Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Known Mint Sandstorm group domainsIP - October 2020

Back
Id7249500f-3038-4b83-8549-9cd8dfa2d498
Rulename[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
InitialAccess
TechniquesT1071
T1566
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
DNS
Fortinet
OfficeATP
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml
Version2.0.0
Arm template7249500f-3038-4b83-8549-9cd8dfa2d498.json
Deploy To Azure
let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend RequestURLIP = extract(IPRegex, 0, Message)
| where (isnotempty(DNSName) and DNSName has_any (DomainNames))
  or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
  or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP
),
(DnsEvents
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend timestamp = TimeGenerated , HostCustomEntity = Computer),
(SecurityAlert
| where ProviderName =~ 'OATP'
| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
                    isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
                    isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
                    isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
                    isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
                    isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
                    isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
                    isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
                    isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
                    parse_json(Entities)[9].Upn)
| where Entities has_any (EmailAddresses)
| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
(AzureDiagnostics
| where ResourceType =~ "AZUREFIREWALLS"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| where msg_s has_any (DomainNames)
| extend timestamp = TimeGenerated),
(AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (DomainNames)  
| extend timestamp = TimeGenerated),
(AZFWDnsQuery
| where isnotempty(QueryName)
| where QueryName has_any (DomainNames)
| extend timestamp = TimeGenerated))
name: '[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020'
triggerOperator: gt
status: Available
relevantTechniques:
- T1071
- T1566
query: |
  let DomainNames = dynamic(["de-ma.online", "g20saudi.000webhostapp.com", "ksat20.000webhostapp.com"]);
  let EmailAddresses = dynamic(["munichconference1962@gmail.com","munichconference@outlook.de", "munichconference@outlook.com", "t20saudiarabia@gmail.com", "t20saudiarabia@hotmail.com", "t20saudiarabia@outlook.sa"]);
  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
  (union isfuzzy=true
  (CommonSecurityLog
  | parse Message with * '(' DNSName ')' *
  | extend MessageIP = extract(IPRegex, 0, Message)
  | extend RequestURLIP = extract(IPRegex, 0, Message)
  | where (isnotempty(DNSName) and DNSName has_any (DomainNames))
    or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))
    or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))
  | extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP
  ),
  (DnsEvents
  | extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
  | where DNSName has_any (DomainNames)
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),
  (VMConnection
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where isnotempty(DNSName)
  | where DNSName has_any (DomainNames)
  | extend timestamp = TimeGenerated , HostCustomEntity = Computer),
  (SecurityAlert
  | where ProviderName =~ 'OATP'
  | extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,
                      isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,
                      isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,
                      isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,
                      isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,
                      isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,
                      isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,
                      isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,
                      isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,
                      parse_json(Entities)[9].Upn)
  | where Entities has_any (EmailAddresses)
  | extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),
  (AzureDiagnostics
  | where ResourceType =~ "AZUREFIREWALLS"
  | where msg_s has_any (DomainNames)
  | extend timestamp = TimeGenerated),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallDnsProxy"
  | where msg_s has_any (DomainNames)
  | extend timestamp = TimeGenerated),
  (AZFWApplicationRule
  | where isnotempty(Fqdn)
  | where Fqdn has_any (DomainNames)  
  | extend timestamp = TimeGenerated),
  (AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (DomainNames)
  | extend timestamp = TimeGenerated))  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerThreshold: 0
id: 7249500f-3038-4b83-8549-9cd8dfa2d498
kind: Scheduled
severity: High
version: 2.0.0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
queryFrequency: 1d
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - CommonSecurityLog (Cisco)
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog (PaloAlto)
  connectorId: PaloAltoNetworks
- dataTypes:
  - CommonSecurityLog (Zscaler)
  connectorId: Zscaler
- dataTypes:
  - CommonSecurityLog (Fortinet)
  connectorId: Fortinet
- dataTypes:
  - SecurityAlert (OATP)
  connectorId: OfficeATP
- dataTypes:
  - AzureDiagnostics (Azure Firewall)
  - AZFWApplicationRule
  - AZFWDnsQuery
  connectorId: AzureFirewall
tactics:
- CommandAndControl
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7249500f-3038-4b83-8549-9cd8dfa2d498')]",
      "properties": {
        "alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml",
        "query": "let DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\n  or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\n  or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\n),\n(DnsEvents\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\n                    isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n                    isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n                    isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n                    isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n                    isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n                    isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n                    isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n                    isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n                    parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)  \n| extend timestamp = TimeGenerated),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1071",
          "T1566"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}