Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

AV detections related to Ukraine threats

Id: b6685757-3ed1-4b05-a5bd-2cacadc86c2a
Rulename: AV detections related to Ukraine threats
Description: This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.

Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/
Severity: High
Tactics: Impact
Techniques: T1485
Required data connectors: MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml
Version: 1.1.3
Arm template: b6685757-3ed1-4b05-a5bd-2cacadc86c2a.json
Query:
let UA_threats = dynamic(["FoxBlade", "WhisperGate", "Lasainraw", "SonicVote", "CaddyWiper", "AprilAxe", "FiberLake", "Industroyer", "DesertBlade"]);
SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in~ (UA_threats)
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
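The rule above depends on three things being true of an alert row: ProviderName is "MDATP" (Defender for Endpoint), ExtendedProperties carries a ThreatFamilyName, and CompromisedEntity is a host name that may or may not be fully qualified. The following KQL is an added test harness, not part of the rule or the Azure-Sentinel repository: it replaces the SecurityAlert table with a constructed datatable of four alert rows (sample data, not real alerts) and runs the rule's own filtering and host-splitting logic over them, so the behaviour of each filter can be checked in Log Analytics without waiting for a real detection.

```kql
// Added test harness for the rule logic. SampleAlerts is constructed data
// standing in for SecurityAlert; only the columns the rule reads are present.
let UA_threats = dynamic(["FoxBlade", "WhisperGate", "Lasainraw", "SonicVote", "CaddyWiper", "AprilAxe", "FiberLake", "Industroyer", "DesertBlade"]);
let SampleAlerts = datatable(TimeGenerated:datetime, ProviderName:string, AlertName:string, CompromisedEntity:string, ExtendedProperties:string)
[
    // 1: FQDN host, family in the list -> expected to match, split into host + DNS domain
    datetime(2022-03-01 10:00:00), "MDATP", "'CaddyWiper' malware was detected", "ws01.corp.contoso.com", '{"ThreatFamilyName":"CaddyWiper","Category":"Malware"}',
    // 2: bare host name, lower-case family -> still matches (in~ is case-insensitive); HostNameDomain falls back to the whole entity
    datetime(2022-03-01 10:05:00), "MDATP", "'FoxBlade' malware was detected", "LAPTOP-7", '{"ThreatFamilyName":"foxblade"}',
    // 3: MDATP alert for a family not in the list -> filtered out
    datetime(2022-03-01 10:10:00), "MDATP", "Suspicious PowerShell", "srv02.corp.contoso.com", '{"ThreatFamilyName":"Emotet"}',
    // 4: listed family but a different provider -> filtered out by the ProviderName check
    datetime(2022-03-01 10:15:00), "Azure Security Center", "Industroyer", "plc-gw.ot.contoso.com", '{"ThreatFamilyName":"Industroyer"}',
];
SampleAlerts
| where ProviderName =~ "MDATP"
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in~ (UA_threats)
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project TimeGenerated, ThreatFamilyName, CompromisedEntity, HostName, HostNameDomain
```

Only rows 1 and 2 should survive: row 1 yields HostName "ws01" and HostNameDomain "corp.contoso.com", row 2 yields "LAPTOP-7" for both, which is the fallback the iff() exists for and is what the DnsDomain entity mapping will receive for non-FQDN hosts. Two caveats when deploying: the match is purely on the family name Defender assigns, so any rename or new variant not in UA_threats is missed, and with queryFrequency and queryPeriod both at 1d a wiper detection may surface in Sentinel up to a day after the AV event, which is slow for destructive malware; a shorter frequency with the same period is a reasonable adjustment.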
description: |
  'This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.
    Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ '  
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml
severity: High
name: AV detections related to Ukraine threats
triggerThreshold: 0
queryPeriod: 1d
query: |
  let UA_threats = dynamic(["FoxBlade", "WhisperGate", "Lasainraw", "SonicVote", "CaddyWiper", "AprilAxe", "FiberLake", "Industroyer", "DesertBlade"]);
  SecurityAlert
  | where ProviderName =~ "MDATP"
  | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
  | where ThreatFamilyName in~ (UA_threats)
  | extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)  
relevantTechniques:
- T1485
id: b6685757-3ed1-4b05-a5bd-2cacadc86c2a
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.1.3
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: CompromisedEntity
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain