Standalone Content Renaming (#7981)

Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml

@@ -1,5 +1,5 @@
 id: bdf04f58-242b-4729-b376-577c4bdf5d3a
-name: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
+name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
 description: |
   'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
   References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
@@ -19,7 +19,7 @@ tags:
     version: 1.0.0
   - Schema: ASIMProcessEvent
     SchemaVersion: 0.1.0
-  - NOBELIUM
+  - Midnight Blizzard
 
 query: |
   imProcessCreate
@@ -36,5 +36,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.1.1
+version: 1.1.2
 kind: Scheduled

Detections/MultipleDataSources/AquaBlizzardFeb2022.yaml

@@ -1,5 +1,5 @@
 id: 38f9d721-70a9-4570-9aff-1471eae7c844
-name: ACTINIUM Actor IOCs - Feb 2022
+name: Aqua Blizzard Actor IOCs - Feb 2022
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ActiniumFeb2022.yaml'
-version: 1.1.2
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/AquaBlizzardFeb2022.yaml'
+version: 1.1.3

Detections/MultipleDataSources/CadetBlizzard_Jan2022_IOC.yaml

@@ -1,5 +1,5 @@
 id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393
-name: DEV-0586 Actor IOC - January 2022
+name: Cadet Blizzard Actor IOC - January 2022
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Dev-0586_Jan2022_IOC.yaml'
-version: 1.0.3
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml'
+version: 1.0.4

Detections/MultipleDataSources/CaramelTsunami_IOC.yaml

@@ -1,5 +1,5 @@
 id: 2b68903a-cb95-4e31-a2db-4a0a15803761
-name: SOURGUM Actor IOC - July 2021
+name: Caramel Tsunami Actor IOC - July 2021
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SOURGUM_IOC.yaml'
-version: 1.2.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CaramelTsunami_IOC.yaml'
+version: 1.2.2

Detections/MultipleDataSources/DenimTsunamiAVDetection.yaml

@@ -1,5 +1,5 @@
 id: 69fe6e85-8867-4872-a707-f589d3554375
-name: KNOTWEED AV Detection
+name: Denim Tsunami AV Detection
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDAVDetection.yaml'
-version: 1.0.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiAVDetection.yaml'
+version: 1.0.2

Detections/MultipleDataSources/DenimTsunamiC2DomainsJuly2022.yaml

@@ -1,5 +1,5 @@
 id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8
-name: KNOTWEED C2 Domains July 2022
+name: Denim Tsunami C2 Domains July 2022
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDC2DomainsJuly2022.yaml'
-version: 1.0.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml'
+version: 1.0.2

Detections/MultipleDataSources/DenimTsunamiFileHashesJuly2022.yaml

@@ -1,5 +1,5 @@
 id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61
-name: KNOTWEED File Hashes July 2022
+name: Denim Tsunami File Hashes July 2022
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KNOTWEEDFileHashesJuly2022.yaml'
-version: 1.0.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml'
+version: 1.0.2

Detections/MultipleDataSources/DiamondSleetJan272021IOCs.yaml

@@ -1,5 +1,5 @@
 id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0
-name: Known ZINC Comebacker and Klackring malware hashes
+name: Known Diamond Sleet Comebacker and Klackring malware hashes
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincJan272021IOCs.yaml'
-version: 1.7.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetJan272021IOCs.yaml'
+version: 1.7.2

Detections/MultipleDataSources/DiamondSleetOct292020IOCs.yaml

@@ -1,5 +1,5 @@
 id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9
-name: Known ZINC related maldoc hash
+name: Known Diamond Sleet related maldoc hash
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ZincOct292020IOCs.yaml'
-version: 1.0.2
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetOct292020IOCs.yaml'
+version: 1.0.3

Detections/MultipleDataSources/EmeraldSleetIOCs.yaml

@@ -1,5 +1,5 @@
 id: 993b32e3-f097-4fcb-b555-3078a4af63be
-name: THALLIUM domains included in DCU takedown
+name: Emerald Sleet domains included in DCU takedown
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ThalliumIOCs.yaml'
-version: 1.5.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/EmeraldSleetIOCs.yaml'
+version: 1.5.2

Detections/MultipleDataSources/ForestBlizzardJuly2019IOCs.yaml

@@ -1,7 +1,7 @@
 id: 074ce265-f684-41cd-af07-613c5f3e6d0d
-name: Known STRONTIUM group domains - July 2019
+name: Known Forest Blizzard group domains - July 2019
 description: |
-  'Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
+  'Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.
   References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.'
 severity: High
 tags:
@@ -116,7 +116,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.5.1
+version: 1.5.2
 kind: Scheduled
 metadata:
     source:

Detections/MultipleDataSources/ForestBlizzardOct292020IOCs.yaml

@@ -1,5 +1,5 @@
 id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
-name: Possible STRONTIUM attempted credential harvesting - Oct 2020
+name: Possible Forest Blizzard attempted credential harvesting - Oct 2020
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/STRONTIUMOct292020IOCs.yaml'
-version: 1.0.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
+version: 1.0.2

Detections/MultipleDataSources/GraniteTyphoonIOCs.yaml

@@ -1,5 +1,5 @@
 id: 00f44734-35a9-4103-b6b9-fd7752e70385
-name: Known GALLIUM domains and hashes
+name: Known Granite Typhoon domains and hashes
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml'
-version: 1.6.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GraniteTyphoonIOCs.yaml'
+version: 1.6.2

Detections/MultipleDataSources/KnownMintSandstormDomainsIP-October2020.yaml

@@ -1,5 +1,5 @@
 id: 1bcfc5db-042d-4009-9989-45c3abd61352
-name: Known PHOSPHORUS group domains/IP - October 2020
+name: Known Mint Sandstorm group domains/IP - October 2020
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownPHOSPHORUSDomainsIP-October2020.yaml'
-version: 1.1.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
+version: 1.1.2

Detections/MultipleDataSources/MidnightBlizzard_DomainIOCsMarch2021.yaml

@@ -1,5 +1,5 @@
 id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
-name: NOBELIUM - Domain and IP IOCs - March 2021
+name: Midnight Blizzard - Domain and IP IOCs - March 2021
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_DomainIOCsMarch2021.yaml'
-version: 1.4.2
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
+version: 1.4.3

Detections/MultipleDataSources/MidnightBlizzard_FoggyWeb.yaml

@@ -1,5 +1,5 @@
 id: 18119187-a22f-4042-8941-ffcaf62b730f
-name: NOBELIUM IOCs related to FoggyWeb backdoor
+name: Midnight Blizzard IOCs related to FoggyWeb backdoor
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Nobelium_FoggyWeb.yaml'
-version: 2.1.3
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
+version: 2.1.4

Detections/MultipleDataSources/MidnightBlizzard_IOCsMay2021.yaml

@@ -1,5 +1,5 @@
 id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
-name: NOBELIUM - Domain, Hash and IP IOCs - May 2021
+name: Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NOBELIUM_IOCsMay2021.yaml'
-version: 1.6.2
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
+version: 1.6.3

Detections/MultipleDataSources/NylonTyphoonIOCsNov2021.yaml

@@ -1,5 +1,5 @@
-id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
-name: Known NICKEL domains and hashes
-description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NICKELIOCsNov2021.yaml'
-version: 1.3.2
+id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
+name: Known Nylon Typhoon domains and hashes
+description: |
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
+version: 1.3.3

Detections/MultipleDataSources/PlaidRainIPIoC.yaml

@@ -1,5 +1,5 @@
 id: a514564b-b010-4c0b-bd71-20e0ce814c66
-name: Known POLONIUM IP
+name: Known Plaid Rain IP
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/POLONIUMIPIoC.yaml'
-version: 1.1.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PlaidRainIPIoC.yaml'
+version: 1.1.2

Detections/MultipleDataSources/RubySleetOct292020IOCs.yaml

@@ -1,5 +1,5 @@
 id: 50bf97ef-43f9-470a-a3cd-de15a9204050
-name: Known CERIUM domains and hashes
+name: Known Ruby Sleet domains and hashes
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CERIUMOct292020IOCs.yaml'
-version: 1.3.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/RubySleetOct292020IOCs.yaml'
+version: 1.3.2

Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml

@@ -1,5 +1,5 @@
 id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
-name: Known IRIDIUM IP
+name: Known Seashell Blizzard IP
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/IridiumIOCs.yaml'
-version: 1.5.1
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SeashellBlizzardIOCs.yaml'
+version: 1.5.2

Detections/MultipleDataSources/SilkTyphoonUmServiceSuspiciousFile.yaml

@@ -1,5 +1,5 @@
 id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
-name: HAFNIUM UM Service writing suspicious file
+name: Silk Typhoon UM Service writing suspicious file
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/HAFNIUMUmServiceSuspiciousFile.yaml'
-version: 1.2.3
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
+version: 1.2.4

Detections/MultipleDataSources/StarBlizzardDomainsAugust2022.yaml

@@ -1,7 +1,7 @@
 id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
-name: SEABORGIUM C2 Domains August 2022
+name: Star Blizzard C2 Domains August 2022
 description: |
-  'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as SEABORGIUM.'
+  'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
 severity: High
 requiredDataConnectors:
   - connectorId: AzureMonitor(VMInsights)
@@ -30,7 +30,7 @@ tactics:
 relevantTechniques:
   - T1566
 tags:
-  - SEABORGIUM
+  - Star Blizzard
   - Schema: ASIMDns
     SchemaVersion: 0.1.1
 query: |
@@ -91,7 +91,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:

Detections/MultipleDataSources/powershell_MangoSandstorm.yaml

@@ -1,7 +1,7 @@
 id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
-name: Identify MERCURY powershell commands  
+name: Identify Mango Sandstorm powershell commands  
 description: |
-  'The query below identifies powershell commands used by the threat actor Mercury.
+  'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
   Reference:  https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
 severity: High
 requiredDataConnectors:
@@ -20,7 +20,7 @@ tactics:
 relevantTechniques:
   - T1570
 tags:
-  - Mercury
+  - Mango Sandstorm
   - Schema: ASIMFileEvent
     SchemaVersion: 0.1.0
 query: |
@@ -55,7 +55,7 @@ entityMappings:
     fieldMappings:
       - identifier: ProcessId
         columnName: ProcessCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:

Detections/OfficeActivity/ForestBlizzardCredHarvesting.yaml

@@ -1,5 +1,5 @@
 id: ad6882a8-7749-471e-b7d6-6c7e42a8eca3
-name: Possible STRONTIUM attempted credential harvesting - Sept 2020
+name: Possible Forest Blizzard attempted credential harvesting - Sept 2020
 description: |
-  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/StrontiumCredHarvesting.yaml'
-version: 1.0.1
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/Analytic%20Rules/ForestBlizzardCredHarvesting.yaml'
+version: 1.0.2

Detections/SecurityAlert/AquaBlizzardAVHits.yaml

@@ -1,4 +1,5 @@
 id: 96c8f92e-a617-4158-94ea-dea51557b40e
-name: ACTINIUM AV hits - Feb 2022
+name: Aqua Blizzard AV hits - Feb 2022
 description: | 
-  'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/ActiniumAVHits.yaml'
+  'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Analytic%20Rules/AquaBlizzardAVHits.yaml'
+version: 1.1.4

Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml

@@ -1,5 +1,5 @@
 id: d82e1987-4356-4a7b-bc5e-064f29b143c0
-name: NOBELIUM - suspicious rundll32.exe execution of vbscript
+name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
 description: |
   'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
    References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
@@ -26,7 +26,7 @@ tactics:
 relevantTechniques:
   - T1547
 tags:
-  - NOBELIUM
+  - Midnight Blizzard
 query: |
   (union isfuzzy=true 
   (SecurityEvent
@@ -58,7 +58,7 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
 metadata:
     source:

Detections/SecurityEvent/MidnightBlizzard_SuspiciousScriptRegistryWrite.yaml

@@ -1,5 +1,5 @@
 id: 00cb180c-08a8-4e55-a276-63fb1442d5b5
-name: NOBELIUM - Script payload stored in Registry
+name: Midnight Blizzard - Script payload stored in Registry
 description: |
   'This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script
    References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
@@ -26,7 +26,7 @@ tactics:
 relevantTechniques:
   - T1059
 tags:
-  - NOBELIUM
+  - Midnight Blizzard
 query: |
   let cmdTokens0 = dynamic(['vbscript','jscript']);
   let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
@@ -70,7 +70,7 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
 metadata:
     source:

Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml

@@ -1,5 +1,5 @@
 id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
-name: HAFNIUM New UM Service Child Process
+name: Silk Typhoon New UM Service Child Process
 description: |
   'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 
   Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@@ -72,7 +72,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.1.2
+version: 1.1.3
 kind: Scheduled
 metadata:
     source:

Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml

@@ -1,5 +1,5 @@
 id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
-name: HAFNIUM Suspicious UM Service Error
+name: Silk Typhoon Suspicious UM Service Error
 description: |
   'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 
   Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@@ -26,7 +26,7 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:

Detections/W3CIISLog/SilkTyphoonSuspiciousExchangeRequestPattern.yaml

@@ -1,7 +1,7 @@
 id: 23005e87-2d3a-482b-b03d-edbebd1ae151
-name: HAFNIUM Suspicious Exchange Request
+name: Silk Typhoon Suspicious Exchange Request
 description: |
-  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
+  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
   The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
   Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
 severity: Medium
@@ -42,7 +42,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:

Detections/WindowsEvents/CaramelTsunami_IOC_WindowsEvent.yaml

@@ -1,5 +1,5 @@
 id: 5c798a48-df20-4cc0-8b56-1e0878be29b0
-name: SOURGUM Actor IOC - July 2021
+name: Caramel Tsunami Actor IOC - July 2021
 description: | 
-  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/SOURGUM_IOC_WindowsEvent.yaml'
-version: 1.0.2
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Forwarded%20Events/Analytic%20Rules/CaramelTsunami_IOC_WindowsEvent.yaml'
+version: 1.0.3

Detections/http_proxy_oab_CL/SilkTyphoonSuspiciousFileDownloads.yaml

@@ -1,5 +1,5 @@
 id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
-name: HAFNIUM Suspicious File Downloads.
+name: Silk Typhoon Suspicious File Downloads.
 description: |
   'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
   Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
@@ -28,7 +28,7 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:

Hunting Queries/Microsoft 365 Defender/Campaigns/StarBlizzardDomainIOCsAug2022.yaml

@@ -1,7 +1,7 @@
 id: 4b14590a-a1f0-4756-9f3d-baafa696e051
-name: SEABORGIUM-Domain IOCs
+name: Star Blizzard-Domain IOCs
 description: |
-  'This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections'
+  'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
 severity: High
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection

Hunting Queries/MultipleDataSources/ForestBlizzard_IOC_RetroHunt.yaml

@@ -1,4 +1,4 @@
 id: 68f31c3e-2d0c-4984-9700-2fc0b9feed7b
-name: Retrospective hunt for STRONTIUM IP IOCs
+name: Retrospective hunt for Forest Blizzard IP IOCs
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/STRONTIUM_IOC_RetroHunt.yaml'
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/ForestBlizzard_IOC_RetroHunt.yaml'

Hunting Queries/MultipleDataSources/NylonTyphoonCommandLineActivity-Nov2021.yaml

@@ -1,4 +1,4 @@
 id: b05a2ccb-b683-4462-9a87-d878c36e3c28
-name: NICKEL Command Line Activity November 2021
+name: Nylon Typhoon Command Line Activity November 2021
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NICKELCommandLineActivity-Nov2021.yaml'
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml'

Hunting Queries/MultipleDataSources/NylonTyphoonRegIOCPatterns.yaml

@@ -1,4 +1,4 @@
 id: 0516dd04-5944-4ff0-b61f-d80666e433e4
-name: Known NICKEL Registry modifications patterns
+name: Known Nylon Typhoon Registry modifications patterns
 description: |
-   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NickelRegIOCPatterns.yaml'
+   'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Hunting%20Queries/NylonTyphoonRegIOCPatterns.yaml'