Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - Solorigate Domains Found in VM Insights

[Deprecated] - Solorigate Domains Found in VM Insights

Back
Idab4b6944-a20d-42ab-8b63-238426525801
Rulename[Deprecated] - Solorigate Domains Found in VM Insights
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
TechniquesT1102
Required data connectorsAzureMonitor(VMInsights)
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml
Version2.0.0
Arm templateab4b6944-a20d-42ab-8b63-238426525801.json
Deploy To Azure

let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
let timeframe = 1h;
let connections = VMConnection 
    | where TimeGenerated >= ago(timeframe)
    | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))
    | mv-expand DNSName
    | where isnotempty(DNSName)
    | where DNSName has_any (domains)
    | extend IPCustomEntity = RemoteIp
    | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;
let processes = VMProcess
    | where TimeGenerated >= ago(timeframe)
    | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid
    | extend exePathArr = split(ExecutablePath, "\\")
    | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), "\\")
    | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), "\\")
    | project-away exePathArr;
let computers = VMComputer
    | where TimeGenerated >= ago(timeframe)
    | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;
connections | join kind = inner (processes) on AgentId, Machine, Process
            | join kind = inner (computers) on AgentId, Machine
             

kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: DNSName
    identifier: DomainName
- entityType: Process
  fieldMappings:
  - columnName: FirstPid
    identifier: ProcessId
  - columnName: CommandLine
    identifier: CommandLine
- entityType: File
  fieldMappings:
  - columnName: DirectoryName
    identifier: Directory
  - columnName: Filename
    identifier: Name
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
severity: High
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1102
tags:
- Solorigate
- NOBELIUM
status: Available
tactics:
- CommandAndControl
name: '[Deprecated] - Solorigate Domains Found in VM Insights'
id: ab4b6944-a20d-42ab-8b63-238426525801
query: "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n    | where TimeGenerated >= ago(timeframe)\n    | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n    | mv-expand DNSName\n    | where isnotempty(DNSName)\n    | where DNSName has_any (domains)\n    | extend IPCustomEntity = RemoteIp\n    | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n    | where TimeGenerated >= ago(timeframe)\n    | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n    | extend exePathArr = split(ExecutablePath, \"\\\\\")\n    | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n    | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n    | project-away exePathArr;\nlet computers = VMComputer\n    | where TimeGenerated >= ago(timeframe)\n    | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n            | join kind = inner (computers) on AgentId, Machine\n             \n"
requiredDataConnectors:
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - VMProcess
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - VMComputer
  connectorId: AzureMonitor(VMInsights)
version: 2.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab4b6944-a20d-42ab-8b63-238426525801')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab4b6944-a20d-42ab-8b63-238426525801')]",
      "properties": {
        "alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Solorigate Domains Found in VM Insights",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DNSName",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "FirstPid",
                "identifier": "ProcessId"
              },
              {
                "columnName": "CommandLine",
                "identifier": "CommandLine"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "DirectoryName",
                "identifier": "Directory"
              },
              {
                "columnName": "Filename",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml",
        "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n    | where TimeGenerated >= ago(timeframe)\n    | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n    | mv-expand DNSName\n    | where isnotempty(DNSName)\n    | where DNSName has_any (domains)\n    | extend IPCustomEntity = RemoteIp\n    | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n    | where TimeGenerated >= ago(timeframe)\n    | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n    | extend exePathArr = split(ExecutablePath, \"\\\\\")\n    | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n    | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n    | project-away exePathArr;\nlet computers = VMComputer\n    | where TimeGenerated >= ago(timeframe)\n    | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n            | join kind = inner (computers) on AgentId, Machine\n             \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ],
        "techniques": [
          "T1102"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}