
Known Barium domains

Id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d
Rulename: Known Barium domains
Description: Identifies a match across various data feeds for domain IOCs related to the Barium activity group.

References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
Severity: High
Tactics: CommandAndControl
Required data connectors: AzureFirewall
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftThreatProtection
NXLogDnsLogs
PaloAltoNetworks
SquidProxy
Zscaler
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml
Version: 1.7.1
Arm template: 70b12a3b-4899-42cb-910c-5ffaf9d7997d.json

// Domain indicators attributed to the Barium activity group (the rule's
// reference link points to the APT41 indictment). The union that follows tests
// these values with case-insensitive set membership (in~) or term matching
// (has_any), so every entry is a bare host name with no scheme, path or port.
let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq", 
   "104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq", 
   "117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq", 
   "123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq", 
   "138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq", 
   "157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq", 
   "1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq", 
   "201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq", 
   "210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq", 
   "223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq", 
   "27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq", 
   "31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq", 
   "36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com", 
   "4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq", 
   "45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq", 
   "50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
   "54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq", 
   "6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq", 
   "65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
   "73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
   "8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq", 
   "94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com", 
   "aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq", 
   "aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com", 
   "accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com", 
   "alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com", 
   "battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com", 
   "blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net", 
   "californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com", 
   "cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
   "cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com", 
   "dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com", 
   "eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
   "facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com", 
   "firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net", 
   "googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com", 
   "gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
   "m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
   "microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com", 
   "microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml", 
   "microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
    "minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site", 
   "mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com", 
   "ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq", 
   "ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com", 
   "ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site", 
   "ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com", 
   "ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site", 
   "ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com", 
   "nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site", 
   "owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com", 
   "post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com", 
   "product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com", 
   "rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com", 
   "settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml", 
   "sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com", 
   "store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com", 
   "thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz", 
   "travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
    "web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
   // the entries from here on partly repeat earlier ones (e.g. battllestategames.com, cdsend.xyz);
   // duplicates do not change the result of in~ / has_any matching
    "ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website", 
   "microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com", 
   "ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com", 
   "youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]); 
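// Look for DomainNames in every supported source and normalise each branch to
// the same columns (DNSName, IPAddress, Computer, Account) so the final extend
// can feed the Account / Host / IP entity mappings. isfuzzy=true keeps the
// query running when a table or ASIM parser is missing from the workspace.
(union isfuzzy=true
 (CommonSecurityLog
 // the CEF Message carries the looked-up host name in parentheses
 | parse Message with * '(' DNSName ')' *
 | where DNSName in~ (DomainNames)
 | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
 ),
 // ASIM DNS parser; domain_has_any applies the IOC filter inside the parser
 (_Im_Dns (domain_has_any=DomainNames)
 | extend DNSName = DnsQuery
 | extend IPAddress = SrcIpAddr, Computer = Dvc
 ),
 // ASIM web session parser; the URL host becomes DNSName
 (_Im_WebSession (url_has_any=DomainNames)
 | extend DNSName = tostring(parse_url(Url)["Host"])
 | extend IPAddress = SrcIpAddr, Computer = Dvc
 ),
 (VMConnection
 // RemoteDnsCanonicalNames is parsed as text: DNSName is whatever sits between [" and "]
 // NOTE(review): a multi-entry array would yield the whole inner text as one DNSName
 // and never satisfy in~ - confirm the column's shape against live data
 | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
 | where isnotempty(DNSName)
 | where DNSName in~ (DomainNames)
 | extend IPAddress = RemoteIp
 ),
 (
  DeviceNetworkEvents
 | where isnotempty(RemoteUrl)
 // NOTE(review): in~ is an exact (case-insensitive) set match, so a RemoteUrl that
 // includes a scheme, port or path is not matched; the firewall branches use has_any
 | where RemoteUrl in~ (DomainNames)
 | extend IPAddress = RemoteIP
 | extend Computer = DeviceName
 ),
 // Azure Firewall through the legacy AzureDiagnostics schema. These branches set
 // IPCustomEntity directly instead of IPAddress; the final extend must honour that.
 (AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallApplicationRule"
 | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
 | where isnotempty(DestinationHost)
 | where DestinationHost has_any (DomainNames)
 | extend DNSName = DestinationHost
 | extend IPCustomEntity = SourceHost
 ),
 (AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallNetworkRule"
 // network-rule messages are filtered on the whole msg_s text
 | where msg_s has_any (DomainNames)
 | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
 | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
 | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
 | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule
 | extend IPCustomEntity = SourceIP
 ),
 (AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallDnsProxy"
 | where msg_s has_any (DomainNames)
 | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
 | extend
     ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
     SourcePort = tostring(SourcePortInt),
     QueryID = tostring(QueryID)
 | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
 | order by TimeGenerated
 // expose the queried name under the column every other branch uses
 | extend DNSName = hostname
 | extend IPCustomEntity = SourceIP
 ),
 // Azure Firewall resource-specific tables
 (AZFWApplicationRule
 | where Fqdn has_any (DomainNames)
 | extend DNSName = Fqdn
 | extend IPCustomEntity = SourceIp
 ),
 (AZFWDnsQuery
 | where isnotempty(QueryName)
 | where QueryName has_any (DomainNames)
 | extend DNSName = QueryName
 | extend IPCustomEntity = SourceIp
 )
 )
 // extend replaces an existing column, so assigning IPAddress unconditionally
 // blanked IPCustomEntity for the Azure Firewall rows (those branches never set
 // IPAddress) and the IP entity was lost for exactly the firewall detections.
 // Prefer IPAddress and fall back to whatever the branch already populated.
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = coalesce(IPAddress, IPCustomEntity)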
queryFrequency: 1d
triggerOperator: gt
tactics:
- CommandAndControl
description: |
  'Identifies a match across various data feeds for domain IOCs related to the Barium activity group.
   References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer'  
status: Available
name: Known Barium domains
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml
severity: High
triggerThreshold: 0
version: 1.7.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d
requiredDataConnectors:
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
kind: Scheduled
query: |2

  // Domain indicators attributed to the Barium activity group (the rule's
  // reference link points to the APT41 indictment). The union that follows tests
  // these values with case-insensitive set membership (in~) or term matching
  // (has_any), so every entry is a bare host name with no scheme, path or port.
  let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq", 
     "104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq", 
     "117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq", 
     "123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq", 
     "138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq", 
     "157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq", 
     "1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq", 
     "201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq", 
     "210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq", 
     "223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq", 
     "27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq", 
     "31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq", 
     "36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com", 
     "4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq", 
     "45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq", 
     "50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
     "54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq", 
     "6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq", 
     "65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
     "73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
     "8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq", 
     "94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com", 
     "aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq", 
     "aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com", 
     "accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com", 
     "alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com", 
     "battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com", 
     "blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net", 
     "californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com", 
     "cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
     "cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com", 
     "dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com", 
     "eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
     "facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com", 
     "firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net", 
     "googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com", 
     "gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
     "m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
     "microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com", 
     "microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml", 
     "microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
      "minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site", 
     "mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com", 
     "ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq", 
     "ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com", 
     "ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site", 
     "ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com", 
     "ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site", 
     "ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com", 
     "nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site", 
     "owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com", 
     "post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com", 
     "product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com", 
     "rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com", 
     "settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml", 
     "sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com", 
     "store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com", 
     "thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz", 
     "travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
      "web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
     // the entries from here on partly repeat earlier ones (e.g. battllestategames.com, cdsend.xyz);
     // duplicates do not change the result of in~ / has_any matching
      "ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website", 
     "microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com", 
     "ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com", 
     "youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]); 
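  // Look for DomainNames in every supported source and normalise each branch to
  // the same columns (DNSName, IPAddress, Computer, Account) so the final extend
  // can feed the Account / Host / IP entity mappings. isfuzzy=true keeps the
  // query running when a table or ASIM parser is missing from the workspace.
  (union isfuzzy=true
   (CommonSecurityLog
   // the CEF Message carries the looked-up host name in parentheses
   | parse Message with * '(' DNSName ')' *
   | where DNSName in~ (DomainNames)
   | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
   ),
   // ASIM DNS parser; domain_has_any applies the IOC filter inside the parser
   (_Im_Dns (domain_has_any=DomainNames)
   | extend DNSName = DnsQuery
   | extend IPAddress = SrcIpAddr, Computer = Dvc
   ),
   // ASIM web session parser; the URL host becomes DNSName
   (_Im_WebSession (url_has_any=DomainNames)
   | extend DNSName = tostring(parse_url(Url)["Host"])
   | extend IPAddress = SrcIpAddr, Computer = Dvc
   ),
   (VMConnection
   // RemoteDnsCanonicalNames is parsed as text: DNSName is whatever sits between [" and "]
   // NOTE(review): a multi-entry array would yield the whole inner text as one DNSName
   // and never satisfy in~ - confirm the column's shape against live data
   | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
   | where isnotempty(DNSName)
   | where DNSName in~ (DomainNames)
   | extend IPAddress = RemoteIp
   ),
   (
    DeviceNetworkEvents
   | where isnotempty(RemoteUrl)
   // NOTE(review): in~ is an exact (case-insensitive) set match, so a RemoteUrl that
   // includes a scheme, port or path is not matched; the firewall branches use has_any
   | where RemoteUrl in~ (DomainNames)
   | extend IPAddress = RemoteIP
   | extend Computer = DeviceName
   ),
   // Azure Firewall through the legacy AzureDiagnostics schema. These branches set
   // IPCustomEntity directly instead of IPAddress; the final extend must honour that.
   (AzureDiagnostics
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallApplicationRule"
   | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
   | where isnotempty(DestinationHost)
   | where DestinationHost has_any (DomainNames)
   | extend DNSName = DestinationHost
   | extend IPCustomEntity = SourceHost
   ),
   (AzureDiagnostics
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallNetworkRule"
   // network-rule messages are filtered on the whole msg_s text
   | where msg_s has_any (DomainNames)
   | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
   | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
   | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
   | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule
   | extend IPCustomEntity = SourceIP
   ),
   (AzureDiagnostics
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallDnsProxy"
   | where msg_s has_any (DomainNames)
   | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
   | extend
       ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
       SourcePort = tostring(SourcePortInt),
       QueryID = tostring(QueryID)
   | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
   | order by TimeGenerated
   // expose the queried name under the column every other branch uses
   | extend DNSName = hostname
   | extend IPCustomEntity = SourceIP
   ),
   // Azure Firewall resource-specific tables
   (AZFWApplicationRule
   | where Fqdn has_any (DomainNames)
   | extend DNSName = Fqdn
   | extend IPCustomEntity = SourceIp
   ),
   (AZFWDnsQuery
   | where isnotempty(QueryName)
   | where QueryName has_any (DomainNames)
   | extend DNSName = QueryName
   | extend IPCustomEntity = SourceIp
   )
   )
   // extend replaces an existing column, so assigning IPAddress unconditionally
   // blanked IPCustomEntity for the Azure Firewall rows (those branches never set
   // IPAddress) and the IP entity was lost for exactly the firewall detections.
   // Prefer IPAddress and fall back to whatever the branch already populated.
   | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = coalesce(IPAddress, IPCustomEntity)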
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Known Barium domains",
        "description": "'Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer'\n",
        "severity": "High",
        "enabled": true,
        "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n   \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n   \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n   \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n   \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n   \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n   \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n   \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n   \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n   \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n   \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n   \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n   \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n   \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n   \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n   \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", 
\"53.ns1.dns-info.gq\",\n   \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n   \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n   \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n   \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n   \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n   \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n   \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n   \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n   \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n   \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n   \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n   \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n   \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n   \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n   \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n   \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n   \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n   \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n   \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n   
\"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n   \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n   \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n   \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n   \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n   \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n    \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n   \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n   \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n   \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n   \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n   \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n   \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n   \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n   \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n   \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n   \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n   \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", 
\"rb.itemdb.com\", \"redditcdn.com\", \n   \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n   \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n   \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n   \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n   \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n   \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n    \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n    \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n   \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n   \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n   \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog  \n | parse Message with * '(' DNSName ')' *  \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP \n ), \n (_Im_Dns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress =  SrcIpAddr, Computer = Dvc\n ), \n (_Im_WebSession (url_has_any=DomainNames)\n | extend DNSName = tostring(parse_url(Url)[\"Host\"])\n | extend IPAddress =  SrcIpAddr, Computer = Dvc\n ), \n (VMConnection  \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName  in~ 
(DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n  DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl  in~ (DomainNames)  \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames)  \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallNetworkRule\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n | parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n | parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n | parse msg_s with * \" Rule Collection: \"  RuleCollection \". Rule: \" Rule \n | extend IPCustomEntity = SourceIP\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". 
\" protocol \" \" details\n | extend\n     ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n     SourcePort = tostring(SourcePortInt),\n     QueryID =  tostring(QueryID)\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n | order by TimeGenerated\n | extend IPCustomEntity = SourceIP\n ),\n (AZFWApplicationRule\n | where Fqdn has_any (DomainNames)\n | extend IPCustomEntity = SourceIp\n ),\n (AZFWDnsQuery\n | where isnotempty(QueryName)\n | where QueryName has_any (DomainNames)\n | extend DNSName = QueryName\n | extend IPCustomEntity = SourceIp\n )\n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.7.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml",
        "status": "Available",
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ]
      }
    }
  ]
}