Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Known Barium domains

Back
Id70b12a3b-4899-42cb-910c-5ffaf9d7997d
Rulename[Deprecated] - Known Barium domains
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftThreatProtection
NXLogDnsLogs
PaloAltoNetworks
SquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumDomainIOC112020.yaml
Version2.0.0
Arm template70b12a3b-4899-42cb-910c-5ffaf9d7997d.json
Deploy To Azure

let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq", 
   "104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq", 
   "117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq", 
   "123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq", 
   "138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq", 
   "157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq", 
   "1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq", 
   "201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq", 
   "210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq", 
   "223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq", 
   "27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq", 
   "31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq", 
   "36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com", 
   "4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq", 
   "45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq", 
   "50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
   "54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq", 
   "6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq", 
   "65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
   "73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
   "8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq", 
   "94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com", 
   "aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq", 
   "aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com", 
   "accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com", 
   "alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com", 
   "battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com", 
   "blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net", 
   "californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com", 
   "cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
   "cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com", 
   "dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com", 
   "eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
   "facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com", 
   "firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net", 
   "googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com", 
   "gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
   "m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
   "microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com", 
   "microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml", 
   "microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
    "minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site", 
   "mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com", 
   "ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq", 
   "ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com", 
   "ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site", 
   "ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com", 
   "ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site", 
   "ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com", 
   "nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site", 
   "owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com", 
   "post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com", 
   "product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com", 
   "rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com", 
   "settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml", 
   "sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com", 
   "store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com", 
   "thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz", 
   "travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
    "web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
    "ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website", 
   "microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com", 
   "ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com", 
   "youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]); 
(union isfuzzy=true 
 (CommonSecurityLog  
 | parse Message with * '(' DNSName ')' *  
 | where DNSName in~ (DomainNames) 
 | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
 ), 
 (_Im_Dns (domain_has_any=DomainNames)
 | extend DNSName = DnsQuery 
 | extend IPAddress =  SrcIpAddr, Computer = Dvc
 ), 
 (_Im_WebSession (url_has_any=DomainNames)
 | extend DNSName = tostring(parse_url(Url)["Host"])
 | extend IPAddress =  SrcIpAddr, Computer = Dvc
 ), 
 (VMConnection  
 | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
 | where isnotempty(DNSName) 
 | where DNSName  in~ (DomainNames) 
 | extend IPAddress = RemoteIp 
 ), 
 ( 
  DeviceNetworkEvents 
 | where isnotempty(RemoteUrl) 
 | where RemoteUrl  in~ (DomainNames)  
 | extend IPAddress = RemoteIP 
 | extend Computer = DeviceName 
 ),
 (AzureDiagnostics 
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallApplicationRule"
 | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
 | where isnotempty(DestinationHost)
 | where DestinationHost has_any (DomainNames)  
 | extend DNSName = DestinationHost 
 | extend IPCustomEntity = SourceHost
 ),
 (AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallNetworkRule"
 | where msg_s has_any (DomainNames)
 | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
 | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
 | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
 | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule 
 | extend IPCustomEntity = SourceIP
 ),
 (AzureDiagnostics
 | where ResourceType == "AZUREFIREWALLS"
 | where Category == "AzureFirewallDnsProxy"
 | where msg_s has_any (DomainNames)
 | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
 | extend
     ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
     SourcePort = tostring(SourcePortInt),
     QueryID =  tostring(QueryID)
 | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
 | order by TimeGenerated
 | extend IPCustomEntity = SourceIP
 ),
 (AZFWApplicationRule
 | where Fqdn has_any (DomainNames)
 | extend IPCustomEntity = SourceIp
 ),
 (AZFWDnsQuery
 | where isnotempty(QueryName)
 | where QueryName has_any (DomainNames)
 | extend DNSName = QueryName
 | extend IPCustomEntity = SourceIp
 )
 ) 
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumDomainIOC112020.yaml
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
queryPeriod: 1d
tactics:
- CommandAndControl
severity: High
triggerOperator: gt
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |2

  let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq", 
     "104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq", 
     "117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq", 
     "123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq", 
     "138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq", 
     "157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq", 
     "1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq", 
     "201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq", 
     "210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq", 
     "223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq", 
     "27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq", 
     "31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq", 
     "36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com", 
     "4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq", 
     "45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq", 
     "50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
     "54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq", 
     "6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq", 
     "65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
     "73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
     "8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq", 
     "94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com", 
     "aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq", 
     "aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com", 
     "accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com", 
     "alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com", 
     "battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com", 
     "blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net", 
     "californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com", 
     "cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
     "cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com", 
     "dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com", 
     "eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
     "facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com", 
     "firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net", 
     "googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com", 
     "gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
     "m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
     "microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com", 
     "microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml", 
     "microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
      "minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site", 
     "mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com", 
     "ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq", 
     "ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com", 
     "ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site", 
     "ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com", 
     "ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site", 
     "ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com", 
     "nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site", 
     "owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com", 
     "post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com", 
     "product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com", 
     "rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com", 
     "settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml", 
     "sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com", 
     "store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com", 
     "thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz", 
     "travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
      "web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
      "ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website", 
     "microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com", 
     "ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com", 
     "youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]); 
  (union isfuzzy=true 
   (CommonSecurityLog  
   | parse Message with * '(' DNSName ')' *  
   | where DNSName in~ (DomainNames) 
   | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
   ), 
   (_Im_Dns (domain_has_any=DomainNames)
   | extend DNSName = DnsQuery 
   | extend IPAddress =  SrcIpAddr, Computer = Dvc
   ), 
   (_Im_WebSession (url_has_any=DomainNames)
   | extend DNSName = tostring(parse_url(Url)["Host"])
   | extend IPAddress =  SrcIpAddr, Computer = Dvc
   ), 
   (VMConnection  
   | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
   | where isnotempty(DNSName) 
   | where DNSName  in~ (DomainNames) 
   | extend IPAddress = RemoteIp 
   ), 
   ( 
    DeviceNetworkEvents 
   | where isnotempty(RemoteUrl) 
   | where RemoteUrl  in~ (DomainNames)  
   | extend IPAddress = RemoteIP 
   | extend Computer = DeviceName 
   ),
   (AzureDiagnostics 
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallApplicationRule"
   | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
   | where isnotempty(DestinationHost)
   | where DestinationHost has_any (DomainNames)  
   | extend DNSName = DestinationHost 
   | extend IPCustomEntity = SourceHost
   ),
   (AzureDiagnostics
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallNetworkRule"
   | where msg_s has_any (DomainNames)
   | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
   | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
   | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
   | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule 
   | extend IPCustomEntity = SourceIP
   ),
   (AzureDiagnostics
   | where ResourceType == "AZUREFIREWALLS"
   | where Category == "AzureFirewallDnsProxy"
   | where msg_s has_any (DomainNames)
   | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
   | extend
       ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
       SourcePort = tostring(SourcePortInt),
       QueryID =  tostring(QueryID)
   | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
   | order by TimeGenerated
   | extend IPCustomEntity = SourceIP
   ),
   (AZFWApplicationRule
   | where Fqdn has_any (DomainNames)
   | extend IPCustomEntity = SourceIp
   ),
   (AZFWDnsQuery
   | where isnotempty(QueryName)
   | where QueryName has_any (DomainNames)
   | extend DNSName = QueryName
   | extend IPCustomEntity = SourceIp
   )
   ) 
   | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
name: '[Deprecated] - Known Barium domains'
version: 2.0.0
kind: Scheduled
id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
      "properties": {
        "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Known Barium domains",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumDomainIOC112020.yaml",
        "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n   \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n   \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n   \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n   \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n   \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n   \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n   \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n   \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n   \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n   \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n   \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n   \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n   \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n   \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n   \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n   \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n   \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n   \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n   \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n   \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n   \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n   \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n   \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n   \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n   \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n   \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n   \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n   \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n   \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n   \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n   \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n   \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n   \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n   \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n   \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n   \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n   \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n   \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n   \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n   \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n    \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n   \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n   \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n   \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n   \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n   \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n   \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n   \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n   \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n   \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n   \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n   \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n   \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n   \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n   \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n   \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n   \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n   \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n    \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n    \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n   \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n   \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n   \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog  \n | parse Message with * '(' DNSName ')' *  \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP \n ), \n (_Im_Dns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress =  SrcIpAddr, Computer = Dvc\n ), \n (_Im_WebSession (url_has_any=DomainNames)\n | extend DNSName = tostring(parse_url(Url)[\"Host\"])\n | extend IPAddress =  SrcIpAddr, Computer = Dvc\n ), \n (VMConnection  \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName  in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n  DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl  in~ (DomainNames)  \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames)  \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallNetworkRule\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n | parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n | parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n | parse msg_s with * \" Rule Collection: \"  RuleCollection \". Rule: \" Rule \n | extend IPCustomEntity = SourceIP\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\n | extend\n     ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n     SourcePort = tostring(SourcePortInt),\n     QueryID =  tostring(QueryID)\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n | order by TimeGenerated\n | extend IPCustomEntity = SourceIP\n ),\n (AZFWApplicationRule\n | where Fqdn has_any (DomainNames)\n | extend IPCustomEntity = SourceIp\n ),\n (AZFWDnsQuery\n | where isnotempty(QueryName)\n | where QueryName has_any (DomainNames)\n | extend DNSName = QueryName\n | extend IPCustomEntity = SourceIp\n )\n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}