Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Known Seashell Blizzard IP

Back
Id7ee72a9e-2e54-459c-bc8a-8c08a6532a63
Rulename[Deprecated] - Known Seashell Blizzard IP
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
Required data connectorsAWS
AWSS3
AzureActiveDirectory
AzureActivity
AzureFirewall
AzureMonitor(IIS)
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftSysmonForLinux
MicrosoftThreatProtection
NXLogDnsLogs
Office365
PaloAltoNetworks
SecurityEvents
SquidProxy
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SeashellBlizzardIOCs.yaml
Version2.0.0
Arm template7ee72a9e-2e54-459c-bc8a-8c08a6532a63.json
Deploy To Azure
let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]);
(union isfuzzy=true
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message") 
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field") 
),
(OfficeActivity
|extend SourceIPAddress = ClientIP, Account = UserId
| where  SourceIPAddress in (IPList)
| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account
),
(_Im_Dns (response_has_any_prefix=IPList)
| extend DestinationIPAddress = DnsResponseName,  Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User
),
(_Im_WebSession (srcipaddr_has_any_prefix=IPList)
| extend DestinationIPAddress = DstIpAddr,  Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)
| extend DestinationIPAddress = DstIpAddr,  Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)
| extend DestinationIPAddress = DstIpAddr,  Host = Dvc
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
),
(SigninLogs
| where isnotempty(IPAddress)
| where IPAddress in (IPList)
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
),
(AADNonInteractiveUserSignInLogs
| where isnotempty(IPAddress)
| where IPAddress in (IPList)
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
),
(W3CIISLog 
| where isnotempty(cIP)
| where cIP in (IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(AzureActivity 
| where isnotempty(CallerIpAddress)
| where CallerIpAddress in (IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller
),
(
AWSCloudTrail
| where isnotempty(SourceIpAddress)
| where SourceIpAddress in (IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (IPList)  
| extend DestinationIP = DestinationHost 
| extend IPCustomEntity = SourceHost
),
(
AZFWApplicationRule
| where isnotempty(Fqdn)
| where Fqdn has_any (IPList)  
| extend DestinationIP = Fqdn 
| extend IPCustomEntity = SourceIp
),
(AZFWNetworkRule
| where isnotempty(DestinationIp)
| where DestinationIp  has_any (IPList)  
| extend DestinationIP = DestinationIp 
| extend IPCustomEntity = SourceIp
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
| where SourceIP in (IPList) or DestinationIP in (IPList) 
| extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None") 
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
)
)
name: '[Deprecated] - Known Seashell Blizzard IP'
triggerOperator: gt
status: Available
query: |
  let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]);
  (union isfuzzy=true
  (CommonSecurityLog
  | where isnotempty(SourceIP) or isnotempty(DestinationIP)
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message") 
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field") 
  ),
  (OfficeActivity
  |extend SourceIPAddress = ClientIP, Account = UserId
  | where  SourceIPAddress in (IPList)
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account
  ),
  (_Im_Dns (response_has_any_prefix=IPList)
  | extend DestinationIPAddress = DnsResponseName,  Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User
  ),
  (_Im_WebSession (srcipaddr_has_any_prefix=IPList)
  | extend DestinationIPAddress = DstIpAddr,  Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
  ),
  (_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)
  | extend DestinationIPAddress = DstIpAddr,  Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
  ),
  (_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)
  | extend DestinationIPAddress = DstIpAddr,  Host = Dvc
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host
  ),
  (SigninLogs
  | where isnotempty(IPAddress)
  | where IPAddress in (IPList)
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
  ),
  (AADNonInteractiveUserSignInLogs
  | where isnotempty(IPAddress)
  | where IPAddress in (IPList)
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
  ),
  (W3CIISLog 
  | where isnotempty(cIP)
  | where cIP in (IPList)
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
  ),
  (AzureActivity 
  | where isnotempty(CallerIpAddress)
  | where CallerIpAddress in (IPList)
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller
  ),
  (
  AWSCloudTrail
  | where isnotempty(SourceIpAddress)
  | where SourceIpAddress in (IPList)
  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
  ),
  (
  AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (IPList)  
  | extend DestinationIP = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
  (
  AZFWApplicationRule
  | where isnotempty(Fqdn)
  | where Fqdn has_any (IPList)  
  | extend DestinationIP = Fqdn 
  | extend IPCustomEntity = SourceIp
  ),
  (AZFWNetworkRule
  | where isnotempty(DestinationIp)
  | where DestinationIp  has_any (IPList)  
  | extend DestinationIP = DestinationIp 
  | extend IPCustomEntity = SourceIp
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 3
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
  | where SourceIP in (IPList) or DestinationIP in (IPList) 
  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None") 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
  )
  )  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SeashellBlizzardIOCs.yaml
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerThreshold: 0
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
id: 7ee72a9e-2e54-459c-bc8a-8c08a6532a63
kind: Scheduled
severity: High
version: 2.0.0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
queryFrequency: 1d
queryPeriod: 1d
requiredDataConnectors:
- datatypes:
  - AWSVPCFlow
  connectorId: AWSS3
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - Syslog
  connectorId: MicrosoftSysmonForLinux
- dataTypes:
  - OfficeActivity
  connectorId: Office365
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - AADNonInteractiveUserSignInLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)
- dataTypes:
  - AzureActivity
  connectorId: AzureActivity
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
tactics:
- CommandAndControl
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ee72a9e-2e54-459c-bc8a-8c08a6532a63')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ee72a9e-2e54-459c-bc8a-8c08a6532a63')]",
      "properties": {
        "alertRuleTemplateName": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Known Seashell Blizzard IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SeashellBlizzardIOCs.yaml",
        "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where  SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName,  Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\n),\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr,  Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr,  Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr,  Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)  \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (IPList)  \n| extend DestinationIP = Fqdn \n| extend IPCustomEntity = SourceIp\n),\n(AZFWNetworkRule\n| where isnotempty(DestinationIp)\n| where DestinationIp  has_any (IPList)  \n| extend DestinationIP = DestinationIp \n| extend IPCustomEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n)\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}