Microsoft Sentinel Analytic Rules

Possible STRONTIUM attempted credential harvesting - Oct 2020

Id68271db2-cbe9-4009-b1d3-bb3b5fe5713c
RulenamePossible STRONTIUM attempted credential harvesting - Oct 2020
DescriptionSurfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events. The detection is a fixed, dated list of user-agent strings (plus the literal "ms-office") applied to non-"UserLoggedIn" Azure AD logon records, and it fires only when more than 500 such events from a single user agent occur within the 14-day window; treat it as a legacy indicator match rather than a behavioural detection.
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsOffice365
KindScheduled
Query frequency7d
Query period14d
Trigger threshold0
Trigger operatorgt (any row returned by the query raises an alert; the real volume gate is the `authAttempts > 500` filter inside the query)
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/STRONTIUMOct292020IOCs.yaml
Version1.0.1
Arm template68271db2-cbe9-4009-b1d3-bb3b5fe5713c.json
// Legacy IOC rule (October 2020): flags bursts of non-successful Azure AD / Office 365 logon
// events that carry one of a fixed set of user-agent strings attributed to STRONTIUM at the time.
// The indicators are static and will age; treat a hit as a lead to triage, not as confirmation.
let User_Agents = dynamic (["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70", 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15", 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0", 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", 
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"]);
OfficeActivity
// Only the Azure AD account / STS logon record types from the Office 365 audit feed.
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") 
// Drops the 'UserLoggedIn' operation (successful sign-ins); every other logon operation,
// including failed attempts, is kept. NOTE(review): confirm the exact set of operations
// present in this tenant's OfficeActivity data.
| where Operation != 'UserLoggedIn'
// UserAgent is read ONLY from element [0] of ExtendedProperties. If the UserAgent property
// sits at any other index the value becomes "" and the row is silently discarded by the
// user-agent filter further down.
| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
// One row per ExtendedProperties entry, then keep only the RequestType entry. This doubles
// as a filter: an event with no RequestType property disappears here. RequestType itself is
// extracted but never projected or used afterwards.
| mv-expand parse_json(ExtendedProperties)
| where ExtendedProperties.Name =~ "RequestType"
| extend RequestType = todynamic(ExtendedProperties).Value
// =~ is a case-insensitive equality; has_any is a term/phrase match rather than equality,
// so a list entry that is a prefix (the first one ends in "Chrome/70") presumably matches
// longer user-agent strings as well.
| where UserAgent =~ "ms-office" or UserAgent has_any (User_Agents)
// Aggregated per user agent across the whole tenant, not per source IP or per account.
// authAttempts is dcount(TimeGenerated): an approximate count of distinct timestamps, not a
// row count, so events sharing a TimeGenerated collapse into one. uniqueIPs, uniqueAccounts
// and attemptedAccounts are context for triage only; they do not gate the alert.
| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
// Hard-coded volume gate. The rule's own trigger is 0/gt, so any row surviving this filter
// raises an alert.
| where authAttempts > 500
// Alert time is anchored to the first matching event in the window, not the last.
| extend timestamp = firstAttempt
// KQL sorts descending by default: the user agent touching the most accounts comes first.
| sort by uniqueAccounts
# Microsoft Sentinel scheduled analytic rule (legacy, IOC-based). The detection is a fixed
# list of user-agent strings published in October 2020; expect it to age rather than
# generalise, and review it alongside behaviour-based sign-in detections.
queryFrequency: 7d
severity: Low
# Threshold 0 with operator gt: any row the query returns raises an alert. The real volume
# gate is the `authAttempts > 500` filter inside the query itself.
triggerThreshold: 0
relevantTechniques:
- T1110
# Query body. The KQL only reads UserAgent from element [0] of ExtendedProperties and only
# keeps events that carry a RequestType property; rows failing either condition are dropped
# silently. authAttempts is an approximate distinct-timestamp count, not a row count.
query: |
  let User_Agents = dynamic (["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70", 
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15", 
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0", 
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", 
  "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"]);
  OfficeActivity
  | where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") 
  | where Operation != 'UserLoggedIn'
  | extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
  | mv-expand parse_json(ExtendedProperties)
  | where ExtendedProperties.Name =~ "RequestType"
  | extend RequestType = todynamic(ExtendedProperties).Value
  | where UserAgent =~ "ms-office" or UserAgent has_any (User_Agents)
  | summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
  | where authAttempts > 500
  | extend timestamp = firstAttempt
  | sort by uniqueAccounts  
id: 68271db2-cbe9-4009-b1d3-bb3b5fe5713c
triggerOperator: gt
version: 1.0.1
# Needs the Office 365 connector feeding the OfficeActivity table; without Azure AD logon
# record types in that table the query returns nothing and the rule is silently inert.
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity
description: |
    'Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.'
# Runs every 7 days over a 14-day window, so each run re-reads the previous run's 7 days.
# The ARM template on this page deploys it with suppression disabled, so one burst can be
# alerted twice. It also sets entityMappings to null: incidents carry no Account or IP
# entities, and attemptedAccounts / uniqueIPs must be read from the query results.
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/STRONTIUMOct292020IOCs.yaml
status: Available
name: Possible STRONTIUM attempted credential harvesting - Oct 2020
tactics:
- CredentialAccess
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68271db2-cbe9-4009-b1d3-bb3b5fe5713c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68271db2-cbe9-4009-b1d3-bb3b5fe5713c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Possible STRONTIUM attempted credential harvesting - Oct 2020",
        "description": "'Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/STRONTIUMOct292020IOCs.yaml",
        "status": "Available"
      }
    }
  ]
}