Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021

[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021

Back
Id677da133-e487-4108-a150-5b926591a92b
Rulename[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityMedium
TacticsCommandAndControl
Execution
TechniquesT1102.002
T1204.001
Required data connectorsAWSS3
AzureFirewall
AzureMonitor(VMInsights)
CEF
CheckPoint
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
F5
Fortinet
GCPDNSDataConnector
InfobloxNIOS
MicrosoftSysmonForLinux
MicrosoftThreatProtection
NXLogDnsLogs
Office365
PaloAltoNetworks
SecurityEvents
SquidProxy
WindowsFirewall
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml
Version2.0.0
Arm template677da133-e487-4108-a150-5b926591a92b.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv"] with (format="csv", ignoreFirstRecord=True);
let sha256s = (iocs | where Type =~ "SHA256"| project IoC);
let ips = (iocs | where Type =~ "IP"| project IoC);
let IPList = dynamic(["192.99.221.77","83.171.237.173"]);
let ips_list=toscalar(ips | summarize makeset(IoC));
let full_ip_list= array_concat(ips_list, IPList);
let domains = (iocs | where Type =~ "Domain"| project IoC);
let domain_list=toscalar(domains | summarize make_set(IoC));
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let sha256Hashes = dynamic(["2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916",
"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0",
"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c",
"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"]);
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' * 
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (domains), "RequestUrl", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", MessageIP in (IPList), "Message", "NoMatch") 
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
),
(_Im_Dns (domain_has_any=todynamic(domain_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))
| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP",  SourceIp in (ips), "SourceIP", DestinationIp in (ips), "DestinationIP", "None") 
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
),
(OfficeActivity
| where ClientIP in (IPList) or ClientIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
),
(WindowsFirewall
| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)
  | extend IPMatch =  "SourceIP"
  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User
),
(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)
  | extend IPMatch =  "DestinationIP"
  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity =  DstIpAddr //, AccountCustomEntity =User
),
(_Im_WebSession(url_has_any=domains)
  | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)
  | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
),
(AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (domains)  
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = Fqdn
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (domains)
| extend timestamp = TimeGenerated
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
),
(Event
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)
| parse EventDetail with * 'SHA256=' SHA256 '",' *
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, FileHash
),
(DeviceFileEvents
| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(CommonSecurityLog
| where FileHash in (sha256Hashes) or FileHash in (sha256s)
| extend timestamp = TimeGenerated
)
)

requiredDataConnectors:
- connectorId: AWSS3
  datatypes:
  - AWSVPCFlow
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: F5
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
  - DeviceFileEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: Office365
  dataTypes:
  - OfficeActivity
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
- connectorId: WindowsFirewall
  dataTypes:
  - WindowsFirewall
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
triggerOperator: gt
queryFrequency: 6h
name: '[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021'
status: Available
queryPeriod: 6h
id: 677da133-e487-4108-a150-5b926591a92b
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
severity: Medium
tags:
- Midnight Blizzard
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
query: |
  let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
  [@"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv"] with (format="csv", ignoreFirstRecord=True);
  let sha256s = (iocs | where Type =~ "SHA256"| project IoC);
  let ips = (iocs | where Type =~ "IP"| project IoC);
  let IPList = dynamic(["192.99.221.77","83.171.237.173"]);
  let ips_list=toscalar(ips | summarize makeset(IoC));
  let full_ip_list= array_concat(ips_list, IPList);
  let domains = (iocs | where Type =~ "Domain"| project IoC);
  let domain_list=toscalar(domains | summarize make_set(IoC));
  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  let sha256Hashes = dynamic(["2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
  "d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
  "94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916",
  "48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0",
  "ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c",
  "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"]);
  (union isfuzzy=true
  (CommonSecurityLog
  | where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)
  | parse Message with * '(' DNSName ')' * 
  | extend MessageIP = extract(IPRegex, 0, Message)
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (domains), "RequestUrl", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", MessageIP in (IPList), "Message", "NoMatch") 
  | extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
  ),
  (_Im_Dns (domain_has_any=todynamic(domain_list))
  | extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
  ),
  (_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))
  | extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
  ),
  (VMConnection
  | where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP",  SourceIp in (ips), "SourceIP", DestinationIp in (ips), "DestinationIP", "None") 
  | extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
  ),
  (OfficeActivity
  | where ClientIP in (IPList) or ClientIP in (ips)
  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
  ),
  (WindowsFirewall
  | where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)
  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
  ),
  (_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)
    | extend IPMatch =  "SourceIP"
    | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User
  ),
  (_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)
    | extend IPMatch =  "DestinationIP"
    | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity =  DstIpAddr //, AccountCustomEntity =User
  ),
  (_Im_WebSession(url_has_any=domains)
    | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
  ),
  (_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)
    | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)["Host"]), AccountCustomEntity=User
  ),
  (AzureDiagnostics 
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (domains)  
  | extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
  ),
  (AZFWApplicationRule
  | where isnotempty(Fqdn)
  | where Fqdn has_any (domains)
  | extend timestamp = TimeGenerated
  | extend DNSName = Fqdn
  | extend IPCustomEntity = SourceIp
  ),
  (AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (domains)
  | extend timestamp = TimeGenerated
  | extend DNSName = QueryName
  | extend IPCustomEntity = SourceIp
  ),
  (Event
  //This query uses sysmon data depending on table name used this may need updating
  | where Source == "Microsoft-Windows-Sysmon"
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)
  | parse EventDetail with * 'SHA256=' SHA256 '",' *
  | extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = SHA256
  | project Type, TimeGenerated, Computer, Account, FileHash
  ),
  (DeviceFileEvents
  | where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)
  | extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
  ),
  (imFileEvent
  | where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)
  | extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
  | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
  ),
  (CommonSecurityLog
  | where FileHash in (sha256Hashes) or FileHash in (sha256s)
  | extend timestamp = TimeGenerated
  )
  )  
version: 2.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DNSName
relevantTechniques:
- T1102.002
- T1204.001
tactics:
- CommandAndControl
- Execution
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/677da133-e487-4108-a150-5b926591a92b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/677da133-e487-4108-a150-5b926591a92b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021",
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet ips_list=toscalar(ips | summarize makeset(IoC));\nlet full_ip_list= array_concat(ips_list, IPList);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet domain_list=toscalar(domains | summarize make_set(IoC));\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(_Im_Dns (domain_has_any=todynamic(domain_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\",  SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\n  | extend IPMatch =  \"SourceIP\"\n  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\n),\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\n  | extend IPMatch =  \"DestinationIP\"\n  | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity =  DstIpAddr //, AccountCustomEntity =User\n),\n(_Im_WebSession(url_has_any=domains)\n  | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\n  | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains)  \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Execution"
        ],
        "techniques": [
          "T1102.002",
          "T1204.001"
        ],
        "alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "DomainName",
                "columnName": "DNSName"
              }
            ],
            "entityType": "DNS"
          }
        ],
        "tags": [
          "Midnight Blizzard",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "2.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml",
        "status": "Available"
      }
    }
  ]
}