IPList)
| extend timestamp = TimeGenerated
| extend DNSName = QueryName
| extend IPEntity = SourceIp
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| where EventDetail has_any (sha256Hashes)
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].["#text"])
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\', -1)[-1]), FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(Image, File, '')
),
(DeviceFileEvents
| where InitiatingProcessFolderPath has_any (process)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256
| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')
),
(CommonSecurityLog
| where FileHash in (sha256Hashes)
| project TimeGenerated, Message, SourceUserID, FileHash, Type
| extend timestamp = TimeGenerated, FileHashAlgo = 'SHA256', Account = SourceUserID
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| project TimeGenerated, EventDetail, UserName, Computer, Type
| extend Image = tostring(EventDetail.[4].["#text"]), CommandLine = tostring(EventDetail.[10].["#text"]), Account = UserName, FileHash = tostring(EventDetail.[17].["#text"])
| where Image has_any (process)
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\', -1)[-1]), FileHashAlgo = 'SHA256'
| extend FilePath= replace_string(Image, File, '')
),
(DeviceEvents
| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')
),
(SecurityEvent
| where EventID == '4688'
| where NewProcessName has_any (process)
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1])
| extend FilePath = replace_string(NewProcessName, File, '')
)
)
| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml
severity: Low
tags:
- Chia
name: '[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021'
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
- entityType: File
fieldMappings:
- columnName: FileCustomEntity
identifier: Name
- columnName: FilePathCustomEntity
identifier: Directory
- entityType: FileHash
fieldMappings:
- columnName: FileHashAlgo
identifier: Algorithm
- columnName: FileHashCustomEntity
identifier: Value
relevantTechniques:
- T1496
queryFrequency: 6h
triggerThreshold: 0
queryPeriod: 6h
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
id: 595a10c9-91be-4abb-bbc7-ae9c57848bef
version: 2.0.0
tactics:
- Impact
query: |
let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let process = (iocs | where Type =~ "process" | project IoC);
let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);
let IPList = (iocs | where Type =~ "ip"| project IoC);
let domains = (iocs | where Type =~ "domainname"| project IoC);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type
| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL has_any (domains), "RequestUrl", "NoMatch"), AlertDetail = 'Chia crypto IOC detected'
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), Account = SourceUserID
),
(DnsEvents
| where IPAddresses in (IPList) or Name in~ (domains)
| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer
| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), File = ProcessName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]), Image = tostring(EventDetail.[4].["#text"])
| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)
| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\', -1)[-1]), IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
| extend FilePath = replace_string(Image, File, '')
),
(OfficeActivity
| where ClientIP in (IPList)
| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type
| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId
),
(DeviceNetworkEvents
| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)
| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type
| extend timestamp = TimeGenerated, IPEntity = RemoteIP
),
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList)
| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (domains) or ClientIP in (IPList)
| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| project TimeGenerated,Resource, msg_s, Type
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty (Fqdn)
| where Fqdn has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = Fqdn
| extend IPEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains) or SourceIp in (IPList)
| extend timestamp = TimeGenerated
| extend DNSName = QueryName
| extend IPEntity = SourceIp
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| where EventDetail has_any (sha256Hashes)
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].["#text"])
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\', -1)[-1]), FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(Image, File, '')
),
(DeviceFileEvents
| where InitiatingProcessFolderPath has_any (process)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256
| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')
),
(CommonSecurityLog
| where FileHash in (sha256Hashes)
| project TimeGenerated, Message, SourceUserID, FileHash, Type
| extend timestamp = TimeGenerated, FileHashAlgo = 'SHA256', Account = SourceUserID
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| project TimeGenerated, EventDetail, UserName, Computer, Type
| extend Image = tostring(EventDetail.[4].["#text"]), CommandLine = tostring(EventDetail.[10].["#text"]), Account = UserName, FileHash = tostring(EventDetail.[17].["#text"])
| where Image has_any (process)
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\', -1)[-1]), FileHashAlgo = 'SHA256'
| extend FilePath= replace_string(Image, File, '')
),
(DeviceEvents
| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)
| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type
| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath
| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'
| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')
),
(SecurityEvent
| where EventID == '4688'
| where NewProcessName has_any (process)
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type
| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\', -1)[-1])
| extend FilePath = replace_string(NewProcessName, File, '')
)
)
| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash
status: Available
requiredDataConnectors:
- dataTypes:
- DnsEvents
connectorId: DNS
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- CommonSecurityLog
connectorId: F5
- dataTypes:
- CommonSecurityLog
connectorId: CiscoASA
- dataTypes:
- CommonSecurityLog
connectorId: PaloAltoNetworks
- dataTypes:
- CommonSecurityLog
connectorId: Fortinet
- dataTypes:
- CommonSecurityLog
connectorId: CheckPoint
- dataTypes:
- CommonSecurityLog
connectorId: CEF
- dataTypes:
- DeviceNetworkEvents
- DeviceFileEvents
- DeviceEvents
connectorId: MicrosoftThreatProtection
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
- dataTypes:
- OfficeActivity
connectorId: Office365
- dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWDnsQuery
connectorId: AzureFirewall
- dataTypes:
- WindowsFirewall
connectorId: WindowsFirewall
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/595a10c9-91be-4abb-bbc7-ae9c57848bef')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/595a10c9-91be-4abb-bbc7-ae9c57848bef')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"severity": "Low",
"enabled": true,
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty (Fqdn)\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains) or SourceIp in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"])\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"])\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1])\n| extend FilePath = replace_string(NewProcessName, File, '')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1496"
],
"alertRuleTemplateName": "595a10c9-91be-4abb-bbc7-ae9c57848bef",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "FileCustomEntity"
},
{
"identifier": "Directory",
"columnName": "FilePathCustomEntity"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"identifier": "Algorithm",
"columnName": "FileHashAlgo"
},
{
"identifier": "Value",
"columnName": "FileHashCustomEntity"
}
]
}
],
"templateVersion": "2.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml",
"status": "Available",
"tags": [
"Chia"
]
}
}
]
}