Known Forest Blizzard group domains - July 2019

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	074ce265-f684-41cd-af07-613c5f3e6d0d
Severity	High
Kind	Scheduled
Tactics	CommandAndControl
Techniques	T1071
Required Connectors	DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
AZFWApplicationRule	✓	✗	?
AZFWDnsQuery	✓	✗	?
AzureDiagnostics 🔶	?	✗	?
CommonSecurityLog	✓	✓	?
VMConnection	?	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
CefAma	Common Event Format
CloudNSSAuditLogs_ccp	Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp	Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp	Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp	Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp	Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp	Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp	Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp	Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp	Zscaler Internet Access
CloudNSSDNSLogs_ccp	Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp	Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp	Zscaler Internet Access
CloudNSSFWLogs_ccp	Zscaler Internet Access
CloudNSSTunnelLogs_ccp	Zscaler Internet Access
CloudNSSWebLogs_ccp	Zscaler Internet Access
VirtualMetricDirectorProxy	VirtualMetric DataStream
VirtualMetricMSSentinelConnector	VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector	VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules