Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020

[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020

Back
Id68271db2-cbe9-4009-b1d3-bb3b5fe5713c
Rulename[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsOffice365
KindScheduled
Query frequency7d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml
Version2.0.0
Arm template68271db2-cbe9-4009-b1d3-bb3b5fe5713c.json
Deploy To Azure
let User_Agents = dynamic (["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70", 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15", 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0", 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", 
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"]);
OfficeActivity
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") 
| where Operation != 'UserLoggedIn'
| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
| mv-expand parse_json(ExtendedProperties)
| where ExtendedProperties.Name =~ "RequestType"
| extend RequestType = todynamic(ExtendedProperties).Value
| where UserAgent =~ "ms-office" or UserAgent has_any (User_Agents)
| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
| where authAttempts > 500
| extend timestamp = firstAttempt
| sort by uniqueAccounts

severity: Low
queryFrequency: 7d
relevantTechniques:
- T1110
tactics:
- CredentialAccess
kind: Scheduled
query: |
  let User_Agents = dynamic (["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70", 
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15", 
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0", 
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36", 
  "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"]);
  OfficeActivity
  | where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") 
  | where Operation != 'UserLoggedIn'
  | extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ "UserAgent", extractjson("$[0].Value", ExtendedProperties, typeof(string)),"")
  | mv-expand parse_json(ExtendedProperties)
  | where ExtendedProperties.Name =~ "RequestType"
  | extend RequestType = todynamic(ExtendedProperties).Value
  | where UserAgent =~ "ms-office" or UserAgent has_any (User_Agents)
  | summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent
  | where authAttempts > 500
  | extend timestamp = firstAttempt
  | sort by uniqueAccounts  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml
queryPeriod: 14d
status: Available
version: 2.0.0
name: '[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020'
requiredDataConnectors:
- dataTypes:
  - OfficeActivity
  connectorId: Office365
triggerOperator: gt
id: 68271db2-cbe9-4009-b1d3-bb3b5fe5713c
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68271db2-cbe9-4009-b1d3-bb3b5fe5713c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68271db2-cbe9-4009-b1d3-bb3b5fe5713c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020",
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "2.0.0",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml"
      }
    }
  ]
}