Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - Denim Tsunami AV Detection

[Deprecated] - Denim Tsunami AV Detection

Back
Id9f9c1e51-4fb1-4510-a675-c7c2fb32f47e
Rulename[Deprecated] - Denim Tsunami AV Detection
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsExecution
TechniquesT1203
Required data connectorsMicrosoftThreatProtection
SecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml
Version2.0.0
Arm template9f9c1e51-4fb1-4510-a675-c7c2fb32f47e.json
Deploy To Azure
let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Medcerc", "SuspModuleLoad", "Mexlib"]);
  let mde_data = (DeviceInfo
    | extend DeviceName = tolower(DeviceName)
    | join kind=rightouter ( SecurityAlert
    | where ProviderName =~ "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
    | where ThreatFamilyName in~ (knotweed_sigs)
    | extend CompromisedEntity = tolower(CompromisedEntity)
    ) on $left.DeviceName == $right.CompromisedEntity);
  let event_data = ( Event
    | where EventID in (1006, 1009, 1116, 1119)
    | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))
    | mv-expand ThreatData
    | where tostring(ThreatData.["@Name"]) == "Threat Name"
    | extend EventData = parse_xml(EventData)
    | where tostring(ThreatData.["#text"]) has_any (knotweed_sigs));
  union mde_data, event_data
  | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.["#text"]))
  | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.["#text"]), "/")[-1])
  | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)
  | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)
  | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName

query: |
  let knotweed_sigs = dynamic(["JumplumpDropper", "Jumplump", "Corelump", "Medcerc", "SuspModuleLoad", "Mexlib"]);
    let mde_data = (DeviceInfo
      | extend DeviceName = tolower(DeviceName)
      | join kind=rightouter ( SecurityAlert
      | where ProviderName =~ "MDATP"
      | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
      | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
      | where ThreatFamilyName in~ (knotweed_sigs)
      | extend CompromisedEntity = tolower(CompromisedEntity)
      ) on $left.DeviceName == $right.CompromisedEntity);
    let event_data = ( Event
      | where EventID in (1006, 1009, 1116, 1119)
      | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))
      | mv-expand ThreatData
      | where tostring(ThreatData.["@Name"]) == "Threat Name"
      | extend EventData = parse_xml(EventData)
      | where tostring(ThreatData.["#text"]) has_any (knotweed_sigs));
    union mde_data, event_data
    | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.["#text"]))
    | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.["#text"]), "/")[-1])
    | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)
    | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)
    | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName  
queryPeriod: 1d
queryFrequency: 1d
status: Available
id: 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: HostName
relevantTechniques:
- T1203
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceInfo
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
name: '[Deprecated] - Denim Tsunami AV Detection'
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
tactics:
- Execution
tags:
- Denim Tsunami
severity: High
triggerThreshold: 0
version: 2.0.0
kind: Scheduled
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e')]",
      "properties": {
        "alertRuleTemplateName": "9f9c1e51-4fb1-4510-a675-c7c2fb32f47e",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Denim Tsunami AV Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml",
        "query": "let knotweed_sigs = dynamic([\"JumplumpDropper\", \"Jumplump\", \"Corelump\", \"Medcerc\", \"SuspModuleLoad\", \"Mexlib\"]);\n  let mde_data = (DeviceInfo\n    | extend DeviceName = tolower(DeviceName)\n    | join kind=rightouter ( SecurityAlert\n    | where ProviderName =~ \"MDATP\"\n    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n    | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n    | where ThreatFamilyName in~ (knotweed_sigs)\n    | extend CompromisedEntity = tolower(CompromisedEntity)\n    ) on $left.DeviceName == $right.CompromisedEntity);\n  let event_data = ( Event\n    | where EventID in (1006, 1009, 1116, 1119)\n    | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\n    | mv-expand ThreatData\n    | where tostring(ThreatData.[\"@Name\"]) == \"Threat Name\"\n    | extend EventData = parse_xml(EventData)\n    | where tostring(ThreatData.[\"#text\"]) has_any (knotweed_sigs));\n  union mde_data, event_data\n  | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\"#text\"]))\n  | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\"#text\"]), \"/\")[-1])\n  | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\n  | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\n  | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "tags": [
          "Denim Tsunami"
        ],
        "techniques": [
          "T1203"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}