// Name: Retrospective hunt for STRONTIUM IP IOCs
// Description: This query searches for activity related to the STRONTIUM threat actor IOCs published in
// https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/. The query is scoped in
// the time window that these IOCs were active.
//
// Id: b8b7574f-1cd6-4308-822a-ab07256106f8
//
// DataSource: #CommonSecurityLog, #SecurityAlert DataTypes: #NetworkDeviceLogs, #ASCIoT
//
// Tactics: #CommandAndControl
//
let STRONTIUM_IPS = dynamic(["82.118.242.171" , "167.114.153.55" , "94.237.37.28", "31.220.61.251" , "128.199.199.187" ]);
(union isfuzzy=true
(CommonSecurityLog
| where TimeGenerated between (startofday(datetime(2019-02-01)) .. endofday(datetime(2019-08-05)))
| where SourceIP in (STRONTIUM_IPS) or DestinationIP in (STRONTIUM_IPS)
| extend IPCustomEntity = SourceIP
),
(SecurityAlert
| where TimeGenerated between (startofday(datetime(2019-02-01)) .. endofday(datetime(2019-08-05)))
| extend RemoteAddress = iff(ExtendedProperties has "RemoteAddress", tostring(parse_json(ExtendedProperties)["RemoteAddress"]), "None")
| where RemoteAddress != "None"
| where RemoteAddress in (STRONTIUM_IPS)
| extend IPCustomEntity = RemoteAddress
)
)cloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Hunting Queries/MultipleDataSources/STRONTIUM_IOC_RetroHunt.yaml
26lines · modepreview
unknown