[Deprecated] - Denim Tsunami AV Detection
| Id | 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e |
| Rulename | [Deprecated] - Denim Tsunami AV Detection |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | Execution |
| Techniques | T1203 |
| Required data connectors | MicrosoftThreatProtection SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml |
| Version | 2.0.0 |
| Arm template | 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e.json |
let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Medcerc", "SuspModuleLoad", "Mexlib"]);
let mde_data = (DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=rightouter ( SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in~ (knotweed_sigs)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity);
let event_data = ( Event
| where EventID in (1006, 1009, 1116, 1119)
| extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))
| mv-expand ThreatData
| where tostring(ThreatData.["@Name"]) == "Threat Name"
| extend EventData = parse_xml(EventData)
| where tostring(ThreatData.["#text"]) has_any (knotweed_sigs));
union mde_data, event_data
| extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.["#text"]))
| extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.["#text"]), "/")[-1])
| extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)
| extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)
| project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName
id: 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e
tactics:
- Execution
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml
triggerThreshold: 0
name: '[Deprecated] - Denim Tsunami AV Detection'
query: |
let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Medcerc", "SuspModuleLoad", "Mexlib"]);
let mde_data = (DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=rightouter ( SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in~ (knotweed_sigs)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity);
let event_data = ( Event
| where EventID in (1006, 1009, 1116, 1119)
| extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))
| mv-expand ThreatData
| where tostring(ThreatData.["@Name"]) == "Threat Name"
| extend EventData = parse_xml(EventData)
| where tostring(ThreatData.["#text"]) has_any (knotweed_sigs));
union mde_data, event_data
| extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.["#text"]))
| extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.["#text"]), "/")[-1])
| extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)
| extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)
| project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1203
tags:
- Denim Tsunami
queryFrequency: 1d
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceInfo
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
status: Available
version: 2.0.0
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: HostName
entityType: Host
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e')]",
"properties": {
"alertRuleTemplateName": "9f9c1e51-4fb1-4510-a675-c7c2fb32f47e",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Denim Tsunami AV Detection",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml",
"query": "let knotweed_sigs = dynamic([\"JumplumpDropper\", \"Jumplump\", \"Corelump\", \"Medcerc\", \"SuspModuleLoad\", \"Mexlib\"]);\n let mde_data = (DeviceInfo\n | extend DeviceName = tolower(DeviceName)\n | join kind=rightouter ( SecurityAlert\n | where ProviderName =~ \"MDATP\"\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n | where ThreatFamilyName in~ (knotweed_sigs)\n | extend CompromisedEntity = tolower(CompromisedEntity)\n ) on $left.DeviceName == $right.CompromisedEntity);\n let event_data = ( Event\n | where EventID in (1006, 1009, 1116, 1119)\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\n | mv-expand ThreatData\n | where tostring(ThreatData.[\"@Name\"]) == \"Threat Name\"\n | extend EventData = parse_xml(EventData)\n | where tostring(ThreatData.[\"#text\"]) has_any (knotweed_sigs));\n union mde_data, event_data\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\"#text\"]))\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\"#text\"]), \"/\")[-1])\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"Denim Tsunami"
],
"techniques": [
"T1203"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}