/
AVdetectionsrelatedtoUkrainebasedthreats.yaml
38 lines (38 loc) · 1.4 KB
/
AVdetectionsrelatedtoUkrainebasedthreats.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
id: b6685757-3ed1-4b05-a5bd-2cacadc86c2a
name: AV detections related to Ukraine threats
description: |
'This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.
Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ '
severity: High
status: Available
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1485
query: |
let UA_threats = dynamic(["FoxBlade", "WhisperGate", "Lasainraw", "SonicVote", "CaddyWiper", "AprilAxe", "FiberLake", "Industroyer", "DesertBlade"]);
SecurityAlert
| where ProviderName =~ "MDATP"
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in~ (UA_threats)
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
version: 1.1.3
kind: Scheduled