[Deprecated] - SUNSPOT log file creation

union isfuzzy=true
(DeviceFileEvents
| where FolderPath endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
(WindowsEvent
| where EventID == 4663 and EventData has "vmware-vmdmp.log"
| extend ObjectName = tostring(EventData.ObjectName) 
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(SecurityEvent
| where EventID == 4663
| where ObjectName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = Computer, timestamp=TimeGenerated),
(imFileEvent
| where TargetFileName endswith "vmware-vmdmp.log"
| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
)

kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml
severity: Medium
tags:
- Solorigate
- NOBELIUM
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
name: '[Deprecated] - SUNSPOT log file creation'
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
relevantTechniques:
- T1554
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
id: c0e84221-f240-4dd7-ab1e-37e034ea2a4e
version: 2.0.0
tactics:
- Persistence
query: |
  union isfuzzy=true
  (DeviceFileEvents
  | where FolderPath endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),
  (WindowsEvent
  | where EventID == 4663 and EventData has "vmware-vmdmp.log"
  | extend ObjectName = tostring(EventData.ObjectName) 
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (SecurityEvent
  | where EventID == 4663
  | where ObjectName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = Computer, timestamp=TimeGenerated),
  (imFileEvent
  | where TargetFileName endswith "vmware-vmdmp.log"
  | extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated
  )  
status: Available
requiredDataConnectors:
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c0e84221-f240-4dd7-ab1e-37e034ea2a4e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "[Deprecated] - SUNSPOT log file creation",
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(WindowsEvent\n| where EventID == 4663 and EventData has \"vmware-vmdmp.log\"\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1554"
        ],
        "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "2.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml",
        "status": "Available",
        "tags": [
          "Solorigate",
          "NOBELIUM",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ]
      }
    }
  ]
}