[Deprecated] - Known Manganese IP and UserAgent activity
| Id | a04cf847-a832-4c60-b687-b0b6147da219 |
| Rulename | [Deprecated] - Known Manganese IP and UserAgent activity |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | InitialAccess Collection |
| Techniques | T1133 T1114 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Manganese_VPN-IOCs.yaml |
| Version | 2.0.1 |
| Arm template | a04cf847-a832-4c60-b687-b0b6147da219.json |
let IPList = dynamic(["45.63.52.41","140.82.17.161","207.148.101.95","45.32.87.51","66.42.98.156","45.76.144.105","217.163.28.35","45.32.141.174","149.28.165.249","209.250.225.247","45.63.100.115","95.179.229.230","209.250.233.247","45.77.121.232","45.76.175.65","104.238.160.237","45.77.181.97","95.179.192.125","149.28.93.184","140.82.16.81","45.76.173.103","45.77.255.22","45.32.11.71","149.28.77.26","45.32.54.50","104.156.233.156","45.32.21.118","45.63.62.109","45.77.244.202","149.248.11.205","104.238.190.244"]);
let IOCTerms = "\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\?";
(union isfuzzy=true
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)
| extend IPMatch = case(
SourceIP in (IPList), "SourceIP",
DestinationIP in (IPList), "DestinationIP",
"Message")
| where Message matches regex IOCTerms
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(OfficeActivity
| where isnotempty(UserAgent) and ClientIP in (IPList)
| where UserAgent contains "ExchangeServicesClient/0.0.0.0"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = "ClientIP"
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP
)
)
query: |
let IPList = dynamic(["45.63.52.41","140.82.17.161","207.148.101.95","45.32.87.51","66.42.98.156","45.76.144.105","217.163.28.35","45.32.141.174","149.28.165.249","209.250.225.247","45.63.100.115","95.179.229.230","209.250.233.247","45.77.121.232","45.76.175.65","104.238.160.237","45.77.181.97","95.179.192.125","149.28.93.184","140.82.16.81","45.76.173.103","45.77.255.22","45.32.11.71","149.28.77.26","45.32.54.50","104.156.233.156","45.32.21.118","45.63.62.109","45.77.244.202","149.248.11.205","104.238.190.244"]);
let IOCTerms = "\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\?";
(union isfuzzy=true
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)
| extend IPMatch = case(
SourceIP in (IPList), "SourceIP",
DestinationIP in (IPList), "DestinationIP",
"Message")
| where Message matches regex IOCTerms
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(OfficeActivity
| where isnotempty(UserAgent) and ClientIP in (IPList)
| where UserAgent contains "ExchangeServicesClient/0.0.0.0"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = "ClientIP"
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP
)
)
queryPeriod: 1d
queryFrequency: 1d
status: Available
id: a04cf847-a832-4c60-b687-b0b6147da219
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
relevantTechniques:
- T1133
- T1114
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Manganese_VPN-IOCs.yaml
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
name: '[Deprecated] - Known Manganese IP and UserAgent activity'
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
tactics:
- InitialAccess
- Collection
severity: High
triggerThreshold: 0
version: 2.0.1
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a04cf847-a832-4c60-b687-b0b6147da219')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a04cf847-a832-4c60-b687-b0b6147da219')]",
"properties": {
"alertRuleTemplateName": "a04cf847-a832-4c60-b687-b0b6147da219",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Known Manganese IP and UserAgent activity",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Manganese_VPN-IOCs.yaml",
"query": "let IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\",\nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\")\n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"InitialAccess"
],
"techniques": [
"T1114",
"T1133"
],
"templateVersion": "2.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}