[Deprecated] - SUNSPOT log file creation
| Id | c0e84221-f240-4dd7-ab1e-37e034ea2a4e |
| Rulename | [Deprecated] - SUNSPOT log file creation |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1554 |
| Required data connectors | MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml |
| Version | 2.0.0 |
| Arm template | c0e84221-f240-4dd7-ab1e-37e034ea2a4e.json |
union isfuzzy=true
(DeviceFileEvents
| where FolderPath endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
(WindowsEvent
| where EventID == 4663 and EventData has "vmware-vmdmp.log"
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(SecurityEvent
| where EventID == 4663
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(imFileEvent
| where TargetFileName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
)
status: Available
queryFrequency: 1d
id: c0e84221-f240-4dd7-ab1e-37e034ea2a4e
tactics:
- Persistence
entityMappings:
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvents
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml
version: 2.0.0
tags:
- Solorigate
- NOBELIUM
- SchemaVersion: 0.1.0
Schema: ASIMFileEvent
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
relevantTechniques:
- T1554
triggerThreshold: 0
queryPeriod: 1d
triggerOperator: gt
name: '[Deprecated] - SUNSPOT log file creation'
severity: Medium
kind: Scheduled
query: |
union isfuzzy=true
(DeviceFileEvents
| where FolderPath endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
(WindowsEvent
| where EventID == 4663 and EventData has "vmware-vmdmp.log"
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(SecurityEvent
| where EventID == 4663
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(imFileEvent
| where TargetFileName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
)