[Deprecated] - Known Mint Sandstorm group domainsIP - October 2020
| Id | 7249500f-3038-4b83-8549-9cd8dfa2d498 |
| Rulename | [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | CommandAndControl InitialAccess |
| Techniques | T1071 T1566 |
| Required data connectors | AzureFirewall AzureMonitor(VMInsights) CiscoASA DNS Fortinet OfficeATP PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml |
| Version | 2.0.0 |
| Arm template | 7249500f-3038-4b83-8549-9cd8dfa2d498.json |
let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(DNSName) and DNSName has_any (DomainNames))
or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP
),
(DnsEvents
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated , HostCustomEntity = Computer),
(SecurityAlert
| where ProviderName =~ 'OATP'
| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
parse_json(Entities)[9].Upn)
| where Entities has_any (EmailAddresses)
| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
(AzureDiagnostics
| where ResourceType =~ "AZUREFIREWALLS"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend timestamp = TimeGenerated))
relevantTechniques:
- T1071
- T1566
name: '[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020'
requiredDataConnectors:
- dataTypes:
- DnsEvents
connectorId: DNS
- dataTypes:
- VMConnection
connectorId: AzureMonitor(VMInsights)
- dataTypes:
- CommonSecurityLog (Cisco)
connectorId: CiscoASA
- dataTypes:
- CommonSecurityLog (PaloAlto)
connectorId: PaloAltoNetworks
- dataTypes:
- CommonSecurityLog (Zscaler)
connectorId: Zscaler
- dataTypes:
- CommonSecurityLog (Fortinet)
connectorId: Fortinet
- dataTypes:
- SecurityAlert (OATP)
connectorId: OfficeATP
- dataTypes:
- AzureDiagnostics (Azure Firewall)
- AZFWApplicationRule
- AZFWDnsQuery
connectorId: AzureFirewall
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
triggerThreshold: 0
id: 7249500f-3038-4b83-8549-9cd8dfa2d498
tactics:
- CommandAndControl
- InitialAccess
version: 2.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: High
status: Available
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |
let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(DNSName) and DNSName has_any (DomainNames))
or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP
),
(DnsEvents
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated , HostCustomEntity = Computer),
(SecurityAlert
| where ProviderName =~ 'OATP'
| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
parse_json(Entities)[9].Upn)
| where Entities has_any (EmailAddresses)
| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
(AzureDiagnostics
| where ResourceType =~ "AZUREFIREWALLS"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend timestamp = TimeGenerated))
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
"properties": {
"alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml",
"query": "let DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\n),\n(DnsEvents\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames) \n| extend timestamp = TimeGenerated),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess"
],
"techniques": [
"T1071",
"T1566"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}