Microsoft Sentinel Analytic Rules

[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022

Id: 825991eb-ea39-4590-9de2-ee97ef42eb93
Rulename: [Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022
Description: This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed.

Aqua Blizzard AV hits - Feb 2022

Id: 18dbdc22-b69f-4109-9e39-723d9465f45f
Rulename: Aqua Blizzard AV hits - Feb 2022
Description: Identifies a match in the SecurityAlert table for MDATP hits related to the Aqua Blizzard actor
Severity: High
Tactics: Persistence
Techniques: T1137
Required data connectors: MicrosoftDefenderAdvancedThreatProtection
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic Rules/AquaBlizzardAVHits.yaml
Version: 1.0.2
Arm template: 18dbdc22-b69f-4109-9e39-723d9465f45f.json
KQL:
let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let AVHits = (iocs | where Type =~ "AVDetection" | project IoC);
SecurityAlert
| where ProviderName == 'MDATP'
| extend ThreatName_ = tostring(parse_json(ExtendedProperties).