3CXBeaconingKQLQuery

KQL to detect beaconing to IOCs from the 3CX compromise

Sentinel DNSEvents query

let IOC = dynamic(["akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com", "visualstudiofactory.com","zacharryblogs.com"]);
DnsEvents
| where Name in~ (IOC)

MDE Advanced Hunting

let IOC = dynamic(["akamaicontainer.com","akamaitechcloudservices.com","azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org","msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com", "visualstudiofactory.com","zacharryblogs.com"]);
DeviceNetworkEvents
| where RemoteUrl in~ (IOC)

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
Azure_Sentinel_analytic_rule.json		Azure_Sentinel_analytic_rule.json
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

3CXBeaconingKQLQuery

Sentinel DNSEvents query

MDE Advanced Hunting

About

Releases

Packages

License

PCNZ/3CXBeaconingKQLQuery

Folders and files

Latest commit

History

Repository files navigation

3CXBeaconingKQLQuery

Sentinel DNSEvents query

MDE Advanced Hunting

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Packages