From e018c343fffdab8fb3099039e4dacc895da47498 Mon Sep 17 00:00:00 2001
From: tali-ash <63594865+tali-ash@users.noreply.github.com>
Date: Thu, 7 Jan 2021 16:54:53 +0200
Subject: [PATCH] Update c2-lookup-response[Solorigate].md

---
 Campaigns/c2-lookup-response[Solorigate].md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Campaigns/c2-lookup-response[Solorigate].md b/Campaigns/c2-lookup-response[Solorigate].md
index 81297578..20779d06 100644
--- a/Campaigns/c2-lookup-response[Solorigate].md
+++ b/Campaigns/c2-lookup-response[Solorigate].md
@@ -14,6 +14,12 @@ More Solorigate-related queries can be found listed under the [See also](#see-al
 DeviceEvents
 | where ActionType == "DnsQueryResponse" //DNS Query Response
 and AdditionalFields has ".avsvmcloud"
+
+IdentityQueryEvents
+| where ActionType == "DNS query"
+| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
+| project Timestamp, QueryTarget, DeviceName ,IPAddress,ReportId
+
 ```
 
 ## Category
@@ -51,4 +57,4 @@ This query can be used to detect the following attack techniques and tactics ([s
 
 ## Contributor info
 
-**Contributor:** Microsoft Threat Protection team
+**Contributor:** Microsoft 365 Defender team
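Review bot: In the first hunk the added filter `| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"` fires on any DNS name that contains the token appsync-api by itself, which is not campaign-specific (AWS AppSync GraphQL endpoints carry that label, for instance), so the left-hand clause is likely to add false positives rather than coverage. The `avsvmcloud.com` clause already covers the campaign domain, so the line can be reduced to `| where QueryTarget has "avsvmcloud"` or, if the appsync-api label is meant as a secondary signal, scoped as `| where QueryTarget has "avsvmcloud" or (QueryTarget has "appsync-api" and QueryTarget has "avsvmcloud")`. It would also help to match the indicator used by the DeviceEvents query three lines above (`has ".avsvmcloud"`) so both tables key on the same value; a short comment such as `// IdentityQueryEvents covers DNS seen by Defender for Identity sensors; DeviceEvents covers endpoints` would explain why two tables are queried. The second hunk is a contributor rename and needs no change.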