Identifies a match across several data feeds (Sysmon events in the Event table, and Security Event ID 5145 in the SecurityEvent and WindowsEvent tables) for named pipe IOCs related to the Solorigate incident. The Sysmon leg of this detection depends on named pipe logging being enabled in the Sysmon configuration (the PipeEvent rule group, which produces Event ID 17 "Pipe Created" and Event ID 18 "Pipe Connected"); without it that part of the query returns nothing. Event ID 5145 ("a network share object was checked to see whether client can be granted desired access") surfaces pipe names accessed over SMB as the RelativeTargetName on the IPC$ share. Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
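The following is an added example, not the rule's own KQL, showing the same matching logic run offline over constructed sample rows shaped like the three Sentinel tables the rule reads: Event (Sysmon 17/18, with the EventData column holding the DataItem XML), SecurityEvent (5145 fields as columns) and WindowsEvent (5145 fields inside the dynamic EventData bag). The IOC pipe name, hosts, accounts and all records are placeholders, and the function and constant names are this example's own.

```python
"""Hunt for named-pipe IOCs across Sysmon pipe events and Security 5145 events.

Added example; not the Sentinel rule's own query. Record shapes mirror how
Sentinel stores the tables, but every row and the IOC below are constructed.
"""
import xml.etree.ElementTree as ET

# Hypothetical IOC list; replace with the pipe names from the referenced blog.
PIPE_IOCS = {r"\ioc-pipe-placeholder"}

SYSMON_SOURCE = "Microsoft-Windows-Sysmon"
SYSMON_PIPE_EVENTS = (17, 18)   # 17 = Pipe Created, 18 = Pipe Connected
SECURITY_SHARE_CHECK = 5145     # network share access check; pipe names appear on IPC$


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_eventdata(xml_text):
    """Return {Data@Name: text} from the <DataItem>/<EventData> XML held in the
    Event table's EventData column. Looking fields up by Name rather than by
    position keeps the match intact if Sysmon reorders or adds fields."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter() if _local(d.tag) == "Data"}


def normalize_pipe(name):
    """Sysmon reports '\\name'; 5145 reports the name relative to IPC$.
    Drop leading backslashes and case so both forms compare equal."""
    return name.lstrip("\\").lower()


def matches_ioc(pipe_name, iocs=PIPE_IOCS):
    """True if any IOC appears inside the pipe name (KQL 'contains' semantics)."""
    target = normalize_pipe(pipe_name)
    return any(normalize_pipe(i) in target for i in iocs)


def hunt_sysmon_pipes(event_rows, iocs=PIPE_IOCS):
    """Event table: Sysmon 17/18 rows whose PipeName matches an IOC."""
    hits = []
    for row in event_rows:
        if row.get("Source") != SYSMON_SOURCE or row.get("EventID") not in SYSMON_PIPE_EVENTS:
            continue
        fields = parse_sysmon_eventdata(row["EventData"])
        pipe = fields.get("PipeName", "")
        if matches_ioc(pipe, iocs):
            hits.append({"Table": "Event", "Computer": row.get("Computer"),
                         "EventID": row["EventID"], "PipeName": pipe,
                         "Image": fields.get("Image", "")})
    return hits


def hunt_share_checks(rows, table, iocs=PIPE_IOCS):
    """SecurityEvent/WindowsEvent: 5145 rows whose RelativeTargetName matches.
    SecurityEvent exposes the field as a column; WindowsEvent keeps it inside
    the dynamic EventData bag, so both locations are checked."""
    hits = []
    for row in rows:
        if row.get("EventID") != SECURITY_SHARE_CHECK:
            continue
        bag = row.get("EventData") or {}
        target = row.get("RelativeTargetName") or bag.get("RelativeTargetName", "")
        if matches_ioc(target, iocs):
            hits.append({"Table": table, "Computer": row.get("Computer"),
                         "EventID": SECURITY_SHARE_CHECK, "PipeName": target,
                         "Account": row.get("Account") or bag.get("SubjectUserName", "")})
    return hits


def hunt(event_rows, security_rows, windows_rows, iocs=PIPE_IOCS):
    """Union of the three feeds the rule reads, in table order."""
    return (hunt_sysmon_pipes(event_rows, iocs)
            + hunt_share_checks(security_rows, "SecurityEvent", iocs)
            + hunt_share_checks(windows_rows, "WindowsEvent", iocs))


def _sysmon_xml(event_type, pipe, image):
    """Constructed Sysmon EventData XML in the Event-table shape."""
    return ('<DataItem type="System.XmlData"><EventData '
            'xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<Data Name="RuleName">-</Data><Data Name="EventType">{event_type}</Data>'
            '<Data Name="UtcTime">2020-12-14 10:00:00.000</Data>'
            '<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>'
            f'<Data Name="ProcessId">4242</Data><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></DataItem>')


# Constructed sample rows (hosts, accounts and pipe names are placeholders).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Source": SYSMON_SOURCE, "EventID": 17,
     "EventData": _sysmon_xml("CreatePipe", r"\ioc-pipe-placeholder", r"C:\Windows\System32\rundll32.exe")},
    {"Computer": "ws01", "Source": SYSMON_SOURCE, "EventID": 18,
     "EventData": _sysmon_xml("ConnectPipe", r"\srvsvc", r"C:\Windows\System32\svchost.exe")},
    {"Computer": "ws01", "Source": SYSMON_SOURCE, "EventID": 1, "EventData": "<DataItem/>"},
]
SAMPLE_SECURITY = [
    {"Computer": "dc01", "EventID": 5145, "Account": r"CORP\svc-backup",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "ioc-pipe-placeholder"},
    {"Computer": "dc01", "EventID": 5145, "Account": r"CORP\alice",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
]
SAMPLE_WINDOWS = [
    {"Computer": "fs02", "EventID": 5145,
     "EventData": {"SubjectUserName": "svc-backup", "ShareName": r"\\*\IPC$",
                   "RelativeTargetName": "IOC-Pipe-Placeholder"}},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, SAMPLE_SECURITY, SAMPLE_WINDOWS):
        print(hit)
```

Two points carry over to the real rule: the Sysmon leg only fires if the PipeEvent rule group is enabled in the Sysmon config, and the 5145 leg needs the pipe name compared without its leading backslash, since Sysmon and the Security log render it differently.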
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 11b4c19d-2a79-4da3-af38-b067e1273dee |
| Severity | High |
| Kind | Scheduled |
| Tactics | DefenseEvasion, PrivilegeEscalation |
| Techniques | T1055 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| Event | | ✓ | ✓ | ? |
| SecurityEvent | | ✓ | ✓ | ? |
| WindowsEvent | EventID in "17,18,5145" | ✓ | ✓ | ? |
The following connectors provide data for this content item:
Solutions: Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events