In light of growing cybersecurity concerns and response to our community's feedback on a recent LinkedIn update, there's a pressing need for Microsoft Sentinel users to effectively monitor their digital environments for suspicious activities, particularly those originating from potentially malicious sources. SecureSky, alongside other cybersecurity entities, has observed a notable uptick in scanning activities that bear the hallmarks of sophisticated cyber threats, as highlighted by recent threat intelligence reports, including those from the FBI.
The ability to proactively search for and identify these threats within your environment is crucial for maintaining a robust cybersecurity posture. To aid in this endeavor, we're sharing custom hunting queries specifically designed for Microsoft Sentinel. These queries are tailored to detect signs of malicious scanning activities, leveraging insights from observed indicators of compromise (IOCs), behavioral patterns, and the latest cybersecurity intelligence.
Custom Hunting Queries for Microsoft Sentinel
The essence of these hunting queries lies in their ability to sift through vast amounts of data to pinpoint activities that could signify a breach or an attempted breach. By focusing on specific indicators and patterns associated with malicious Russian scanning activities, among others, these queries enable security teams to take a proactive stance in their cybersecurity efforts.
Here's how you can implement these custom queries within your Microsoft Sentinel environment to enhance your threat detection capabilities:
To be clear, many of these IP addresses have been scanned for years. This technique is used not only by state actors but also by cybercriminals, to discover parameter exposures of organizations.
CAUTION: Many of these IPs may produce false positives, all threat intelligence indicators need to be maintained, curated, and situationally evaluated.
Query 1: Russian IP Traffic Volume - From FortiGate Firewall Logs Using Sentinel's Watchlist
let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join CommonSecurityLog
on $left.IPAddress == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface
Query 2: Russian IP Traffic Volume - From FortiGate Firewall Logs Not Using Sentinel's Watchlist
let lookbacktime=60d;
let RussianScanners220324 = datatable(RussianIP:string)
["109.237.103.38","151.236.101.19","151.236.104.2","151.236.106.4","151.236.110.2","151.236.115.20","151.236.118.2","151.236.119.2","151.236.126.6","151.236.127.2","151.236.64.24","151.236.81.2","151.236.82.3","151.236.89.13","151.236.89.26","151.236.92.2","151.236.95.2","151.236.99.9","162.62.191.231","178.46.212.0","178.49.133.3","185.167.121.66","185.177.114.98","185.25.61.6","185.3.142.3","185.31.114.25","185.31.115.10","185.94.111.1","188.127.251.15","188.191.1.66","188.43.225.61","193.169.53.130","193.33.133.130","195.210.169.98","212.109.204.130","212.188.11.50","212.188.22.66","212.19.24.64","212.83.8.79","217.13.220.66","217.150.58.9","31.200.250.4","31.28.1.226","37.60.16.54","37.8.145.2","46.161.54.57","5.188.152.194","5.61.11.123","62.152.61.227","62.78.86.130","77.243.112.122","79.141.210.2","81.163.32.42","84.47.151.67","89.188.167.130","89.223.4.2","91.231.236.41","91.231.237.2","91.231.239.2","91.238.110.2","91.238.111.8","92.63.196.25","92.63.196.61","92.63.197.71","93.92.69.34","95.182.106.43","109.95.198.12","176.192.99.26","213.110.249.145","80.254.126.75","92.124.140.196","95.182.105.135","185.141.225.2","185.214.76.130","31.180.165.127","46.149.110.195","5.45.234.205","37.18.24.16","194.190.76.41","213.155.156.184","94.100.180.197","194.190.76.44","151.236.127.145","213.180.204.90","81.19.74.2","104.16.18.94","104.16.19.94","104.18.10.207","104.18.11.207"
"104.46.162.224","104.46.162.226","13.69.109.130","13.69.109.131","13.69.116.104","13.69.239.72","13.69.239.73","13.69.239.74","13.78.111.198","144.172.118.37","146.88.240.248","146.88.240.4","149.154.167.51","149.154.167.91","149.154.175.100","149.154.175.50","149.154.175.55","154.89.5.86","183.136.226.3","183.136.226.4","185.184.8.65","193.107.216.228","193.46.255.60","20.50.201.195","20.50.201.200","20.50.73.10","20.50.80.209","20.50.80.210","20.54.89.106","20.54.89.15","200.73.138.230","3.126.56.137","31.220.3.140","34.98.64.218","35.190.43.134","35.244.159.8","40.79.197.35","45.143.200.50","45.143.203.3","45.146.165.165","45.146.165.37","45.148.10.241","51.104.15.252","51.105.71.136","51.132.193.105","51.89.124.57","62.210.13.20","80.82.77.193","89.248.163.140","89.248.165.202","89.248.165.60"];
RussianScanners220324
|join CommonSecurityLog
on $left.RussianIP == $right.SourceIP
|where TimeGenerated >ago(lookbacktime)
|where TimeGenerated >ago(lookbacktime)
|extend Activity=case(Activity contains "deny","deny",Activity contains "accept", "accept",Activity contains "timeout","timeout",Activity)
| where Activity !contains "deny"
|summarize sum=count() by bin(TimeGenerated,1d),Activity, SourceIP, DestinationIP//,DestinationPort, Message, DeviceInboundInterface, DeviceOutboundInterface
Query 3.A: Query Any IPs Within SigninLogs
let lookbacktime=100d;
_GetWatchlist('RussianScanners220324')
|join SigninLogs
on $left.RussianIP == $right.IPAddress
|where TimeGenerated >ago(lookbacktime)
Query 3.B: Query Any IPs Within Okta Logs
let lookbacktime=100d;
RussianScanners220324
|join Okta_CL
on $left.RussianIP == $right.client_ipAddress_s
|where TimeGenerated >ago(lookbacktime)
Query 3.C: Query Any IPs Within Azure VMs
let lookbacktime=60d;
_GetWatchlist('RussianScanners220324')
|join VMConnection
on $left.IPAddress == $right.SourceIp
|where TimeGenerated >ago(lookbacktime)
|summarize sum=count() by bin(TimeGenerated,1d), SourceIp, DestinationIp,DestinationPort,Direction
Implementing Effective Cybersecurity Measures
The deployment of these hunting queries within Microsoft Sentinel is just one component of a comprehensive cybersecurity strategy. Organizations must also ensure they have the right mix of preventive measures, detection capabilities, and response protocols in place to effectively counteract the myriad of threats facing their digital assets today.
SecureSky remains committed to providing actionable insights and tools to help organizations navigate the complex cybersecurity landscape. By leveraging Microsoft Sentinel's powerful capabilities in conjunction with custom hunting queries, security teams can significantly enhance their ability to detect and respond to malicious scanning activities and other cyber threats.
For more detailed guidance on implementing these hunting queries and bolstering your cybersecurity defenses, visit SecureSky's blog and resource center.