Checking for Malicious Scanning in Microsoft Sentinel With Custom Queries
Mar 25, 2022 | Industry Insight
In response to our recent LinkedIn post, we have had requests on how Microsoft Sentinel users can check their environment for any potentially malicious Russian scanning activity. SecureSky and other providers have been seeing the following indicators, and thousands of others, based on volumes, behavior, and threat intelligence, such as the FBI's latest report referenced below. Below are hunting queries you can use to check your environments.
URL reference to FBI Flash Report on Cyber Actors Perform Increased Reconnaissance of US Energy Sector Networks from Russia-Based IP Addresses:
https://www.politico.com/f/?id=0000017f-b3dc-d9e9-a57f-b3dd0a2b0000
To be clear, many of these IP addresses have been scanning for years. This technique is used not only by state actors, but also cyber criminals, to discover parameter exposures of organizations.
CAUTION: Many of these IPs may produce false-positives, all threat intelligence indicators need to be maintained, curated, and situationally evaluated.
Query 1: Russian IP Traffic Volume - From FortiGate Firewall Logs Using Sentinel's Watchlist
let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join CommonSecurityLog
on $left.IPAddress == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface
Query 2: Russian IP Traffic Volume - From FortiGate Firewall Logs Not Using Sentinel's Watchlist
let lookbacktime=60d;
let RussianScanners220324 = datatable(RussianIP:string)
["109.237.103.38","151.236.101.19","151.236.104.2","151.236.106.4","151.236.110.2","151.236.115.20","151.236.118.2","151.236.119.2","151.236.126.6","151.236.127.2","151.236.64.24","151.236.81.2","151.236.82.3","151.236.89.13","151.236.89.26","151.236.92.2","151.236.95.2","151.236.99.9","162.62.191.231","178.46.212.0","178.49.133.3","185.167.121.66","185.177.114.98","185.25.61.6","185.3.142.3","185.31.114.25","185.31.115.10","185.94.111.1","188.127.251.15","188.191.1.66","188.43.225.61","193.169.53.130","193.33.133.130","195.210.169.98","212.109.204.130","212.188.11.50","212.188.22.66","212.19.24.64","212.83.8.79","217.13.220.66","217.150.58.9","31.200.250.4","31.28.1.226","37.60.16.54","37.8.145.2","46.161.54.57","5.188.152.194","5.61.11.123","62.152.61.227","62.78.86.130","77.243.112.122","79.141.210.2","81.163.32.42","84.47.151.67","89.188.167.130","89.223.4.2","91.231.236.41","91.231.237.2","91.231.239.2","91.238.110.2","91.238.111.8","92.63.196.25","92.63.196.61","92.63.197.71","93.92.69.34","95.182.106.43","109.95.198.12","176.192.99.26","213.110.249.145","80.254.126.75","92.124.140.196","95.182.105.135","185.141.225.2","185.214.76.130","31.180.165.127","46.149.110.195","5.45.234.205","37.18.24.16","194.190.76.41","213.155.156.184","94.100.180.197","194.190.76.44","151.236.127.145","213.180.204.90","81.19.74.2","104.16.18.94","104.16.19.94","104.18.10.207","104.18.11.207"
"104.46.162.224","104.46.162.226","13.69.109.130","13.69.109.131","13.69.116.104","13.69.239.72","13.69.239.73","13.69.239.74","13.78.111.198","144.172.118.37","146.88.240.248","146.88.240.4","149.154.167.51","149.154.167.91","149.154.175.100","149.154.175.50","149.154.175.55","154.89.5.86","183.136.226.3","183.136.226.4","185.184.8.65","193.107.216.228","193.46.255.60","20.50.201.195","20.50.201.200","20.50.73.10","20.50.80.209","20.50.80.210","20.54.89.106","20.54.89.15","200.73.138.230","3.126.56.137","31.220.3.140","34.98.64.218","35.190.43.134","35.244.159.8","40.79.197.35","45.143.200.50","45.143.203.3","45.146.165.165","45.146.165.37","45.148.10.241","51.104.15.252","51.105.71.136","51.132.193.105","51.89.124.57","62.210.13.20","80.82.77.193","89.248.163.140","89.248.165.202","89.248.165.60"];
RussianScanners220324
|join CommonSecurityLog
on $left.RussianIP == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface
Query 3.A: Query Any IPs Within SigninLogs
let lookbacktime=100d;
_GetWatchlist('RussianScanners220324')
|join SigninLogs
on $left.RussianIP == $right.IPAddress
|where TimeGenerated >ago(lookbacktime)
Query 3.B: Query Any IPs Within Okta Logs
let lookbacktime=100d;
RussianScanners220324
|join Okta_CL
on $left.RussianIP == $right.client_ipAddress_s
|where TimeGenerated >ago(lookbacktime)
Query 3.C: Query Any IPs Within Azure VMs
let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join VMConnection
on $left.IPAddress == $right.SourceIp
|where TimeGenerated >ago(lookbacktime)
|summarize sum=count() by bin(TimeGenerated,1d), SourceIp, DestinationIp,DestinationPort,Direction
If you need any additional help or details on how to integrate IOCs into Sentinel's threat intelligence repository, workbooks, hunting queries, etc. feel free to reach out to us. Please subscribe to our blog to stay updated on security trends and threats.