[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
| Id | d804b39c-03a4-417c-a949-bdbf21fa3305 |
| Rulename | [Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1190 |
| Required data connectors | AWSS3 AzureMonitor(IIS) AzureMonitor(WireData) CEF CheckPoint CiscoASA CiscoUmbrellaDataConnector Corelight DNS F5 Fortinet GCPDNSDataConnector InfobloxNIOS MicrosoftSysmonForLinux NXLogDnsLogs PaloAltoNetworks SecurityEvents WindowsFirewall WindowsForwardedEvents Zscaler |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml |
| Version | 2.0.0 |
| Arm template | d804b39c-03a4-417c-a949-bdbf21fa3305.json |
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
let file_paths = (iocs | where Type =~ "filepath" | project IoC);
let sha256s = (iocs | where Type =~ "sha256" | project IoC);
let ips = (iocs | where Type =~ "ip" | project IoC);
let domains = (iocs | where Type =~ "domainname" | project IoC);
let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where ObjectName in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(WindowsEvent
| where EventID == 4663 and EventData has_any (file_paths)
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName in (file_paths)
| extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(imFileEvent
| where TargetFileName in (file_paths)
or
TargetFileSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where FolderPath in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(DeviceEvents
| where InitiatingProcessSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(CommonSecurityLog
| where FileHash in (sha256s)
| extend timestamp = TimeGenerated
),
(Event // File iocs
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (sha256s)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
| extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(WireData
| where isnotempty(RemoteIP)
| where RemoteIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
),
(W3CIISLog
| where isnotempty(cIP)
| where cIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(
WindowsFirewall
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(
_Im_NetworkSession(srcipaddr_has_any_prefix=ips)
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(
_Im_NetworkSession(dstipaddr_has_any_prefix=ips)
| extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(_Im_Dns(domain_has_any=dyndomains)
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
)
relevantTechniques:
- T1190
name: '[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match'
requiredDataConnectors:
- datatypes:
- AWSVPCFlow
connectorId: AWSS3
- dataTypes:
- WindowsEvent
connectorId: WindowsForwardedEvents
- dataTypes:
- W3CIISLog
connectorId: AzureMonitor(IIS)
- dataTypes:
- WireData
connectorId: AzureMonitor(WireData)
- dataTypes:
- CommonSecurityLog (CheckPoint)
connectorId: CheckPoint
- dataTypes:
- CommonSecurityLog (Cisco)
connectorId: CiscoASA
- dataTypes:
- CommonSecurityLog
connectorId: CEF
- dataTypes:
- CommonSecurityLog (F5)
connectorId: F5
- dataTypes:
- CommonSecurityLog (Fortinet)
connectorId: Fortinet
- dataTypes:
- CommonSecurityLog (PaloAlto)
connectorId: PaloAltoNetworks
- dataTypes:
- SecurityEvents
connectorId: SecurityEvents
- dataTypes:
- WindowsFirewall
connectorId: WindowsFirewall
- dataTypes:
- DnsEvents
connectorId: DNS
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
- dataTypes:
- Syslog
connectorId: InfobloxNIOS
- dataTypes:
- Syslog
connectorId: MicrosoftSysmonForLinux
- dataTypes:
- GCP_DNS_CL
connectorId: GCPDNSDataConnector
- dataTypes:
- WindowsEvent
connectorId: WindowsForwardedEvents
- dataTypes:
- NXLog_DNS_Server_CL
connectorId: NXLogDnsLogs
- dataTypes:
- Cisco_Umbrella_dns_CL
connectorId: CiscoUmbrellaDataConnector
- dataTypes:
- Corelight_CL
connectorId: Corelight
entityMappings:
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
triggerThreshold: 0
id: d804b39c-03a4-417c-a949-bdbf21fa3305
tactics:
- InitialAccess
version: 2.0.0
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml
triggerOperator: gt
kind: Scheduled
tags:
- Schema: ASIMDns
SchemaVersion: 0.1.1
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
queryFrequency: 1h
severity: Medium
status: Available
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
let file_paths = (iocs | where Type =~ "filepath" | project IoC);
let sha256s = (iocs | where Type =~ "sha256" | project IoC);
let ips = (iocs | where Type =~ "ip" | project IoC);
let domains = (iocs | where Type =~ "domainname" | project IoC);
let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where ObjectName in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(WindowsEvent
| where EventID == 4663 and EventData has_any (file_paths)
| extend ObjectName = tostring(EventData.ObjectName)
| where ObjectName in (file_paths)
| extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(imFileEvent
| where TargetFileName in (file_paths)
or
TargetFileSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where FolderPath in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(DeviceEvents
| where InitiatingProcessSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(CommonSecurityLog
| where FileHash in (sha256s)
| extend timestamp = TimeGenerated
),
(Event // File iocs
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (sha256s)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
| extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(WireData
| where isnotempty(RemoteIP)
| where RemoteIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
),
(W3CIISLog
| where isnotempty(cIP)
| where cIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(
WindowsFirewall
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(
_Im_NetworkSession(srcipaddr_has_any_prefix=ips)
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(
_Im_NetworkSession(dstipaddr_has_any_prefix=ips)
| extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(_Im_Dns(domain_has_any=dyndomains)
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
)
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
"properties": {
"alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml",
"query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(WindowsEvent\n| where EventID == 4663 and EventData has_any (file_paths)\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName in (file_paths)\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \"\\\\\", tostring(EventData.SubjectUserName))\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n (CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event // File iocs\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n (\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n(_Im_Dns(domain_has_any=dyndomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
{
"Schema": "ASIMDns",
"SchemaVersion": "0.1.1"
},
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1190"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}