Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SUNSPOT log file creation

Back
Idc0e84221-f240-4dd7-ab1e-37e034ea2a4e
RulenameSUNSPOT log file creation
DescriptionThis query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.

More details:

- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

- https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807
SeverityMedium
TacticsPersistence
TechniquesT1554
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml
Version1.2.2
Arm templatec0e84221-f240-4dd7-ab1e-37e034ea2a4e.json
Deploy To Azure
union isfuzzy=true
(DeviceFileEvents
| where FolderPath endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
(WindowsEvent
| where EventID == 4663 and EventData has "vmware-vmdmp.log"
| extend ObjectName = tostring(EventData.ObjectName) 
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(SecurityEvent
| where EventID == 4663
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(imFileEvent
| where TargetFileName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
)
triggerOperator: gt
id: c0e84221-f240-4dd7-ab1e-37e034ea2a4e
queryFrequency: 1d
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
requiredDataConnectors:
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
severity: Medium
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml
query: |
  union isfuzzy=true
  (DeviceFileEvents
  | where FolderPath endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
  (WindowsEvent
  | where EventID == 4663 and EventData has "vmware-vmdmp.log"
  | extend ObjectName = tostring(EventData.ObjectName) 
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (SecurityEvent
  | where EventID == 4663
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (imFileEvent
  | where TargetFileName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
  )  
description: |
  'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.
  More details: 
    - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
    - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'  
name: SUNSPOT log file creation
relevantTechniques:
- T1554
tactics:
- Persistence
version: 1.2.2
tags:
- Solorigate
- NOBELIUM
- Schema: ASIMFileEvent
  SchemaVersion: 0.1.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "SUNSPOT log file creation",
        "description": "'This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n  - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n  - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(WindowsEvent\n| where EventID == 4663 and EventData has \"vmware-vmdmp.log\"\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1554"
        ],
        "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml",
        "templateVersion": "1.2.2",
        "tags": [
          "Solorigate",
          "NOBELIUM",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "status": "Available"
      }
    }
  ]
}