[Deprecated] - Known Barium domains
| Id | 70b12a3b-4899-42cb-910c-5ffaf9d7997d |
| Rulename | [Deprecated] - Known Barium domains |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftThreatProtection NXLogDnsLogs PaloAltoNetworks SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml |
| Version | 2.0.0 |
| Arm template | 70b12a3b-4899-42cb-910c-5ffaf9d7997d.json |
let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq",
"104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq",
"117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq",
"123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq",
"138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq",
"157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq",
"1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq",
"201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq",
"210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq",
"223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq",
"27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq",
"31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq",
"36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com",
"4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq",
"45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq",
"50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
"54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq",
"6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq",
"65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
"73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
"8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq",
"94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com",
"aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq",
"aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com",
"accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com",
"alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com",
"battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com",
"blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net",
"californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com",
"cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
"cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com",
"dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com",
"eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
"facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com",
"firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net",
"googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com",
"gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
"m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
"microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com",
"microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml",
"microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
"minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site",
"mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com",
"ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq",
"ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com",
"ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site",
"ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com",
"ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site",
"ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com",
"nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site",
"owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com",
"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com",
"product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com",
"rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com",
"settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml",
"sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com",
"store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com",
"thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz",
"travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
"web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
"ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website",
"microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com",
"ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com",
"youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl in~ (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPCustomEntity = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| where msg_s has_any (DomainNames)
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
| extend IPCustomEntity = SourceIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
| extend
ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
SourcePort = tostring(SourcePortInt),
QueryID = tostring(QueryID)
| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
| order by TimeGenerated
| extend IPCustomEntity = SourceIP
),
(AZFWApplicationRule
| where Fqdn has_any (DomainNames)
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
tags:
- SchemaVersion: 0.1.1
Schema: ASIMDns
version: 2.0.0
name: '[Deprecated] - Known Barium domains'
severity: High
kind: Scheduled
queryPeriod: 1d
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |2
let DomainNames = dynamic(["0.ns1.dns-info.gq", "1.ns1.dns-info.gq", "10.ns1.dns-info.gq", "102.ns1.dns-info.gq",
"104.ns1.dns-info.gq", "11.ns1.dns-info.gq", "110.ns1.dns-info.gq", "115.ns1.dns-info.gq", "116.ns1.dns-info.gq",
"117.ns1.dns-info.gq", "118.ns1.dns-info.gq", "12.ns1.dns-info.gq", "120.ns1.dns-info.gq", "122.ns1.dns-info.gq",
"123.ns1.dns-info.gq", "128.ns1.dns-info.gq", "13.ns1.dns-info.gq", "134.ns1.dns-info.gq", "135.ns1.dns-info.gq",
"138.ns1.dns-info.gq", "14.ns1.dns-info.gq", "144.ns1.dns-info.gq", "15.ns1.dns-info.gq", "153.ns1.dns-info.gq",
"157.ns1.dns-info.gq", "16.ns1.dns-info.gq", "17.ns1.dns-info.gq", "18.ns1.dns-info.gq", "19.ns1.dns-info.gq",
"1a9604fa.ns1.feedsdns.com", "1c7606b6.ns1.steamappstore.com", "2.ns1.dns-info.gq", "20.ns1.dns-info.gq",
"201.ns1.dns-info.gq", "202.ns1.dns-info.gq", "204.ns1.dns-info.gq", "207.ns1.dns-info.gq", "21.ns1.dns-info.gq",
"210.ns1.dns-info.gq", "211.ns1.dns-info.gq", "216.ns1.dns-info.gq", "22.ns1.dns-info.gq", "220.ns1.dns-info.gq",
"223.ns1.dns-info.gq", "23.ns1.dns-info.gq", "24.ns1.dns-info.gq", "25.ns1.dns-info.gq", "26.ns1.dns-info.gq",
"27.ns1.dns-info.gq", "28.ns1.dns-info.gq", "29.ns1.dns-info.gq", "3.ns1.dns-info.gq", "30.ns1.dns-info.gq",
"31.ns1.dns-info.gq", "32.ns1.dns-info.gq", "33.ns1.dns-info.gq", "34.ns1.dns-info.gq", "35.ns1.dns-info.gq",
"36.ns1.dns-info.gq", "37.ns1.dns-info.gq", "39.ns1.dns-info.gq", "3d6fe4b2.ns1.steamappstore.com",
"4.ns1.dns-info.gq", "40.ns1.dns-info.gq", "42.ns1.dns-info.gq", "43.ns1.dns-info.gq", "44.ns1.dns-info.gq",
"45.ns1.dns-info.gq", "46.ns1.dns-info.gq", "48.ns1.dns-info.gq", "5.ns1.dns-info.gq", "50.ns1.dns-info.gq",
"50417.service.gstatic.dnset.com", "51.ns1.dns-info.gq", "52.ns1.dns-info.gq", "53.ns1.dns-info.gq",
"54.ns1.dns-info.gq", "55.ns1.dns-info.gq", "56.ns1.dns-info.gq", "57.ns1.dns-info.gq", "58.ns1.dns-info.gq",
"6.ns1.dns-info.gq", "60.ns1.dns-info.gq", "62.ns1.dns-info.gq", "63.ns1.dns-info.gq", "64.ns1.dns-info.gq",
"65.ns1.dns-info.gq", "67.ns1.dns-info.gq", "7.ns1.dns-info.gq", "70.ns1.dns-info.gq", "71.ns1.dns-info.gq",
"73.ns1.dns-info.gq", "77.ns1.dns-info.gq", "77075.service.gstatic.dnset.com", "7c1947fa.ns1.steamappstore.com",
"8.ns1.dns-info.gq", "81.ns1.dns-info.gq", "86.ns1.dns-info.gq", "87.ns1.dns-info.gq", "9.ns1.dns-info.gq",
"94343.service.gstatic.dnset.com", "9939.service.gstatic.dnset.com", "aa.ns.mircosoftdoc.com",
"aaa.feeds.api.ns1.feedsdns.com", "aaa.googlepublic.feeds.ns1.dns-info.gq",
"aaa.resolution.174547._get.cache.up.sourcedns.tk", "acc.microsoftonetravel.com",
"accounts.longmusic.com", "admin.dnstemplog.com", "agent.updatenai.com",
"alibaba.zzux.com", "api.feedsdns.com", "app.portomnail.com", "asia.updatenai.com",
"battllestategames.com", "bguha.serveuser.com", "binann-ce.com", "bing.dsmtp.com",
"blog.cdsend.xyz", "brives.minivineyapp.com", "bsbana.dynamic-dns.net",
"californiaforce.000webhostapp.com", "californiafroce.000webhostapp.com",
"cdn.freetcp.com", "cdsend.xyz", "cipla.zzux.com", "cloudfeeddns.com", "comcleanner.info",
"cs.microsoftsonline.net", "dns-info.gq", "dns05.cf", "dns22.ml", "dns224.com",
"dnsdist.org", "dnstemplog.com", "doc.mircosoftdoc.com", "dropdns.com",
"eshop.cdn.freetcp.com", "exchange.dumb1.com", "exchange.misecure.com", "exchange.mrbasic.com",
"facebookdocs.com", "facebookint.com", "facebookvi.com", "feed.ns1.dns-info.gq", "feedsdns.com",
"firejun.freeddns.com", "ftp.dns-info.dyndns.pro", "goallbandungtravel.com", "goodhk.azurewebsites.net",
"googlepublic.feed.ns1.dns-info.gq", "gp.spotifylite.cloud", "gskytop.com", "gstatic.dnset.com",
"gxxservice.com", "helpdesk.cdn.freetcp.com", "id.serveuser.com", "infestexe.com", "item.itemdb.com",
"m.mircosoftdoc.com", "mail.transferdkim.xyz", "mcafee.updatenai.com", "mecgjm.mircosoftdoc.com",
"microdocs.ga", "microsock.website", "microsocks.net", "microsoft.sendsmtp.com",
"microsoftbook.dns05.com", "microsoftcontactcenter.com", "microsoftdocs.dns05.com", "microsoftdocs.ml",
"microsoftonetravel.com", "microsoftonlines.net", "microsoftprod.com", "microsofts.dns1.us", "microsoftsonline.net",
"minivineyapp.com", "mircosoftdoc.com", "mircosoftdocs.com", "mlcrosoft.ninth.biz", "mlcrosoft.site",
"mm.portomnail.com", "msdnupdate.com", "msecdn.cloud", "mtnl1.dynamic-dns.net", "ns.gstatic.dnset.com",
"ns.microsoftprod.com", "ns.steamappstore.com", "ns1.cdn.freetcp.com", "ns1.comcleanner.info", "ns1.dns-info.gq",
"ns1.dns05.cf", "ns1.dnstemplog.com", "ns1.dropdns.com", "ns1.microsoftonetravel.com",
"ns1.microsoftonlines.net", "ns1.microsoftprod.com", "ns1.microsoftsonline.net", "ns1.mlcrosoft.site",
"ns1.teams.wikaba.com", "ns1.windowsdefende.com", "ns2.comcleanner.info", "ns2.dnstemplog.com",
"ns2.microsoftonetravel.com", "ns2.microsoftprod.com", "ns2.microsoftsonline.net", "ns2.mlcrosoft.site",
"ns2.windowsdefende.com", "ns3.microsoftprod.com", "ns3.mlcrosoft.site", "nutrition.mrbasic.com",
"nutrition.youdontcare.com", "online.mlcrosoft.site", "online.msdnupdate.com", "outlookservce.site",
"owa.jetos.com", "owa.otzo.com", "pornotime.co", "portomnail.com",
"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com", "pricingdmdk.com", "prod.microsoftprod.com",
"product.microsoftprod.com", "ptcl.yourtrap.com", "query.api.sourcedns.tk", "rb.itemdb.com", "redditcdn.com",
"rss.otzo.com", "secure.msdnupdate.com", "service.dns22.ml", "service.gstatic.dnset.com", "service04.dns04.com",
"settings.teams.wikaba.com", "sip.outlookservce.site", "sixindent.epizy.com", "soft.msdnupdate.com", "sourcedns.ml",
"sourcedns.tk", "sport.msdnupdate.com", "spotifylite.cloud", "static.misecure.com", "steamappstore.com",
"store.otzo.com", "survey.outlookservce.site", "team.itemdb.com", "temp221.com", "test.microsoftprod.com",
"thisisaaa.000webhostapp.com", "token.dns04.com", "token.dns05.com", "transferdkim.xyz",
"travelsanignacio.com", "update08.com", "updated08.com", "updatenai.com", "wantforspeed.com",
"web.mircosoftdoc.com", "webmail.pornotime.co", "webwhois.team.itemdb.com", "windowsdefende.com", "wnswindows.com",
"ashcrack.freetcp.com", "battllestategames.com", "binannce.com", "cdsend.xyz", "comcleanner.info", "microsock.website",
"microsocks.net", "microsoftsonline.net", "mlcrosoft.site", "notify.serveuser.com", "ns1.microsoftprod.com",
"ns2.microsoftprod.com", "pricingdmdk.com", "steamappstore.com", "update08.com", "wnswindows.com",
"youtube.dns05.com", "z1.zalofilescdn.com", "z2.zalofilescdn.com", "zalofilescdn.com"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress = SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl in~ (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPCustomEntity = SourceHost
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| where msg_s has_any (DomainNames)
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
| extend IPCustomEntity = SourceIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
| extend
ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
SourcePort = tostring(SourcePortInt),
QueryID = tostring(QueryID)
| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
| order by TimeGenerated
| extend IPCustomEntity = SourceIP
),
(AZFWApplicationRule
| where Fqdn has_any (DomainNames)
| extend IPCustomEntity = SourceIp
),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend DNSName = QueryName
| extend IPCustomEntity = SourceIp
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
tactics:
- CommandAndControl
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml
requiredDataConnectors:
- connectorId: SquidProxy
dataTypes:
- SquidProxy_CL
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWDnsQuery
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
status: Available
queryFrequency: 1d
id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70b12a3b-4899-42cb-910c-5ffaf9d7997d')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "[Deprecated] - Known Barium domains",
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"severity": "High",
"enabled": true,
"query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (_Im_Dns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (_Im_WebSession (url_has_any=DomainNames)\n | extend DNSName = tostring(parse_url(Url)[\"Host\"])\n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ (DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallNetworkRule\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n | parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n | parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n | parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule \n | extend IPCustomEntity = SourceIP\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\n | extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n | order by TimeGenerated\n | extend IPCustomEntity = SourceIP\n ),\n (AZFWApplicationRule\n | where Fqdn has_any (DomainNames)\n | extend IPCustomEntity = SourceIp\n ),\n (AZFWDnsQuery\n | where isnotempty(QueryName)\n | where QueryName has_any (DomainNames)\n | extend DNSName = QueryName\n | extend IPCustomEntity = SourceIp\n )\n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml",
"templateVersion": "2.0.0",
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
}
]
}
}
]
}