Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

[Deprecated] - Denim Tsunami C2 Domains July 2022

Back
Idce02935c-cc67-4b77-9b96-93d9947e119a
Rulename[Deprecated] - Denim Tsunami C2 Domains July 2022
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureMonitor(VMInsights)
DNS
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml
Version2.0.0
Arm templatece02935c-cc67-4b77-9b96-93d9947e119a.json
Deploy To Azure
let DomainNames = dynamic(["acrobatrelay.com", "finconsult.cc", "realmetaldns.com"]); 
(union isfuzzy=true 
(CommonSecurityLog  
| parse Message with * '(' DNSName ')' *  
| where DNSName in~ (DomainNames) 
| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
), 
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery 
| extend IPAddress =  SrcIpAddr, Computer = Dvc
), 
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress =  SrcIpAddr, Computer = Dvc
), 
(VMConnection  
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
| where isnotempty(DNSName) 
| where DNSName  in~ (DomainNames) 
| extend IPAddress = RemoteIp 
), 
( 
 DeviceNetworkEvents 
| where isnotempty(RemoteUrl) 
| where RemoteUrl  has_any (DomainNames)  
| extend IPAddress = RemoteIP 
| extend Computer = DeviceName 
),
(AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)  
| extend DNSName = DestinationHost 
| extend IPAddress = SourceHost
) 
) 
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
kind: Scheduled
status: Available
requiredDataConnectors:
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1d
version: 2.0.0
id: ce02935c-cc67-4b77-9b96-93d9947e119a
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml
relevantTechniques:
- T1071
query: |
  let DomainNames = dynamic(["acrobatrelay.com", "finconsult.cc", "realmetaldns.com"]); 
  (union isfuzzy=true 
  (CommonSecurityLog  
  | parse Message with * '(' DNSName ')' *  
  | where DNSName in~ (DomainNames) 
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
  ), 
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DNSName = DnsQuery 
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ), 
  (_Im_WebSession (url_has_any=DomainNames)
  | extend DNSName = tostring(parse_url(Url)["Host"])
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ), 
  (VMConnection  
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
  | where isnotempty(DNSName) 
  | where DNSName  in~ (DomainNames) 
  | extend IPAddress = RemoteIp 
  ), 
  ( 
   DeviceNetworkEvents 
  | where isnotempty(RemoteUrl) 
  | where RemoteUrl  has_any (DomainNames)  
  | extend IPAddress = RemoteIP 
  | extend Computer = DeviceName 
  ),
  (AzureDiagnostics 
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)  
  | extend DNSName = DestinationHost 
  | extend IPAddress = SourceHost
  ) 
  ) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress   
name: '[Deprecated] - Denim Tsunami C2 Domains July 2022'
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
severity: High
tags:
- Denim Tsunami
triggerThreshold: 0
tactics:
- CommandAndControl
queryPeriod: 1d
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce02935c-cc67-4b77-9b96-93d9947e119a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce02935c-cc67-4b77-9b96-93d9947e119a')]",
      "properties": {
        "alertRuleTemplateName": "ce02935c-cc67-4b77-9b96-93d9947e119a",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] - Denim Tsunami C2 Domains July 2022",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml",
        "query": "let DomainNames = dynamic([\"acrobatrelay.com\", \"finconsult.cc\", \"realmetaldns.com\"]); \n(union isfuzzy=true \n(CommonSecurityLog  \n| parse Message with * '(' DNSName ')' *  \n| where DNSName in~ (DomainNames) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP \n), \n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery \n| extend IPAddress =  SrcIpAddr, Computer = Dvc\n), \n(_Im_WebSession (url_has_any=DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress =  SrcIpAddr, Computer = Dvc\n), \n(VMConnection  \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n| where isnotempty(DNSName) \n| where DNSName  in~ (DomainNames) \n| extend IPAddress = RemoteIp \n), \n( \n DeviceNetworkEvents \n| where isnotempty(RemoteUrl) \n| where RemoteUrl  has_any (DomainNames)  \n| extend IPAddress = RemoteIP \n| extend Computer = DeviceName \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames)  \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n) \n) \n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          "Denim Tsunami"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}