This commit is contained in:
v-vdixit 2023-05-08 18:52:09 +05:30 committed by GitHub
Parent 30bdd35e39
Commit 3fab76c6ad
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
37 changed files: 108 additions and 107 deletions

View file

@ -1,5 +1,5 @@
id: bdf04f58-242b-4729-b376-577c4bdf5d3a
name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
description: |
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
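Review bot: the description in this hunk's context still reads "This query idenifies"; since the file is being rewritten for the rename anyway, correct it to "identifies" here, and in the two other Midnight Blizzard rules in this commit that carry the same wording.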
@ -19,7 +19,7 @@ tags:
version: 1.0.0
- Schema: ASIMProcessEvent
SchemaVersion: 0.1.0
- NOBELIUM
- Midnight Blizzard
query: |
imProcessCreate
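Review bot: dropping the `- NOBELIUM` tag removes the only searchable trace of the former actor name, while the reference URL in the description still says nobelium. Keep the old name next to the new one (a second tag, or "(formerly NOBELIUM)" in the description) so existing saved searches and filters keyed on the old name keep matching and analysts can correlate the rule with the linked blog post. The same applies to every renamed rule in this commit.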
@ -36,5 +36,5 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.1.1
version: 1.1.2
kind: Scheduled

View file

@ -1,5 +1,5 @@
id: 38f9d721-70a9-4570-9aff-1471eae7c844
name: ACTINIUM Actor IOCs - Feb 2022
name: Aqua Blizzard Actor IOCs - Feb 2022
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ActiniumFeb2022.yaml'
version: 1.1.2
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/AquaBlizzardFeb2022.yaml'
version: 1.1.3
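Review bot: the migration pointer now links to .../Analytic%20Rules/AquaBlizzardFeb2022.yaml, but no rename of the Solutions/... target files is visible anywhere in this 37-file diff, so the link will be dead unless those targets were already renamed on master or land in the same PR. Verify that every updated URL resolves before merging; this applies to each "content migration" stub updated below.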

View file

@ -1,5 +1,5 @@
id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393
name: DEV-0586 Actor IOC - January 2022
name: Cadet Blizzard Actor IOC - January 2022
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Dev-0586_Jan2022_IOC.yaml'
version: 1.0.3
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml'
version: 1.0.4

View file

@ -1,5 +1,5 @@
id: 2b68903a-cb95-4e31-a2db-4a0a15803761
name: SOURGUM Actor IOC - July 2021
name: Caramel Tsunami Actor IOC - July 2021
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SOURGUM_IOC.yaml'
version: 1.2.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CaramelTsunami_IOC.yaml'
version: 1.2.2

View file

@ -1,5 +1,5 @@
id: 69fe6e85-8867-4872-a707-f589d3554375
name: KNOTWEED AV Detection
name: Denim Tsunami AV Detection
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDAVDetection.yaml'
version: 1.0.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiAVDetection.yaml'
version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8
name: KNOTWEED C2 Domains July 2022
name: Denim Tsunami C2 Domains July 2022
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDC2DomainsJuly2022.yaml'
version: 1.0.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml'
version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61
name: KNOTWEED File Hashes July 2022
name: Denim Tsunami File Hashes July 2022
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDFileHashesJuly2022.yaml'
version: 1.0.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml'
version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0
name: Known ZINC Comebacker and Klackring malware hashes
name: Known Diamond Sleet Comebacker and Klackring malware hashes
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincJan272021IOCs.yaml'
version: 1.7.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetJan272021IOCs.yaml'
version: 1.7.2

View file

@ -1,5 +1,5 @@
id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9
name: Known ZINC related maldoc hash
name: Known Diamond Sleet related maldoc hash
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincOct292020IOCs.yaml'
version: 1.0.2
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetOct292020IOCs.yaml'
version: 1.0.3

View file

@ -1,5 +1,5 @@
id: 993b32e3-f097-4fcb-b555-3078a4af63be
name: THALLIUM domains included in DCU takedown
name: Emerald Sleet domains included in DCU takedown
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ThalliumIOCs.yaml'
version: 1.5.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/EmeraldSleetIOCs.yaml'
version: 1.5.2

View file

@ -1,7 +1,7 @@
id: 074ce265-f684-41cd-af07-613c5f3e6d0d
name: Known STRONTIUM group domains - July 2019
name: Known Forest Blizzard group domains - July 2019
description: |
'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.'
severity: High
tags:
@ -116,7 +116,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.5.1
version: 1.5.2
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
name: Possible STRONTIUM attempted credential harvesting - Oct 2020
name: Possible Forest Blizzard attempted credential harvesting - Oct 2020
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/STRONTIUMOct292020IOCs.yaml'
version: 1.0.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
version: 1.0.2

View file

@ -1,5 +1,5 @@
id: 00f44734-35a9-4103-b6b9-fd7752e70385
name: Known GALLIUM domains and hashes
name: Known Granite Typhoon domains and hashes
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml'
version: 1.6.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GraniteTyphoonIOCs.yaml'
version: 1.6.2

View file

@ -1,5 +1,5 @@
id: 1bcfc5db-042d-4009-9989-45c3abd61352
name: Known PHOSPHORUS group domains/IP - October 2020
name: Known Mint Sandstorm group domains/IP - October 2020
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml'
version: 1.1.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
version: 1.1.2

View file

@ -1,5 +1,5 @@
id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
name: NOBELIUM - Domain and IP IOCs - March 2021
name: Midnight Blizzard - Domain and IP IOCs - March 2021
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_DomainIOCsMarch2021.yaml'
version: 1.4.2
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
version: 1.4.3

View file

@ -1,5 +1,5 @@
id: 18119187-a22f-4042-8941-ffcaf62b730f
name: NOBELIUM IOCs related to FoggyWeb backdoor
name: Midnight Blizzard IOCs related to FoggyWeb backdoor
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Nobelium_FoggyWeb.yaml'
version: 2.1.3
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
version: 2.1.4

View file

@ -1,5 +1,5 @@
id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
name: NOBELIUM - Domain, Hash and IP IOCs - May 2021
name: Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_IOCsMay2021.yaml'
version: 1.6.2
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
version: 1.6.3

View file

@ -1,5 +1,5 @@
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
name: Known NICKEL domains and hashes
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NICKELIOCsNov2021.yaml'
version: 1.3.2
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
name: Known Nylon Typhoon domains and hashes
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
version: 1.3.3
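Review bot: in this hunk the `id:` line is replaced together with the rest of the block, whereas in every other stub in the commit it stays as unchanged context. The GUID is identical on both sides (286559b0-d88d-4c9f-bbc4-3b4a57485e5d), so this is most likely a whitespace or line-ending change; confirm that is all it is and drop it if accidental, so the diff itself proves the template id did not change.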

View file

@ -1,5 +1,5 @@
id: a514564b-b010-4c0b-bd71-20e0ce814c66
name: Known POLONIUM IP
name: Known Plaid Rain IP
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/POLONIUMIPIoC.yaml'
version: 1.1.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PlaidRainIPIoC.yaml'
version: 1.1.2

View file

@ -1,5 +1,5 @@
id: 50bf97ef-43f9-470a-a3cd-de15a9204050
name: Known CERIUM domains and hashes
name: Known Ruby Sleet domains and hashes
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CERIUMOct292020IOCs.yaml'
version: 1.3.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/RubySleetOct292020IOCs.yaml'
version: 1.3.2

View file

@ -1,5 +1,5 @@
id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
name: Known IRIDIUM IP
name: Known Seashell Blizzard IP
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/IridiumIOCs.yaml'
version: 1.5.1
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SeashellBlizzardIOCs.yaml'
version: 1.5.2

View file

@ -1,5 +1,5 @@
id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
name: HAFNIUM UM Service writing suspicious file
name: Silk Typhoon UM Service writing suspicious file
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/HAFNIUMUmServiceSuspiciousFile.yaml'
version: 1.2.3
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
version: 1.2.4

View file

@ -1,7 +1,7 @@
id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
name: SEABORGIUM C2 Domains August 2022
name: Star Blizzard C2 Domains August 2022
description: |
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as SEABORGIUM.'
'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
severity: High
requiredDataConnectors:
- connectorId: AzureMonitor(VMInsights)
@ -30,7 +30,7 @@ tactics:
relevantTechniques:
- T1566
tags:
- SEABORGIUM
- Star Blizzard
- Schema: ASIMDns
SchemaVersion: 0.1.1
query: |
@ -91,7 +91,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:

View file

@ -1,7 +1,7 @@
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
name: Identify MERCURY powershell commands
name: Identify Mango Sandstorm powershell commands
description: |
'The query below identifies powershell commands used by the threat actor Mercury.
'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
severity: High
requiredDataConnectors:
@ -20,7 +20,7 @@ tactics:
relevantTechniques:
- T1570
tags:
- Mercury
- Mango Sandstorm
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
query: |
@ -55,7 +55,7 @@ entityMappings:
fieldMappings:
- identifier: ProcessId
columnName: ProcessCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3
name: Possible STRONTIUM attempted credential harvesting - Sept 2020
name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/StrontiumCredHarvesting.yaml'
version: 1.0.1
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/ForestBlizzardCredHarvesting.yaml'
version: 1.0.2
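Review bot: the migration text in this stub ("moved to new location. you can find here:") does not match the wording used by the other stubs ("moved to a new location. You can find it here"); since the line is being rewritten for the rename anyway, align it with the rest. The same phrasing appears in two more stubs further down in this commit.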

View file

@ -1,4 +1,5 @@
id: 96c8f92e-a617-4158-94ea-dea51557b40e
name: ACTINIUM AV hits - Feb 2022
name: Aqua Blizzard AV hits - Feb 2022
description: |
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/ActiniumAVHits.yaml'
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/AquaBlizzardAVHits.yaml'
version: 1.1.4
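Review bot: the header `@ -1,4 +1,5 @@` shows `version: 1.1.4` being added rather than bumped, so the old stub carried no version line at all. Check that 1.1.4 matches the version of the migrated target (ActiniumAVHits.yaml, now AquaBlizzardAVHits.yaml) so the stub and the live rule do not diverge; if it does not, start the stub at the target's current version.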

View file

@ -1,5 +1,5 @@
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: NOBELIUM - suspicious rundll32.exe execution of vbscript
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
description: |
'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
@ -26,7 +26,7 @@ tactics:
relevantTechniques:
- T1547
tags:
- NOBELIUM
- Midnight Blizzard
query: |
(union isfuzzy=true
(SecurityEvent
@ -58,7 +58,7 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.1.2
version: 1.1.3
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
name: NOBELIUM - Script payload stored in Registry
name: Midnight Blizzard - Script payload stored in Registry
description: |
'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script
References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
@ -26,7 +26,7 @@ tactics:
relevantTechniques:
- T1059
tags:
- NOBELIUM
- Midnight Blizzard
query: |
let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
@ -70,7 +70,7 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.1.2
version: 1.1.3
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
name: HAFNIUM New UM Service Child Process
name: Silk Typhoon New UM Service Child Process
description: |
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@ -72,7 +72,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.1.2
version: 1.1.3
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
name: HAFNIUM Suspicious UM Service Error
name: Silk Typhoon Suspicious UM Service Error
description: |
'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@ -26,7 +26,7 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:

View file

@ -1,7 +1,7 @@
id: 23005e87-2d3a-482b-b03d-edbebd1ae151
name: HAFNIUM Suspicious Exchange Request
name: Silk Typhoon Suspicious Exchange Request
description: |
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
severity: Medium
@ -42,7 +42,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:

View file

@ -1,5 +1,5 @@
id: 5c798a48-df20-4cc0-8b56-1e0878be29b0
name: SOURGUM Actor IOC - July 2021
name: Caramel Tsunami Actor IOC - July 2021
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/SOURGUM_IOC_WindowsEvent.yaml'
version: 1.0.2
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/CaramelTsunami_IOC_WindowsEvent.yaml'
version: 1.0.3

View file

@ -1,5 +1,5 @@
id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
name: HAFNIUM Suspicious File Downloads.
name: Silk Typhoon Suspicious File Downloads.
description: |
'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.
Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@ -28,7 +28,7 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:

View file

@ -1,7 +1,7 @@
id: 4b14590a-a1f0-4756-9f3d-baafa696e051
name: SEABORGIUM-Domain IOCs
name: Star Blizzard-Domain IOCs
description: |
'This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections'
'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
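Review bot: this is the only full rule file in the commit whose diff carries no version bump; every other renamed rule (the Star Blizzard C2 Domains and Mango Sandstorm rules above, for instance) moves from x.y.z to x.y.z+1 in a separate hunk. If this file has a version field, bump it in the same PR so the template change is actually published; if it has none, add one.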

View file

@ -1,4 +1,4 @@
id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b
name: Retrospective hunt for STRONTIUM IP IOCs
name: Retrospective hunt for Forest Blizzard IP IOCs
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/STRONTIUM_IOC_RetroHunt.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/ForestBlizzard_IOC_RetroHunt.yaml'

View file

@ -1,4 +1,4 @@
id: b05a2ccb-b683-4462-9a87-d878c36e3c28
name: NICKEL Command Line Activity November 2021
name: Nylon Typhoon Command Line Activity November 2021
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NICKELCommandLineActivity-Nov2021.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml'

View file

@ -1,4 +1,4 @@
id: 0516dd04-5944-4ff0-b61f-d80666e433e4
name: Known NICKEL Registry modifications patterns
name: Known Nylon Typhoon Registry modifications patterns
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NickelRegIOCPatterns.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonRegIOCPatterns.yaml'