Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - SUNSPOT log file creation

[Deprecated] - SUNSPOT log file creation

Back
Idc0e84221-f240-4dd7-ab1e-37e034ea2a4e
Rulename[Deprecated] - SUNSPOT log file creation
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityMedium
TacticsPersistence
TechniquesT1554
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml
Version2.0.0
Arm templatec0e84221-f240-4dd7-ab1e-37e034ea2a4e.json
Deploy To Azure
union isfuzzy=true
(DeviceFileEvents
| where FolderPath endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
(WindowsEvent
| where EventID == 4663 and EventData has "vmware-vmdmp.log"
| extend ObjectName = tostring(EventData.ObjectName) 
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(SecurityEvent
| where EventID == 4663
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(imFileEvent
| where TargetFileName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
)

query: |
  union isfuzzy=true
  (DeviceFileEvents
  | where FolderPath endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
  (WindowsEvent
  | where EventID == 4663 and EventData has "vmware-vmdmp.log"
  | extend ObjectName = tostring(EventData.ObjectName) 
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (SecurityEvent
  | where EventID == 4663
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (imFileEvent
  | where TargetFileName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
  )  
queryPeriod: 1d
queryFrequency: 1d
status: Available
id: c0e84221-f240-4dd7-ab1e-37e034ea2a4e
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
relevantTechniques:
- T1554
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
name: '[Deprecated] - SUNSPOT log file creation'
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
tactics:
- Persistence
tags:
- Solorigate
- NOBELIUM
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
severity: Medium
triggerThreshold: 0
version: 2.0.0
kind: Scheduled
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "properties": {
        "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - SUNSPOT log file creation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml",
        "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(WindowsEvent\n| where EventID == 4663 and EventData has \"vmware-vmdmp.log\"\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1554"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}