| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.5 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-12-19 |
| Solution Folder | Legacy IOC based Threat Protection |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (56%) |
| Pre-requisites | SquidProxy, Windows Server DNS, CiscoASA, PaloAlto-PAN-OS, Microsoft Defender XDR, Azure Firewall, zscaler1579058425289.zscaler_internet_access_mss, Infoblox NIOS, GoogleCloudPlatformDNS, NXLogDNSLogs, CiscoUmbrella, Corelight, Amazon Web Services, Windows Forwarded Events, Microsoft Sysmon For Linux, Microsoft 365, Windows Security Events, Microsoft Entra ID, Azure Activity, F5 Big-IP, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, Check Point, Common Event Format, Windows Firewall |
Microsoft Security Research, based on ongoing trends and exploits, creates content that helps identify the presence of known IOCs associated with prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written for some legacy IOCs that were prevalent in the past but may still be relevant.
For details on the required solutions, see the Pre-requisites section below.
This solution depends on 23 other solution(s):
This solution does not include its own data connectors but uses connectors from dependency solutions:
This solution queries 9 table(s) from its content items:
| Table | Used By Content |
|---|---|
| AzureDiagnostics | Hunting |
| AzureNetworkAnalytics_CL | Hunting |
| CommonSecurityLog | Hunting |
| DeviceFileEvents | Hunting |
| DeviceProcessEvents | Hunting |
| Event | Hunting |
| SecurityEvent | Hunting |
| VMConnection | Hunting |
| WindowsEvent | Hunting |
The following 1 table(s) are used internally by this solution's content items:
| Table | Used By Content |
|---|---|
| SecurityAlert | Hunting |
This solution includes 10 content item(s):
| Content Type | Count |
|---|---|
| Hunting Queries | 10 |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.5 | 03-06-2024 | Added missing AMA Data Connector reference in Hunting Query |
| 3.0.4 | 22-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.3 | 19-12-2023 | Corrected typo mistake Microsoft Windows DNS to Windows Server DNS |
| 3.0.2 | 12-12-2023 | Removed deprecated Analytical Rules |
| 3.0.1 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & Microsoft 365 Defender to Microsoft Defender XDR |
| 3.0.0 | 19-05-2023 | Deprecating outdated IOC Based Analytic Rules |