Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - Solorigate Network Beacon

[Deprecated] - Solorigate Network Beacon

Back
Idcecdbd4c-4902-403c-8d4b-32eb1efe460b
Rulename[Deprecated] - Solorigate Network Beacon
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
TechniquesT1102
Required data connectorsAzureFirewall
AzureMonitor(VMInsights)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftThreatProtection
NXLogDnsLogs
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-Network-Beacon.yaml
Version2.0.0
Arm templatececdbd4c-4902-403c-8d4b-32eb1efe460b.json
Deploy To Azure
let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
(union isfuzzy=true
(CommonSecurityLog 
  | parse Message with * '(' DNSName ')' * 
  | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)
  | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP
  ),
(_Im_Dns (domain_has_any=domains)
  | extend DNSName = DnsQuery
  | extend IPCustomEntity = SrcIpAddr
  ),
(VMConnection 
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where isnotempty(DNSName)
  | where DNSName in~ (domains)
  | extend IPCustomEntity = RemoteIp
  ),
(DeviceNetworkEvents 
  | where isnotempty(RemoteUrl) 
  | where RemoteUrl  has_any (domains)  
  | extend DNSName = RemoteUrl
  | extend IPCustomEntity = RemoteIP 
  | extend HostCustomEntity = DeviceName 
  ),
(AzureDiagnostics 
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (domains)  
  | extend DNSName = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
(AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallNetworkRule"
  | where msg_s has_any (domains)
  | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
  | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
  | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
  | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule 
  | extend DNSName = TargetIP 
  | extend IPCustomEntity = SourceIP
  ),
(AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallDnsProxy"
  | where msg_s has_any (domains)
  | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
  | extend
      ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
      SourcePort = tostring(SourcePortInt),
      QueryID =  tostring(QueryID)
  | extend DNSName = hostname
  | extend IPCustomEntity = SourceIP
  | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
  | order by TimeGenerated
  ),
(AZFWApplicationRule
  | where Fqdn has_any (domains)
  | extend DNSName = Fqdn
  | extend IPCustomEntity = SourceIp
  ),
(AZFWDnsQuery
  | where isnotempty(QueryName)
  | where QueryName has_any (domains)
  | extend DNSName = QueryName
  | extend IPCustomEntity = SourceIp
  )
  )

kind: Scheduled
severity: High
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
triggerThreshold: 0
tags:
- Solorigate
- NOBELIUM
- SchemaVersion: 0.1.1
  Schema: ASIMDns
status: Available
query: |
  let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);
  (union isfuzzy=true
  (CommonSecurityLog 
    | parse Message with * '(' DNSName ')' * 
    | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)
    | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP
    ),
  (_Im_Dns (domain_has_any=domains)
    | extend DNSName = DnsQuery
    | extend IPCustomEntity = SrcIpAddr
    ),
  (VMConnection 
    | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
    | where isnotempty(DNSName)
    | where DNSName in~ (domains)
    | extend IPCustomEntity = RemoteIp
    ),
  (DeviceNetworkEvents 
    | where isnotempty(RemoteUrl) 
    | where RemoteUrl  has_any (domains)  
    | extend DNSName = RemoteUrl
    | extend IPCustomEntity = RemoteIP 
    | extend HostCustomEntity = DeviceName 
    ),
  (AzureDiagnostics 
    | where ResourceType == "AZUREFIREWALLS"
    | where Category == "AzureFirewallApplicationRule"
    | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
    | where isnotempty(DestinationHost)
    | where DestinationHost has_any (domains)  
    | extend DNSName = DestinationHost 
    | extend IPCustomEntity = SourceHost
    ),
  (AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS"
    | where Category == "AzureFirewallNetworkRule"
    | where msg_s has_any (domains)
    | parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
    | parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
    | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
    | parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule 
    | extend DNSName = TargetIP 
    | extend IPCustomEntity = SourceIP
    ),
  (AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS"
    | where Category == "AzureFirewallDnsProxy"
    | where msg_s has_any (domains)
    | parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
    | extend
        ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
        SourcePort = tostring(SourcePortInt),
        QueryID =  tostring(QueryID)
    | extend DNSName = hostname
    | extend IPCustomEntity = SourceIP
    | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
    | order by TimeGenerated
    ),
  (AZFWApplicationRule
    | where Fqdn has_any (domains)
    | extend DNSName = Fqdn
    | extend IPCustomEntity = SourceIp
    ),
  (AZFWDnsQuery
    | where isnotempty(QueryName)
    | where QueryName has_any (domains)
    | extend DNSName = QueryName
    | extend IPCustomEntity = SourceIp
    )
    )  
relevantTechniques:
- T1102
version: 2.0.0
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: DomainName
    columnName: DNSName
  entityType: DNS
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWDnsQuery
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
queryPeriod: 6h
tactics:
- CommandAndControl
name: '[Deprecated] - Solorigate Network Beacon'
queryFrequency: 6h
id: cecdbd4c-4902-403c-8d4b-32eb1efe460b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-Network-Beacon.yaml