{
	"id": "419ba02a-69c8-44f4-9332-34bd868ebc70",
	"created_at": "2026-04-06T00:18:55.700099Z",
	"updated_at": "2026-04-10T03:24:44.600323Z",
	"deleted_at": null,
	"sha1_hash": "a9e9b9d06eb74e7b7b852ff10ad439527675f2ef",
	"title": "SolarWinds Post-Compromise Hunting with Azure Sentinel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 378828,
	"plain_text": "SolarWinds Post-Compromise Hunting with Azure Sentinel\r\nBy shainw\r\nPublished: 2020-12-16 · Archived: 2026-04-05 13:26:22 UTC\r\n\"}},\"componentScriptGroups({\\\"componentId\\\":\\\"custom.widget.SocialSharing\\\"})\":\r\n{\"__typename\":\"ComponentScriptGroups\",\"scriptGroups\":\r\n{\"__typename\":\"ComponentScriptGroupsDefinition\",\"afterInteractive\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"AFTER_INTERACTIVE\",\"scriptIds\":[]},\"lazyOnLoad\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"LAZY_ON_LOAD\",\"scriptIds\":[]}},\"componentScripts\":\r\n[]},\"component({\\\"componentId\\\":\\\"custom.widget.MicrosoftFooter\\\"})\":\r\n{\"__typename\":\"Component\",\"render({\\\"context\\\":{\\\"component\\\":{\\\"entities\\\":[],\\\"props\\\":{}},\\\"page\\\":{\\\"entities\\\":\r\n[\\\"message:1995095\\\"],\\\"name\\\":\\\"BlogMessagePage\\\",\\\"props\\\":\r\n{},\\\"url\\\":\\\"https://techcommunity.microsoft.com/blog/microsoftsentinelblog/solarwinds-post-compromise-hunting-with-azure-sentinel/1995095\\\"}}})\":{\"__typename\":\"ComponentRenderResult\",\"html\":\"\r\n\"}},\"componentScriptGroups({\\\"componentId\\\":\\\"custom.widget.MicrosoftFooter\\\"})\":\r\n{\"__typename\":\"ComponentScriptGroups\",\"scriptGroups\":\r\n{\"__typename\":\"ComponentScriptGroupsDefinition\",\"afterInteractive\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"AFTER_INTERACTIVE\",\"scriptIds\":[]},\"lazyOnLoad\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"LAZY_ON_LOAD\",\"scriptIds\":[]}},\"componentScripts\":\r\n[]},\"cachedText({\\\"lastModified\\\":\\\"1775111750899\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/community/NavbarDropdownToggle\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111750899\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111750899\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/me
65\n\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.accepted_solutions.action_allow.message.mark_as_accepted_solution.accessDenied\",\"k\r\n[]}},\"canRejectSolution\":{\"__typename\":\"PolicyResult\",\"failureReason\":\r\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.accepted_solutions.action_allow.message.unmark_as_accepted_solution.accessDenied\"\r\n[]}},\"canTag\":{\"__typename\":\"PolicyResult\",\"failureReason\":\r\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.labels.action.labelableentity.set_labels.allow.accessDenied\",\"key\":\"error.lithium.policie\r\n[]}},\"canEdit\":{\"__typename\":\"PolicyResult\",\"failureReason\":\r\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.forums.action_allow.edit_message.accessDenied\",\"key\":\"error.lithium.policies.forums.\r\n[]}},\"canKudo\":{\"__typename\":\"PolicyResult\",\"failureReason\":\r\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.kudos.action.entity.give_kudos.allow.accessDenied\",\"key\":\"error.lithium.policies.kudo\r\n[]}}},\"contentWorkflow\":\r\n{\"__typename\":\"ContentWorkflow\",\"state\":\"PUBLISH\",\"scheduledPublishTime\":null,\"scheduledTimezone\":null,\"userContext\":\r\n{\"__typename\":\"MessageWorkflowContext\",\"canSubmitForReview\":null,\"canEdit\":false,\"canRecall\":null,\"canSubmitForPublication\":null,\"canReturnTo\r\n{\"__ref\":\"ModerationData:moderation_data:1995095\"},\"teaser\":\"\\n\r\nMicrosoft recently blogged about the Recent Nation-State Cyber Attacks that has impacted high value targets both across the\r\ngovernment and private sector. This attack is also known as Solorigate or Sunburst.\r\n\",\"body\":\"\r\nMSTIC has released a number of new hunting and detection queries for Azure Sentinel based on additional observations as\r\nwell as research released by partners and the wider community. 
In addition, the SolarWinds post compromise hunting\r\nworkbook has been updated to include a number of new sections.  \r\n\\n\r\nBlog sections have been marked with Updated and include the date they were last updated.\r\n\\n\\n\r\nMicrosoft recently blogged about the Recent Nation-State Cyber Attacks that has impacted high value targets both across the\r\ngovernment and private sector. This attack is also known as Solorigate or Sunburst. This threat actor is believed to be highly\r\nsophisticated and motivated. Relevant security data required for hunting and investigating such a complex attack is produced\r\nin multiple locations - cloud, on-premises and across multiple security tools and product logs.  Being able to analyze all the\r\ndata from a single point makes it easier to spot trends and attacks. Azure Sentinel has made it easy to collect data from\r\nmultiple data sources across different environments both on-prem and cloud with the goal of connecting that data together\r\nmore easily. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is\r\navailable by default in Azure Sentinel or can be onboarded to Azure Sentinel. \r\n\\n\\n\r\nAssociated content details:\r\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\r\nThe goal of this article is post-compromise investigation strategies and is focused on TTPs and not focused on specific\r\nIOCs.  Azure Sentinel customers are encouraged to review advisories and IOC’s shared by Microsoft MSRC and security\r\npartners to search on specific IOC’s in their environment using Azure Sentinel.  Links to these IOC’s are listed in the\r\nreference section at the end.\r\n\\n\\n\r\nTo make it easier for security teams to visualize and monitor their environments for this attack the MSTIC team has shared a\r\nSolarWinds Post Compromise hunting workbook via Azure Sentinel and Azure Sentinel GitHub. 
There are many things in\r\nthis workbook that threat hunters would find useful and the workbook is complimentary to the hunting methods shared\r\nbelow. Importantly, if you have recently rotated ADFS key material this workbook can be useful in identifying attacker\r\nlogon activity if they logon with old key material. Security teams should leverage this hunting workbook as part of their\r\nworkflow in investigating this attack.\r\n\\n\\n\r\nThanks to the MSTIC and M365 teams for collaborating to deliver this content in a timely manner. Special thanks\r\nto aprakash13, Ashwin_Patil, Pete Bryan, ItsReallyNick, Chris Glyer, Cyb3rWard0g, Tim Burrell (MSTIC), Rob\r\nMead, TomMcElroy, Elia Florio, Corina Feuerstein, Ramin Nafisi, Michael Matonis. \r\n\\n\\n\r\nPlease note that since Azure Sentinel and the M365 Advanced Hunting portal share the same query language and share\r\nsimilar data types, all of the referenced queries can be used directly or slightly modified to work in both.\r\n\\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 6 of 65\n\nAs shared in Microsoft’s technical blog – Customer Guidance on Recent Nation-state Cyber Attacks - attackers might have\r\ncompromised the internal build systems or the update distribution systems of SolarWinds Orion software then modified a\r\nDLL component in the legitimate software and embedded backdoor code that would allow these attackers to remotely\r\nperform commands or deliver additional payloads. Below is a representation of various attack stages which you can also see\r\nin Microsoft Threat Protection (MTP) portal.  Note that if you do not have Microsoft Threat Protection this link will not\r\nwork for you.\r\n\\n\\n\\n\\n\r\nTo hunt for similar TTPs used in this attack, a good place to start is to build an inventory of the machines that have\r\nSolarWinds Orion components. 
Organizations might already have a software inventory management system to indicate hosts\r\nwhere the SolarWinds application is installed. Alternatively, Azure Sentinel could be leveraged to run a simple query to\r\ngather similar details. Azure Sentinel collects data from multiple different logs that could be used to gather this information.\r\nFor example, through the recently released Microsoft 365 Defender connector, security teams can now easily ingest\r\nMicrosoft 365 raw data into Azure Sentinel. Using the ingested data, a simple query like below can be written that will pull\r\nthe hosts with SolarWinds process running in last 30 days based on Process execution either via host on boarded to Sentinel\r\nor on boarded via Microsoft Defender for Endpoints (MDE). The query also leverages the Sysmon logs that a lot of\r\ncustomers are collecting from their environment to surface the machines that have SolarWinds running on them. Similar\r\nqueries that leverage M365 raw data could also be run from the M365's Advanced hunting portal.\r\n\\n\\n\r\nSolarWinds Inventory check query\r\n\\n\r\nSpoiler\r\n\\n\r\n\\n\r\nlet timeframe = 30d; \r\n\\n\r\n(union isfuzzy=true \r\n\\n\r\n( \r\n\\n\r\nSecurityEvent \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\n| where EventID == '4688' \r\n\\n\r\n| where tolower(NewProcessName) has 'solarwinds' \r\n\\n\r\n| extend MachineName = Computer , Process = NewProcessName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n), \r\n\\n\r\n( \r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 7 of 65\n\n\\n\r\nDeviceProcessEvents \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\n| where tolower(InitiatingProcessFolderPath) has 'solarwinds' \r\n\\n\r\n| extend MachineName = DeviceName , Process = 
InitiatingProcessFolderPath, Account = AccountName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n), \r\n\\n\r\n( \r\n\\n\r\nEvent \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \r\n\\n\r\n| where EventID == 1 \r\n\\n\r\n| extend Image = EventDetail.[4].[\\\"#text\\\"] \r\n\\n\r\n| where tolower(Image) has 'solarwinds' \r\n\\n\r\n| extend MachineName = Computer , Process = Image, Account = UserName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n) \r\n\\n\r\n) \r\n\\n\r\n\\n\r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 8 of 65\n\nOn systems where the malicious SolarWinds DLL (SolarWinds.Orion.Core.BusinessLayer.dll) is running, it is known that\r\nthe attacker used a hardcoded named pipe '583da945-62af-10e8-4902-a8f205c72b2e' to conduct various checks as well as to\r\nensure only one instance of the backdoor was running. The use of named pipes by malware is not uncommon as it provides a\r\nmechanism for communication between processes. This activity by the malware can be detected if you are collecting\r\nSysmon (Event Id 17/18) or Security Event Id 5145 in your Azure Sentinel workspace. The Solorigate Named Pipe detection\r\nshould not be considered reliable on its own as the creation of just the hardcoded named pipe does not indicate that the\r\nmalicious code was completely triggered, and the machine beaconed out or received additional commands. 
However,\r\npresence of this is definitely suspicious and should warrant further in-depth investigation.\r\n\\n\r\nSpoiler\r\nlet timeframe = 1d;\r\n(union isfuzzy=true\r\n(Event\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| where EventID in (17,18)\r\n| extend EvData = parse_xml(EventData)\r\n| extend EventDetail = EvData.DataItem.EventData.Data\r\n| extend NamedPipe = EventDetail.[5].[\\\"#text\\\"]\r\n| extend ProcessDetail = EventDetail.[6].[\\\"#text\\\"]\r\n| where NamedPipe contains '583da945-62af-10e8-4902-a8f205c72b2e'\r\n| extend Account = UserName\r\n| project-away EventDetail, EvData\r\n),\r\n(\r\nSecurityEvent\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where EventID == '5145'\r\n| where AccessList has '%%4418' // presence of CreatePipeInstance value\r\n| where RelativeTargetName contains '583da945-62af-10e8-4902-a8f205c72b2e'\r\n)\r\n)\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\r\n\\n\\n\r\nOnce the adversary acquires an initial foothold on a system through the SolarWinds process, they will have System account level\r\naccess; the attacker will then attempt to elevate to domain admin level access to the environment. The Microsoft Threat\r\nIntelligence Center (MSTIC) team has already delivered multiple queries into Azure Sentinel that identify similar TTPs, and\r\nmany are also available in M365. 
These methodologies are not specific to just this threat actor or this attack but have been\r\nseen in various attack campaigns.\r\n\\n\r\nIdentifying abnormal logon activities or additions to privileged groups is one way to identify privilege escalation.\r\n\\n\\n\r\n\\n\r\nChecking for hosts with new logons to identify potential lateral movement by the attacker.\r\n\\n\r\nLook for any new account being created and added to built-in administrators group.\r\n\\n\r\nLook for any user account added to privileged built in domain local or global groups, including adding accounts to a\r\ndomain privileged group such as Enterprise Admins, Cert Publishers or DnsAdmins.\r\n\\n\r\nMonitor for rare activity by a high-value account carried out on a system or service.\r\n\\n\r\n\\n\r\nRelated to this attack, in some environments service account credentials had been granted administrative privileges. The\r\nabove queries can be modified to remove the condition of focusing “User” accounts by commenting the query to include\r\nservice accounts in the scope where applicable:\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 9 of 65\n\n\\n\\n\r\n//| where AccountType == \\\"User\\\"\r\n\\n\\n\r\nPlease see the Azure Sentinel Github for additional queries and hunting ideas related to Accounts under the Detections and\r\nHunting Queries sections for AuditLogs, and SecurityEvents\r\n\\n\r\nMicrosoft 365 Defender team has also shared quite a few sample queries for use in their advanced hunting portal that could\r\nbe leveraged to detect this part of the attack. 
Additionally, the logic for many of the Azure Sentinel queries can also be\r\ntransformed to equivalent queries for Microsoft 365 Defender, that could be run in their Advanced Hunting Portal.\r\n\\n\r\nMicrosoft 365 Defender has an upcoming complimentary blog that will be updated here once available.\r\n\\n\\n\\n\r\nThe next step in the attack was stealing the certificate that signs SAML tokens from the federation server (ADFS) called a\r\nToken Signing Cert (TSC). SAML Tokens are basically XML representations of claims.  You can read more about ADFS in\r\nWhat is federation with Azure AD? | Microsoft Docs and SAML at Azure Single Sign On SAML Protocol - Microsoft\r\nidentity platform | Microsoft Docs. The process is as follows:\r\n\\n\r\n\\n\r\n1. A client requests a SAML token from an ADFS Server by authenticating to that server using Windows credentials.\r\n\\n\r\n2. The ADFS server issues a SAML token to the client.\r\n\\n\r\n3. The SAML token is signed with a certificate associated with the server.\r\n\\n\r\n4. The client then presents the SAML token to the application that it needs access to.\r\n\\n\r\n5. The signature over the SAML token tells the application that the security token service issued the token and grants\r\naccess to the client.\r\n\\n\r\n\\n\\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nThe implication of stealing the Token Signing Cert (TSC) is that once the certificate has been acquired, the actor can forge\r\nSAML (Security Assertions Markup Language) tokens with whatever claims and lifetime they choose, then sign it with the\r\ncertificate that has been acquired.  Microsoft continues to strongly recommend securing your AD FS (Active Directory\r\nFederation Service) TSC because if these TSC’s are acquired by a bad actor, this then enables the actor to forge SAML\r\ntokens that impersonate highly privileged accounts.  
There are publicly available pen-testing tools like ADFSDump and\r\nADFSpoof that help with extracting required information from the AD FS configuration database to generate the forged\r\nsecurity tokens.  While we have not confirmed these specific tools were used in this attack, they are useful for simulating the\r\nattack behavior or executing a similar attack and therefore, Microsoft has created a high-fidelity detection related to this for\r\nM365 Defender:\r\n\\n\r\n\\n\r\nADFS private key extraction which detects ADFS private key extraction patterns from tools such as ADFSDump.\r\n\\n\r\n\\n\r\nNote: Any M365 Defender alert can be seen in Azure Sentinel Security Alerts or in the M365 security portal.\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 10 of 65\n\nThe TTP (tactics, techniques, and procedures) observed in the Solorigate attack is the creation of a legitimate SAML token\r\nused to authenticate as any user. One way an attacker could achieve this is by compromising AD FS key\r\nmaterial. Microsoft has a new detection for this as stated above and for Azure Sentinel has also created a Windows Event\r\nLog based detection that indicates an ADFS DKM Master Key Export. As part of the update for this query to the Azure\r\nSentinel GitHub, there is a detailed write up for why this is interesting along with a subsequent addition providing clarity on\r\nhow to get 4662 events to fire.  
This detection should not be considered reliable on its own but can identify suspicious\r\nactivity that warrants further investigation.\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nSpoiler\r\n\\n\r\n (union isfuzzy=true (SecurityEvent\r\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created.\r\n| where ObjectServer == 'DS'\r\n| where OperationType == 'Object Access'\r\n//| where ObjectName contains '\u003cGUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check\r\ndescription for more details.\r\n| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class\r\n| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name:\r\nthumbnailPhoto\r\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\r\n(DeviceEvents\r\n| where ActionType =~ \\\"LdapSearch\\\"\r\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\r\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to\r\nshow only hits related to the ADFS AD container\r\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity =\r\nInitiatingProcessAccountName)\r\n)\r\n\\n\r\n\\n\r\nUpdated 12/19/2020\r\n\\n\r\nMSTIC has developed another detection for ADFS server key export events. This detection leverages the visibility provided\r\nby Sysmon and provides a more reliable detection method than that covered in the Windows Event Log detection. 
For this\r\ndetection to be effective you must be collecting Sysmon Event IDs 17 and 18 into your Azure Sentinel workspace.\r\n\\n\r\nSpoiler\r\n// Adjust this to use a longer timeframe to identify ADFS servers\r\nlet lookback = 6d;\r\n// Adjust this to adjust the key export detection timeframe\r\nlet timeframe = 1d;\r\n// Start be identifying ADFS servers to reduce FP chance\r\nlet ADFS_Servers = (\r\nEvent\r\n| where TimeGenerated \u003e ago(timeframe+lookback)\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-expand bagexpansion=array EventData\r\n| evaluate bag_unpack(EventData)\r\n| extend Key=tostring(['@Name']), Value=['#text']\r\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID,\r\nUserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\r\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 11 of 65\n\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\r\n| summarize by Computer);\r\n// Look for ADFS servers where Named Pipes event are present\r\nEvent\r\n| where TimeGenerated \u003e ago(timeframe)\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| where Computer in~ (ADFS_Servers)\r\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\r\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-expand bagexpansion=array EventData\r\n| evaluate bag_unpack(EventData)\r\n| extend Key=tostring(['@Name']), Value=['#text']\r\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID,\r\nUserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\r\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = 
column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\r\nTechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\r\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\r\n| where EventID in (17,18)\r\n// Look for Pipe related to querying the WID\r\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\r\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\r\n// Exclude expected processes\r\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\",\r\n\\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\r\n| extend Operation = RenderedDescription\r\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\r\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\r\n\\n\r\nOutside of directly looking for tools, this adversary may have used custom tooling so looking for anomalous process\r\nexecutions or anomalous accounts logging on to our ADFS server can give us some clue when such attacks happen. Azure\r\nSentinel provides queries that can help to:\r\n\\n\r\n\\n\r\nFind rare anomalous process in your environment.\r\n\\n\r\nAlso look for rare processes run by service accounts\r\n\\n\r\nOr uncommon processes that are in the bottom 5% of all the process.\r\n\\n\r\nIn some instances, there is a rare command line syntax related to DLL loading, you can adjust these queries to also\r\nlook at rarity on the command line.\r\n\\n\r\n\\n\r\nEvery environment is different and some of these queries being generic could be noisy. 
So, in the first step a good approach\r\nwould be to limit this kind of hunting to our ADFS server.\r\n\\n\\n\\n\r\nHaving gained a significant foothold in the on prem environment, the actor also targeted the Azure AD of some of the\r\ncompromised organizations and made modifications to Azure AD settings to facilitate long term access. Microsoft has\r\nshared many relevant queries through the Azure Sentinel GitHub to identify these actions.\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nOne such activity is related to modifying domain federation trust settings. A federation trust signifies the\r\nestablishment of authentication and authorization trust between two organizations so that users located in partner\r\norganizations can send authentication and authorization requests successfully.\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 12 of 65\n\n\\n\r\n\\n\r\nWhile not specifically seen in this attack, tracking federation trust modifications is important. The Azure Sentinel\r\nquery for domain federation trust settings modification will alert when a user or application modifies the federation\r\nsettings on the domain particularly when a new Active Directory Federated Service (ADFS) Trusted Realm object,\r\nsuch as a signing certificate, is added to the domain or there is an update to domain authentication from managed\r\nto federated. Modification to domain federation settings should be rare and this should be treated as a high-fidelity\r\nalert that Azure AD and Azure Sentinel users should follow up on.\r\n\\n\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nThe original purpose of the STSRefreshTokenModification low severity, hunting-only query was to demonstrate an event\r\nthat has token validity time periods in it and demonstrate how one could monitor for anomalous/edited tokens. 
We have\r\ndetermined that this event only fires on the manual expiration of the StsRefreshToken by an admin (or the user). These types\r\nof events are most often generated when legitimate administrators troubleshoot frequent AAD (Azure AD) user sign-ins. To\r\navoid any confusion with Solorigate investigation and hunting, we have removed this section from the blog.\r\n\\n\\n\r\nAnother such activity is adding access to the Service Principal or Application.  If a threat actor obtains access to an\r\nApplication Administrator account, they may configure alternate authentication mechanisms for direct access to any of the\r\nscopes and services available to the Service Principal. With these privileges, the actor can add alternative authentication\r\nmaterial for direct access to resources using this credential.\r\n\\n\r\n\\n\r\nIdentify where the verify KeyCredential has been updated with New access credential added to Application or\r\nService Principal.\r\n\\n\r\n\\n\r\nUpdated 12/20/2020\r\n\\n\r\n\\n\r\nIdentify where the verify KeyCredential was not present and has now had its First access credential added to\r\nApplication or Service Principal where no credential was previously present.\r\n\\n\r\n\\n\\n\r\nSpoiler\r\n\\n\r\nNew access credential added to Application or Service Principal\r\nlet auditLookback = 1h;\r\nAuditLogs\r\n| where TimeGenerated \u003e ago(auditLookback)\r\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add\r\nservice principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application – Certificates and secrets management\\\"\r\nevents\r\n| where Result =~ \\\"success\\\"\r\n| mv-expand target = TargetResources\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\r\n| extend targetId = 
tostring(TargetResources[0].id)\r\n| extend targetType = tostring(TargetResources[0].type)\r\n| extend keyEvents = TargetResources[0].modifiedProperties\r\n| mv-expand keyEvents\r\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 13 of 65\n\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\r\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\r\n| where old_value_set != \\\"[]\\\"\r\n| extend diff = set_difference(new_value_set, old_value_set)\r\n| where isnotempty(diff)\r\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string\r\n\\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\r\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\r\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\r\n| extend InitiatingUserOrApp =\r\niff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName),\r\ntostring(InitiatedBy.app.displayName))\r\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress),\r\ntostring(InitiatedBy.app.ipAddress))\r\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or\r\nonly Service Principal events in their environment\r\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\r\n| project-away diff, new_value_set, old_value_set\r\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent,\r\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity 
= InitiatingIpAddress\r\n\\n\r\nFirst access credential added to Application or Service Principal where no credential was present\r\nlet auditLookback = 1h;\r\nAuditLogs\r\n| where TimeGenerated \u003e ago(auditLookback)\r\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add\r\nservice principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application – Certificates and secrets management\\\"\r\nevents\r\n| where Result =~ \\\"success\\\"\r\n| mv-expand target = TargetResources\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\r\n| extend targetId = tostring(TargetResources[0].id)\r\n| extend targetType = tostring(TargetResources[0].type)\r\n| extend keyEvents = TargetResources[0].modifiedProperties\r\n| mv-expand keyEvents\r\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\r\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\r\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\r\n| where old_value_set == \\\"[]\\\"\r\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\"\r\nkeyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\r\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\r\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\r\n| extend InitiatingUserOrApp =\r\niff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName),\r\ntostring(InitiatedBy.app.displayName))\r\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress),\r\ntostring(InitiatedBy.app.ipAddress))\r\n// The below line is currently commented out but Azure Sentinel 
users can modify this query to show only Application or\r\nonly Service Principal events in their environment\r\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\r\n| project-away new_value_set, old_value_set\r\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent,\r\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\r\n\\n\r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 14 of 65\n\nThis threat actor has been observed using applications to read users' mailboxes within a target environment. To help identify\r\nthis activity, MSTIC has created a hunting query that looks for applications that have been granted mailbox read permissions\r\nfollowed by consent to this application. 
Whilst this may uncover legitimate applications hunters should validate applications\r\ngranted mail read permissions genuinely require them.\r\n\\n\r\nSpoiler\r\nAuditLogs\r\n| where Category =~ \\\"ApplicationManagement\\\"\r\n| where ActivityDisplayName =~ \\\"Add delegated permission grant\\\"\r\n| where Result =~ \\\"success\\\"\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\r\n| mv-expand props\r\n| extend UserAgent = tostring(AdditionalDetails[0].value)\r\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n| extend DisplayName = tostring(props.displayName)\r\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\r\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\r\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\r\n| extend Type = tostring(TargetResources[0].type)\r\n| project-away props\r\n| join kind=leftouter(\r\nAuditLogs\r\n| where ActivityDisplayName has \\\"Consent to application\\\"\r\n| extend AppName = tostring(TargetResources[0].displayName)\r\n| extend AppId = tostring(TargetResources[0].id)\r\n| project AppName, AppId, CorrelationId) on CorrelationId\r\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo,\r\nPermissions, AppName, AppId, CorrelationId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\r\n\\n\r\nIt’s also advised to hunt for application consents for unexpected applications, particularly where they provide offline access\r\nto data or other high value access;\r\n\\n\r\n\\n\r\nSuspicious application consent similar to O365 Attack Toolkit\r\n\\n\r\nSuspicious application 
consent for offline access\r\n\\n\r\n\\n\\n\r\nIn addition to Azure AD pre-compromise logon hunting it is also possible to monitor for logons attempting to use invalid\r\nkey material. This can help identify attempted logons using stolen key material made after key material has been rotated.\r\nThis can be done by querying SigninLogs in Azure Sentinel where the ResultType is 5000811. Please note that if you roll\r\nyour token signing certificate, there will be expected activity when searching on the above.\r\n\\n\\n\\n\r\nUpdated 12/27/2020\r\n\\n\r\nThe adversary will often attempt to access on-prem systems to gain further insight and mapping of the environment.  As\r\ndescribed in the Resulting hands-on-keyboard attack section of the Analyzing Solorigate blog by Microsoft, attackers\r\nrenamed windows administrative tools like adfind.exe which were then used for domain enumeration. An example of the\r\nprocess execution command line can look like this:\r\n\\n\\n\\n\\n\\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 15 of 65\n\nC:\\\\Windows\\\\system32\\\\cmd.exe /C csrss.exe -h breached.contoso.com -f (name=”Domain Admins”) member -list |\r\ncsrss.exe -h breached.contoso.com -f objectcategory=* \u003e .\\\\Mod\\\\mod1.log\r\n\\n\r\nWe have provided a query in the Azure Sentinel Github which will help in detecting the command line patterns related to\r\nADFind usage. 
You can customize this query to look at your specific DC/ADFS servers.\r\n\\n\r\nSpoiler\r\nlet startdate = 1d;\r\nlet lookupwindow = 2m;\r\nlet threshold = 3; //number of commandlines in the set below\r\nlet DCADFSServersList = dynamic ([\\\"DCServer01\\\", \\\"DCServer02\\\", \\\"ADFSServer01\\\"]); // Enter a reference list of\r\nhostnames for your DC/ADFS servers\r\nlet tokens =\r\ndynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain\r\nAdmins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\"]);\r\nSecurityEvent\r\n//| where Computer in (DCADFSServersList) // Uncomment to limit it to your DC/ADFS servers list if specified above or\r\nany pattern in hostnames (startswith, matches regex, etc).\r\n| where TimeGenerated between (ago(startdate) .. now())\r\n| where EventID == 4688\r\n| where CommandLine has_any (tokens)\r\n| where CommandLine matches regex \\\"(.*)\u003e(.*)\\\"\r\n| summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated,\r\nlookupwindow), Account, Computer, ParentProcessName, NewProcessName\r\n| extend Count = array_length(Commandlines)\r\n| where Count \u003e threshold\r\n\\n\r\nOn the remote execution side, there is a pattern that can be identified related to using alternate credentials than the currently\r\nlogged on user, such as when using the RUN AS feature on a Windows system and passing in explicit credentials.  We have\r\nreleased a query that will identify when execution is occurring via multiple explicit credentials against remote targets.  
This\r\nrequires that Windows Event 4648 is being collected as part of Azure Sentinel.\r\n\\n\\n\r\nSpoiler\r\nlet WellKnownLocalSIDs = \\\"S-1-5-[0-9][0-9]$\\\";\r\nlet protocols = dynamic(['cifs', 'ldap', 'RPCSS', 'host' , 'HTTP', 'RestrictedKrbHost', 'TERMSRV', 'msomsdksvc', 'mssqlsvc']);\r\nSecurityEvent\r\n| where TimeGenerated \u003e= ago(1d)\r\n| where EventID == 4648\r\n| where SubjectUserSid != 'S-1-0-0' // this is the Nobody SID which really means No security principal was included.\r\n| where not(SubjectUserSid matches regex WellKnownLocalSIDs) //excluding system account/service account as this is\r\ngenerally normal\r\n| where TargetInfo has '/' //looking for only items that indicate an interesting protocol is included\r\n| where Computer !has tostring(split(TargetServerName,'$')[0])\r\n| where TargetAccount !~ tostring(split(SubjectAccount,'$')[0])\r\n| extend TargetInfoProtocol = tolower(split(TargetInfo, '/')[0]), TargetInfoMachine = toupper(split(TargetInfo, '/')[1])\r\n| extend TargetAccount = tolower(TargetAccount), SubjectAccount = tolower(SubjectAccount)\r\n| extend UncommonProtocol = case(not(TargetInfoProtocol has_any (protocols)), TargetInfoProtocol, 'NotApplicable')\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), AccountsUsedCount =\r\ndcount(TargetAccount), AccountsUsed = make_set(TargetAccount), TargetMachineCount = dcount(TargetInfoMachine),\r\nTargetMachines = make_set(TargetInfoMachine), TargetProtocols = dcount(TargetInfoProtocol), Protocols =\r\nmake_set(TargetInfoProtocol), Processes = make_set(Process) by Computer, SubjectAccount, UncommonProtocol\r\n| where TargetMachineCount \u003e 1 or UncommonProtocol != 'NotApplicable'\r\n| extend ProtocolCount = array_length(Protocols)\r\n| extend ProtocolScore = case(\r\nProtocols has 'rpcss' and Protocols has 'host' and Protocols has 'cifs', 10, //observed in Solorigate and depending on which\r\nare used together the higher the 
score\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 16 of 65\n\nProtocols has 'rpcss' and Protocols has 'host', 5,\r\nProtocols has 'rpcss' and Protocols has 'cifs', 5,\r\nProtocols has 'host' and Protocols has 'cifs', 5,\r\nProtocols has 'ldap' or Protocols has 'rpcss' or Protocols has 'host' or Protocols has 'cifs', 1, //ldap is more commonly seen in\r\ngeneral, this was also seen with Solorigate but not usually to the same machines as the others above\r\nUncommonProtocol != 'NotApplicable', 3,\r\n0 //other protocols may be of interest, but in relation to observations for enumeration/execution in Solorigate they receive 0\r\n)\r\n| extend Score = ProtocolScore + ProtocolCount + AccountsUsedCount\r\n| where Score \u003e= 9 or (UncommonProtocol != 'NotApplicable' and Score \u003e= 4) // Score must be 9 or better as this will\r\ninclude 5 points for atleast 2 of the interesting protocols + the count of protocols (min 2) + the number of accounts used for\r\nexecution (min 2) = min of 9 OR score must be 4 or greater for an uncommon protocol\r\n| extend TimePeriod = EndTime - StartTime //This identifies the time between start and finish for the use of the explicit\r\ncredentials, shorter time period may indicate scripted executions\r\n| project-away UncommonProtocol\r\n| extend timestamp = StartTime, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer\r\n| order by Score desc\r\n\\n\\n\\n\r\nAccessing confidential data is one of the primary motives of this attack. Data access for the attacker here relied on\r\nleveraging minted SAML tokens to access user files/email stored in the cloud via compromised AppIds. 
One way to detect\r\nthis is when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory\r\nresources.\r\n\\n\\n\r\nMicrosoft Graph is one way that the attacker may be seen accessing resources and can help find what the attacker may have\r\naccessed using the Service principal Azure Active Directory sign-in logs. If you have data in your Log analytics you could\r\neasily plot a chart to see what anomalous activity is happening in your environment that is leveraging the graph. \r\n\\n\r\nUpdated 12/17/2020\r\n\\n\r\nNote that this data type in Azure Sentinel below is only available when additional Diagnostic Logging is enabled on the\r\nworkspace.  Please see the instructions in the expandable section below.\r\n\\n\r\nSpoiler\r\nThe AADServicePrincipalSigninLogs datatype will not be available in Azure Sentinel unless it is configured under\r\nDiagnostic Settings.  Please see screenshots below the query.\r\nAADServicePrincipalSignInLogs\r\n| where TimeGenerated \u003e ago(90d)\r\n| where ResourceDisplayName == \\\"Microsoft Graph\\\"\r\n| where ServicePrincipalId == \\\"524c43c4-c484-4f7a-bd44-89d4a0d8aeab\\\"\r\n| summarize count() by bin(TimeGenerated, 1h)\r\n| render timechart\r\nTo enable Service Principal Signin Logging, do the following:\r\n\\n\r\n\\n\\n\r\n\\n\\n\r\n\\n\r\n\\n\r\nUpdated 12/21/2020\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 17 of 65\n\nAdditionally, below is a sample query that brings out some of the logons to Azure AD where multi factor authentication was\r\nsatisfied by token based logons versus MFA via phone auth or the like. 
It is possible this could produce many results, so\r\nadditional tuning is suggested for your environment.\r\n\\n\r\nSpoiler\r\nSigninLogs\r\n| where TimeGenerated \u003e ago(30d)\r\n| where ResultType == 0\r\n| extend additionalDetails = tostring(Status.additionalDetails)\r\n| summarize make_set(additionalDetails), min(TimeGenerated), max(TimeGenerated) by IPAddress, UserPrincipalName\r\n| where array_length(set_additionalDetails) == 2\r\n| where (set_additionalDetails[1] == \\\"MFA requirement satisfied by claim in the token\\\" and set_additionalDetails[0] ==\r\n\\\"MFA requirement satisfied by claim provided by external provider\\\") or (set_additionalDetails[0] == \\\"MFA requirement\r\nsatisfied by claim in the token\\\" and set_additionalDetails[1] == \\\"MFA requirement satisfied by claim provided by external\r\nprovider\\\")\r\n//| project IPAddress, UserPrincipalName, min_TimeGenerated, max_TimeGenerated\r\n\\n\r\nUPDATED 12/17/2020\r\n\\n\r\nThis attack also used Virtual Private Servers (VPS) hosts to access victim networks and can be used in conjunction with the\r\nquery above. Both MSTIC and FireEye have reported attacker logon events coming from network ranges associated with\r\nVPS providers. In order to highlight these logons, MSTIC has created a new hunting query - Signins From VPS Providers -\r\n that looks for successful signins from network ranges associated with VPS providers. This is joined with the above query,\r\nthe new query looks for IPs that only display sign-ins based on tokens and not other MFA options, although this could be\r\nremoved if wanted. The list of VPS ranges in the query is not comprehensive and there is significant potential for false\r\npositives so results should be investigated before responding, however it can provide very effective signal. Combining the\r\nquery below with data that list VPS server ranges will make this a high-confidence hunting query. 
\r\n\\n\\n\r\nIn relation to the VPS servers section above, the previously mentioned workbook has a section that shows successful user\r\nsignins from VPS (Virtual Private Server) providers where only tokens were used to authenticate. This uses the new KQL\r\noperator ipv4_lookup to evaluate if a login came from a known VPS provider network range. This operator can alternatively\r\nbe used to look for all logons not coming from known ranges should your environment have a common logon source.\r\n\\n\\n\\n\r\nUpdated 12/20/2020\r\n\\n\r\nEmail data has been observed as a target for the Solorigate attackers, one way to monitor for potential suspicious access is to\r\nlook for anomalous MailItemsAccessed volumes. MSTIC has created a specific hunting query to identify Anomolous User\r\nAccessing Other Users Mailbox which can help to identify malicious activity related to this attack. Additionally, MSTIC\r\npreviously created a more generic detection - Exchange workflow MailItemsAccessed operation anomaly - which looks for\r\ntime series based anomalies in MailItemsAccessed events in the OfficeActivity log. 
\r\n\\n\r\nSpoiler\r\nAnomalous access to other user's mailboxes\r\nlet timeframe = 14d;\r\nlet user_threshold = 1;\r\nlet folder_threshold = 5;\r\nOfficeActivity\r\n| where TimeGenerated \u003e ago(timeframe)\r\n| where Operation =~ \\\"MailItemsAccessed\\\"\r\n| where ResultStatus =~ \\\"Succeeded\\\"\r\n| mv-expand parse_json(Folders)\r\n| extend folders = tostring(Folders.Path)\r\n| where tolower(MailboxOwnerUPN) != tolower(UserId)\r\n| extend ClientIP = iif(Client_IPAddress startswith \\\"[\\\", extract(\\\"\\\\\\\\[([^\\\\\\\\]]*)\\\", 1, Client_IPAddress), Client_IPAddress)\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 18 of 65\n\n| summarize make_set(folders), make_set(ClientInfoString), make_set(ClientIP), make_set(MailboxGuid),\r\nmake_set(MailboxOwnerUPN) by UserId\r\n| extend folder_count = array_length(set_folders)\r\n| extend user_count = array_length(set_MailboxGuid)\r\n| where user_count \u003e user_threshold or folder_count \u003e folder_threshold\r\n| sort by user_count desc\r\n| project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folder\r\nExchange workflow MailItemsAccessed operation anomaly\r\nlet starttime = 14d;\r\nlet endtime = 1d;\r\nlet timeframe = 1h;\r\nlet scorethreshold = 1.5;\r\nlet percentthreshold = 50;\r\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to\r\nuse with time series anomaly function.\r\nlet TimeSeriesData =\r\nOfficeActivity\r\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\r\n| project TimeGenerated, Operation, MailboxOwnerUPN\r\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step 
timeframe;\r\nlet TimeSeriesAlerts = TimeSeriesData\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to\r\ntypeof(double), baseline to typeof(long)\r\n| where anomalies \u003e 0\r\n| project TimeGenerated, Total, baseline, anomalies, score;\r\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\r\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\r\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\r\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\r\n| join (\r\nOfficeActivity\r\n| where TimeGenerated \u003e ago(2d)\r\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\r\n) on TimeGenerated\r\n\\n\r\nUpdated 12/19/2020\r\n\\n\r\nTargeting of email data has also been observed by other industry members including Volexity who reported attackers using\r\nPowerShell commands to export on premise Exchange mailboxes and then hosting those files on OWA servers in order to\r\nexfiltrate them.\r\n\\n\r\nMSTIC has created detections to identify this activity at both the OWA server and attacking host level through IIS logs, and\r\nPowerShell command line logging.\r\n\\n\\n\r\nOWA exfiltration:\r\n\\n\r\nSpoiler\r\nlet excludeIps = dynamic([\\\"127.0.0.1\\\", \\\"::1\\\"]);\r\nlet scriptingExt = dynamic([\\\"aspx\\\", \\\"ashx\\\", \\\"asp\\\"]);\r\nW3CIISLog\r\n| where csUriStem contains \\\"/owa/\\\"\r\n//The actor pulls a file back but won't send it any URI params\r\n| where isempty(csUriQuery)\r\n| extend file_ext = tostring(split(csUriStem, 
\\\".\\\")[-1])\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 19 of 65\n\n//Giving your file a known scripting extension will throw an error\r\n//rather than just serving the file as it will try to interpret the script\r\n| where file_ext !in~ (scriptingExt)\r\n//The actor was seen using image files, but we go wider in case they change this behaviour\r\n//| where file_ext in~ (\\\"jpg\\\", \\\"jpeg\\\", \\\"png\\\", \\\"bmp\\\")\r\n| extend file_name = tostring(split(csUriStem, \\\"/\\\")[-1])\r\n| where file_name != \\\"\\\"\r\n| where cIP !in~ (excludeIps)\r\n| project file_ext, csUriStem, file_name, Computer, cIP, sIP, TenantId, TimeGenerated\r\n| summarize dcount(cIP), AccessingIPs=make_set(cIP), AccessTimes=make_set(TimeGenerated), Access=count() by\r\nTenantId, file_name, Computer, csUriStem\r\n//Collection of the exfiltration will occur only once, lets check for 2 accesses in case they mess up\r\n//Tailor this for hunting\r\n| where Access \u003c= 2 and dcount_cIP == 1\r\n\\n\r\nHost creating then removing mailbox export requests using PowerShell cmdlets:\r\n\\n\r\nSpoiler\r\n\\n\r\n  // Adjust the timeframe to change the window events need to occur within to alert\r\n\\n\r\n  let timeframe = 1h;\r\n\\n\r\n  SecurityEvent\r\n\\n\r\n  | where Process in (\\\"powershell.exe\\\", \\\"cmd.exe\\\")\r\n\\n\r\n  | where CommandLine contains 'New-MailboxExportRequest'\r\n\\n\r\n  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName\r\n\\n\r\n  | join kind=inner (SecurityEvent\r\n\\n\r\n  | where Process in (\\\"powershell.exe\\\", \\\"cmd.exe\\\")\r\n\\n\r\n  | where CommandLine contains 'Remove-MailboxExportRequest'\r\n\\n\r\n  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer,\r\ntimekey, SubjectUserName\r\n\\n\r\n  | extend commands = pack_array(CommandLine1, 
CommandLine)\r\n\\n\r\n  | summarize by timekey, Computer, tostring(commands), SubjectUserName\r\n\\n\r\n  | project-reorder timekey, Computer, SubjectUserName, ['commands']\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 20 of 65\n\n\\n\r\n  | extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName\r\n\\n\r\n\\n\r\nUpdated 12/28/2020\r\n\\n\r\nEmail Delegation and later delegate access is another tactic that has been observed to gain access to user's mailboxes.  We\r\nhave previously created a method to discover Non-owner mailbox login activity that can be applied here to help identify\r\nwhen delegates are inappropriately accessing email.\r\n\\n\\n\r\nSpoiler\r\nlet timeframe = 1d;\r\nOfficeActivity\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Operation == \\\"MailboxLogin\\\" and Logon_Type != \\\"Owner\\\"\r\n| summarize count(), min(TimeGenerated), max(TimeGenerated) by Operation, OrganizationName, UserType, UserId,\r\nMailboxOwnerUPN, Logon_Type\r\n| extend timestamp = min_TimeGenerated, AccountCustomEntity = UserId\r\n\\n\\n\\n\r\nUpdated 12/17/2020\r\n\\n\\n\r\nMSTIC has collated network based IoCs from MSTIC, FireEye and Volexity to create a network based IoC detection -\r\n Solorigate Network Beacon - that leverages multiple network focused data sources within Azure Sentinel.  
\r\n\\n\r\nSpoiler\r\nlet domains =\r\ndynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonli\r\nlet timeframe = 6h;\r\n(union isfuzzy=true\r\n(CommonSecurityLog\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| parse Message with * '(' DNSName ')' *\r\n| where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\r\n| extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\r\n),\r\n(DnsEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| extend DNSName = Name\r\n| where isnotempty(DNSName)\r\n| where DNSName in~ (domains)\r\n| extend IPCustomEntity = ClientIP\r\n),\r\n(VMConnection\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\r\n| where isnotempty(DNSName)\r\n| where DNSName in~ (domains)\r\n| extend IPCustomEntity = RemoteIp\r\n),\r\n(DeviceNetworkEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where isnotempty(RemoteUrl)\r\n| where RemoteUrl has_any (domains)\r\n| extend DNSName = RemoteUrl\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 21 of 65\n\n| extend IPCustomEntity = RemoteIP\r\n| extend HostCustomEntity = DeviceName\r\n)\r\n)\r\n\\n\\n\r\nThe avsvmcloud[.]com has been observed by several organizations as making DGA like subdomain queries as part of C2\r\nactivities. 
MSTIC have generated a hunting query - Solorigate DNS Pattern - to look for similar patterns of activity from\r\nother domains that might help identify other potential C2 sources.\r\n\\n\r\nSpoiler\r\nlet cloudApiTerms = dynamic([\\\"api\\\", \\\"east\\\", \\\"west\\\"]);\r\nDnsEvents\r\n| where IPAddresses != \\\"\\\" and IPAddresses != \\\"127.0.0.1\\\"\r\n| where Name endswith \\\".com\\\" or Name endswith \\\".org\\\" or Name endswith \\\".net\\\"\r\n| extend domain_split = split(Name, \\\".\\\")\r\n| where tostring(domain_split[-5]) != \\\"\\\" and tostring(domain_split[-6]) == \\\"\\\"\r\n| extend sub_domain = tostring(domain_split[0])\r\n| where sub_domain !contains \\\"-\\\"\r\n| extend sub_directories = strcat(domain_split[-3], \\\" \\\", domain_split[-4])\r\n| where sub_directories has_any(cloudApiTerms)\r\n//Based on sample communications the subdomain is always between 20 and 30 bytes\r\n| where strlen(domain_split) \u003c 32 or strlen(domain_split) \u003e 20\r\n| extend domain = strcat(tostring(domain_split[-2]), \\\".\\\", tostring(domain_split[-1]))\r\n| extend subdomain_no = countof(sub_domain, @\\\"(\\\\d)\\\", \\\"regex\\\")\r\n| extend subdomain_ch = countof(sub_domain, @\\\"([a-z])\\\", \\\"regex\\\")\r\n| where subdomain_no \u003e 1\r\n| extend percentage_numerical = toreal(subdomain_no) / toreal(strlen(sub_domain)) * 100\r\n| where percentage_numerical \u003c 50 and percentage_numerical \u003e 5\r\n| summarize count(), make_set(Name), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name\r\n| order by count_ asc\r\n\\n\\n\r\nIn addition we have another query - Solorigate Encoded Domain in URL- that takes the encoding pattern the DGA uses,\r\nencodes the domains seen in signin logs and then looks for those patterns in DNS logs. This can help identify other C2\r\ndomains using the same encoding scheme. 
\r\n\\n\r\nSpoiler\r\nlet dictionary =\r\ndynamic([\\\"r\\\",\\\"q\\\",\\\"3\\\",\\\"g\\\",\\\"s\\\",\\\"a\\\",\\\"l\\\",\\\"t\\\",\\\"6\\\",\\\"u\\\",\\\"1\\\",\\\"i\\\",\\\"y\\\",\\\"f\\\",\\\"z\\\",\\\"o\\\",\\\"p\\\",\\\"5\\\",\\\"7\\\",\\\"2\\\",\\\"d\\\",\\\"4\\\",\\\"9\\\",\\\"b\\\",\\\"n\\\",\\\"x\\\",\\\"8\\\",\\\"c\\\r\nlet regex_bad_domains = SigninLogs\r\n//Collect domains from tenant from signin logs\r\n| where TimeGenerated \u003e ago(1d)\r\n| extend domain = tostring(split(UserPrincipalName, \\\"@\\\", 1)[0])\r\n| where domain != \\\"\\\"\r\n| summarize by domain\r\n| extend split_domain = split(domain, \\\".\\\")\r\n//This cuts back on domains such as na.contoso.com by electing not to match on the \\\"na\\\" portion\r\n| extend target_string = iff(strlen(split_domain[0]) \u003c= 2, split_domain[1], split_domain[0])\r\n| extend target_string = split(target_string, \\\"-\\\")\r\n| mv-expand target_string\r\n//Rip all of the alphanumeric out of the domain name\r\n| extend string_chars = extract_all(@\\\"([a-z0-9])\\\", tostring(target_string))\r\n//Guid for tracking our data\r\n| extend guid = new_guid()\r\n//Expand to get all of the individual chars from the domain\r\n| mv-expand string_chars\r\n| extend chars = tostring(string_chars)\r\n//Conduct computation to encode the domain as per actor spec\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 22 of 65\n\n| extend computed_char = array_index_of(dictionary, chars)\r\n| extend computed_char = dictionary[(computed_char + 4) % array_length(dictionary)]\r\n| summarize make_list(computed_char) by guid, domain\r\n| extend target_encoded = tostring(strcat_array(list_computed_char, \\\"\\\"))\r\n//These are probably too small, but can be edited (expect FP's when going too small)\r\n| where strlen(target_encoded) \u003e 5\r\n| distinct target_encoded\r\n| summarize make_set(target_encoded)\r\n//Key to join to DNS\r\n| extend 
key = 1;\r\nDnsEvents\r\n| where TimeGenerated \u003e ago(1d)\r\n| summarize by Name\r\n| extend key = 1\r\n//For each DNS query join the malicious domain list\r\n| join kind=inner (\r\nregex_bad_domains\r\n) on key\r\n| project-away key\r\n//Expand each malicious key for each DNS query observed\r\n| mv-expand set_target_encoded\r\n//IndexOf allows us to fuzzy match on the substring\r\n| extend match = indexof(Name, set_target_encoded)\r\n| where match \u003e -1\r\n\\n\\n\r\nUpdated 01/19/2021\r\n\\n\r\nThere has been additional indication that security services are being tampered with to hinder detection and investigation.\r\nWhile this is a common tactic, we felt that we should include this reference. The query is currently written specifically for\r\nPotential Microsoft security services tampering, but can easily be adapted to identify other security services.\r\n\\n\r\nSpoiler\r\nlet includeProc = dynamic([\\\"sc.exe\\\",\\\"net1.exe\\\",\\\"net.exe\\\", \\\"taskkill.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\"]);\r\nlet action = dynamic([\\\"stop\\\",\\\"disable\\\", \\\"delete\\\"]);\r\nlet service1 = dynamic(['sense', 'windefend', 'mssecflt']);\r\nlet service2 = dynamic(['sense', 'windefend', 'mssecflt', 'healthservice']);\r\nlet params1 = dynamic([\\\"-DisableRealtimeMonitoring\\\", \\\"-DisableBehaviorMonitoring\\\" ,\\\"-DisableIOAVProtection\\\"]);\r\nlet params2 = dynamic([\\\"sgrmbroker.exe\\\", \\\"mssense.exe\\\"]);\r\nlet regparams1 = dynamic(['reg add \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Advanced Threat Protection\\\"']);\r\nlet regparams2 = dynamic(['ForceDefenderPassiveMode', 'DisableAntiSpyware']);\r\nlet regparams3 = dynamic(['sense', 'windefend']);\r\nlet regparams4 = dynamic(['demand', 'disabled']);\r\nlet regparams5 = dynamic(['reg add 
\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\services\\\\\\\\HealthService\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Sense\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\WinDefend\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MsSecFlt\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\DiagTrack\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SgrmBroker\\\"', 'reg add\r\n\\\"HKLMSYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SgrmAgent\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\AATPSensorUpdater\\\"' , 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\AATPSensor\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\mpssvc\\\"']);\r\nlet regparams6 = dynamic(['/d 4','/d \\\"4\\\"','/d 0x00000004']);\r\nlet regparams7 = dynamic(['/d 1','/d \\\"1\\\"','/d 0x00000001']);\r\nlet timeframe = 1d;\r\n(union isfuzzy=true\r\n(\r\nSecurityEvent\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 23 of 65\n\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where EventID == 4688\r\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\r\n| where ProcessName in~ (includeProc)\r\n| where (CommandLine has_any (action) and CommandLine has_any (service1))\r\nor (CommandLine has_any (params1) and CommandLine has 'Set-MpPreference' and CommandLine has '$true')\r\nor (CommandLine has_any (params2) and CommandLine has \\\"/IM\\\")\r\nor (CommandLine has_any (regparams5) and CommandLine has 'Start' and CommandLine has_any (regparams6))\r\nor (CommandLine has_any (regparams1) and CommandLine has_any (regparams2) and CommandLine 
has_any\r\n(regparams7))\r\nor (CommandLine has \\\"start\\\" and CommandLine has \\\"config\\\" and CommandLine has_any (regparams3) and\r\nCommandLine has_any (regparams4))\r\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName,\r\nEventID, Activity, CommandLine, EventSourceName, Type\r\n),\r\n(\r\nEvent\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Source =~ \\\"Microsoft-Windows-SENSE\\\"\r\n| where EventID == 87 and ParameterXml in (\\\"\u003cParam\u003esgrmbroker\u003c/Param\u003e\\\", \\\"\u003cParam\u003eWinDefend\u003c/Param\u003e\\\")\r\n| project TimeGenerated, Computer, Account = UserName, EventID, Activity = RenderedDescription, EventSourceName =\r\nSource, Type\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where InitiatingProcessFileName in~ (includeProc)\r\n| where (InitiatingProcessCommandLine has_any(action) and InitiatingProcessCommandLine has_any (service2) and\r\nInitiatingProcessParentFileName != 'cscript.exe')\r\nor (InitiatingProcessCommandLine has_any (params1) and InitiatingProcessCommandLine has 'Set-MpPreference' and\r\nInitiatingProcessCommandLine has '$true')\r\nor (InitiatingProcessCommandLine has_any (params2) and InitiatingProcessCommandLine has \\\"/IM\\\")\r\nor ( InitiatingProcessCommandLine has_any (regparams5) and InitiatingProcessCommandLine has 'Start' and\r\nInitiatingProcessCommandLine has_any (regparams6))\r\nor (InitiatingProcessCommandLine has_any (regparams1) and InitiatingProcessCommandLine has_any (regparams2) and\r\nInitiatingProcessCommandLine has_any (regparams7))\r\nor (InitiatingProcessCommandLine has_any(\\\"start\\\") and InitiatingProcessCommandLine has \\\"config\\\" and\r\nInitiatingProcessCommandLine has_any (regparams3) and InitiatingProcessCommandLine has_any (regparams4))\r\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), 
InitiatingProcessAccountUpn,\r\nInitiatingProcessAccountName), Computer = DeviceName\r\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName,\r\nProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type,\r\nInitiatingProcessParentFileName\r\n)\r\n)\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\r\n\\n\\n\r\nIn addition we have created a query in Azure Sentinel - Solorigate Defender Detections - to collate the range of Defender\r\ndetections that are now deployed. This query can be used to get an overview of such alerts and the hosts they relate to. \r\n\\n\r\nSpoiler\r\nDeviceInfo\r\n| extend DeviceName = tolower(DeviceName)\r\n| join (SecurityAlert\r\n| where ProviderName =~ \\\"MDATP\\\"\r\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\r\n| where ThreatName has \\\"Solarigate\\\"\r\n| extend HostCustomEntity = tolower(CompromisedEntity)\r\n| take 10) on $left.DeviceName == $right.HostCustomEntity\r\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity,\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 24 of 65\n\nDescription, LoggedOnUsers, DeviceId, TenantId\r\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\r\n\\n\\n\\n\r\nAdditionally, as a cloud native SIEM Azure Sentinel can not only collect raw data from various disparate logs but it also gets\r\nalerts from various security products. For example, M365 Defender has a range of alerts for various attack components like\r\nSolarWinds malicious binaries, network traffic to the compromised domains, DNS queries for known patterns associated\r\nwith SolarWinds compromise that can flow into Sentinel. 
Combining these alerts with other raw logs and additional data\r\nsources provides the security team with additional insights as well as a complete picture of nature and the scope of attack.\r\n\\n\\n\\n\r\nMany of these queries have been incorporated into the related hunting workbook.\r\n\\n\r\nList of all Azure Sentinel Queries from each section\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\\n\\n\r\nRecent Nation-State Cyber Attacks \r\n\\n\r\nBehavior:Win32/Solorigate.C!dha threat description - Microsoft Security Intelligence\r\n\\n\r\nCustomer guidance on recent nation-state cyberattacks \r\n\\n\r\nFireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims\r\nWith SUNBURST Backdoor\r\n\\n\r\nFireEye GitHub page: Sunburst Countermeasures \r\n\\n\r\nDHS Directive\r\n\\n\r\nSolarWinds Security Advisory\r\n\\n\r\nFalconFriday – Fireeye Red Team Tool Countermeasures KQL Queries  \r\n\\n\r\nMicrosoft-365-Defender-Hunting-Queries: Sample queries for Advanced hunting in Microsoft 365 Defender (github.com)\r\n\\n\r\nAzure Sentinel SolarWinds Post Compromise Hunting Workbook\r\n\\n\r\nAzure Sentinel SolarWinds Post Compromise Notebook \r\n\\n\r\nUpdated 12/18/2020\r\n\\n\r\nNew Threat analytics report shares the latest intelligence on recent nation-state cyber attacks - Microsoft Tech Community\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 25 of 65\n\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps\r\nprotect customers - Microsoft Security \r\n\\n\r\nUpdated 12/28/2020\r\n\\n\r\nUsing Microsoft 365 Defender to protect against Solorigate - Microsoft Security\r\n\\n\\n\\n\\n\\n\\n\",\"body@stringLength\":\"159837\",\"rawBody\":\"\r\nMSTIC has released a number of new hunting and detection queries for Azure Sentinel based on additional observations as\r\nwell as 
research released by partners and the wider community. In addition, the SolarWinds post compromise hunting\r\nworkbook has been updated to include a number of new sections.  \r\n\\n\r\nBlog sections have been marked with Updated and include the date they were last updated.\r\n\\n\\n\r\nMicrosoft recently blogged about the Recent Nation-State Cyber Attacks that has impacted high value targets both across the\r\ngovernment and private sector. This attack is also known as Solorigate or Sunburst. This threat actor is believed to be highly\r\nsophisticated and motivated. Relevant security data required for hunting and investigating such a complex attack is produced\r\nin multiple locations - cloud, on-premises and across multiple security tools and product logs.  Being able to analyze all the\r\ndata from a single point makes it easier to spot trends and attacks. Azure Sentinel has made it easy to collect data from\r\nmultiple data sources across different environments both on-prem and cloud with the goal of connecting that data together\r\nmore easily. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is\r\navailable by default in Azure Sentinel or can be onboarded to Azure Sentinel. \r\n\\n\\n\r\nAssociated content details:\r\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\r\nThe goal of this article is post-compromise investigation strategies and is focused on TTPs and not focused on specific\r\nIOCs.  Azure Sentinel customers are encouraged to review advisories and IOC’s shared by Microsoft MSRC and security\r\npartners to search on specific IOC’s in their environment using Azure Sentinel.  Links to these IOC’s are listed in the\r\nreference section at the end.\r\n\\n\\n\r\nTo make it easier for security teams to visualize and monitor their environments for this attack the MSTIC team has shared a\r\nSolarWinds Post Compromise hunting workbook via Azure Sentinel and Azure Sentinel GitHub. 
There are many things in\r\nthis workbook that threat hunters would find useful and the workbook is complementary to the hunting methods shared\r\nbelow. Importantly, if you have recently rotated ADFS key material this workbook can be useful in identifying attacker\r\nlogon activity if they log on with old key material. Security teams should leverage this hunting workbook as part of their\r\nworkflow in investigating this attack.\r\n\\n\\n\r\nThanks to the MSTIC and M365 teams for collaborating to deliver this content in a timely manner. Special thanks\r\nto , , , , Chris Glyer, , , Rob Mead, , , , Ramin Nafisi, Michael Matonis. \r\n\\n\\n\r\nPlease note that since Azure Sentinel and the M365 Advanced Hunting portal share the same query language and share\r\nsimilar data types, all of the referenced queries can be used directly or slightly modified to work in both.\r\n\\n\\n\r\nGaining a foothold\r\n\\n\r\nAs shared in Microsoft’s technical blog – Customer Guidance on Recent Nation-state Cyber Attacks - attackers might have\r\ncompromised the internal build systems or the update distribution systems of SolarWinds Orion software then modified a\r\nDLL component in the legitimate software and embedded backdoor code that would allow these attackers to remotely\r\nperform commands or deliver additional payloads. Below is a representation of various attack stages which you can also see\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 26 of 65\n\nin Microsoft Threat Protection (MTP) portal.  Note that if you do not have Microsoft Threat Protection this link will not\r\nwork for you.\r\n\\n\\n\\n\\n\r\nTo hunt for similar TTPs used in this attack, a good place to start is to build an inventory of the machines that have\r\nSolarWinds Orion components. Organizations might already have a software inventory management system to indicate hosts\r\nwhere the SolarWinds application is installed. 
Alternatively, Azure Sentinel could be leveraged to run a simple query to\r\ngather similar details. Azure Sentinel collects data from multiple different logs that could be used to gather this information.\r\nFor example, through the recently released Microsoft 365 Defender connector, security teams can now easily ingest\r\nMicrosoft 365 raw data into Azure Sentinel. Using the ingested data, a simple query like below can be written that will pull\r\nthe hosts with SolarWinds process running in last 30 days based on Process execution either via host on boarded to Sentinel\r\nor on boarded via Microsoft Defender for Endpoints (MDE). The query also leverages the Sysmon logs that a lot of\r\ncustomers are collecting from their environment to surface the machines that have SolarWinds running on them. Similar\r\nqueries that leverage M365 raw data could also be run from the M365's Advanced hunting portal.\r\n\\n\\n\r\nSolarWinds Inventory check query\r\n\\n\\n\r\n\\n\r\nlet timeframe = 30d; \r\n\\n\r\n(union isfuzzy=true \r\n\\n\r\n( \r\n\\n\r\nSecurityEvent \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\n| where EventID == '4688' \r\n\\n\r\n| where tolower(NewProcessName) has 'solarwinds' \r\n\\n\r\n| extend MachineName = Computer , Process = NewProcessName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n), \r\n\\n\r\n( \r\n\\n\r\nDeviceProcessEvents \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 27 of 65\n\n| where tolower(InitiatingProcessFolderPath) has 'solarwinds' \r\n\\n\r\n| extend MachineName = DeviceName , Process = InitiatingProcessFolderPath, Account = AccountName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = 
dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n), \r\n\\n\r\n( \r\n\\n\r\nEvent \r\n\\n\r\n| where TimeGenerated \u003e= ago(timeframe) \r\n\\n\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \r\n\\n\r\n| where EventID == 1 \r\n\\n\r\n| extend Image = EventDetail.[4].[\\\"#text\\\"] \r\n\\n\r\n| where tolower(Image) has 'solarwinds' \r\n\\n\r\n| extend MachineName = Computer , Process = Image, Account = UserName\r\n\\n\r\n|\r\n summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(MachineName), AccountCount = dcount(Accou\r\n\\n\r\n) \r\n\\n\r\n) \r\n\\n\r\n\\n\\n\r\nUpdated 12/30/2020\r\n\\n\r\nOn systems where the malicious SolarWinds DLL (SolarWinds.Orion.Core.BusinessLayer.dll) is running, it is known that\r\nthe attacker used a hardcoded named pipe '583da945-62af-10e8-4902-a8f205c72b2e' to conduct various checks as well as to\r\nensure only one instance of the backdoor was running. The use of named pipes by malware is not uncommon as it provides a\r\nmechanism for communication between processes. This activity by the malware can be detected if you are collecting\r\nSysmon (Event Id 17/18) or Security Event Id 5145 in your Azure Sentinel workspace. The Solorigate Named Pipe detection\r\nshould not be considered reliable on its own as the creation of just the hardcoded named pipe does not indicate that the\r\nmalicious code was completely triggered, and the machine beaconed out or received additional commands. 
However,\r\npresence of this is definitely suspicious and should warrant further in-depth investigation.\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 28 of 65\n\n\\nlet timeframe = 1d;\r\n(union isfuzzy=true\r\n(Event\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| where EventID in (17,18)\r\n| extend EvData = parse_xml(EventData)\r\n| extend EventDetail = EvData.DataItem.EventData.Data\r\n| extend NamedPipe = EventDetail.[5].[\\\"#text\\\"]\r\n| extend ProcessDetail = EventDetail.[6].[\\\"#text\\\"]\r\n| where NamedPipe contains '583da945-62af-10e8-4902-a8f205c72b2e'\r\n| extend Account = UserName\r\n| project-away EventDetail, EvData\r\n),\r\n(\r\nSecurityEvent\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where EventID == '5145'\r\n| where AccessList has '%%4418' // presence of CreatePipeInstance value\r\n| where RelativeTargetName contains '583da945-62af-10e8-4902-a8f205c72b2e'\r\n)\r\n)\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n\r\nPrivilege Escalation\r\n\\n\r\nOnce the adversary acquires an initial foothold on a system thru the SolarWinds process they will have System account level\r\naccess, the attacker will then attempt to elevate to domain admin level access to the environment. The Microsoft Threat\r\nIntelligence Center (MSTIC) team has already delivered multiple queries into Azure Sentinel that identify similar TTPs and\r\nmany are also available in M365. 
These methodologies are not specific to just this threat actor or this attack but have been\r\nseen in various attack campaigns.\r\n\\n\r\nIdentifying abnormal logon activities or additions to privileged groups is one way to identify privilege escalation.\r\n\\n\r\nUpdated 12/17/2020\r\n\\n\r\n\\n\r\nChecking for hosts with new logons to identify potential lateral movement by the attacker.\r\n\\n\r\nLook for any new account being created and added to built-in administrators group.\r\n\\n\r\nLook for any user account added to privileged built in domain local or global groups, including adding accounts to a\r\ndomain privileged group such as Enterprise Admins, Cert Publishers or DnsAdmins.\r\n\\n\r\nMonitor for rare activity by a high-value account carried out on a system or service.\r\n\\n\r\n\\n\r\nRelated to this attack, in some environments service account credentials had been granted administrative privileges. The\r\nabove queries can be modified to remove the condition of focusing “User” accounts by commenting the query to include\r\nservice accounts in the scope where applicable:\r\n\\n\\n\r\n//| where AccountType == \\\"User\\\"\r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 29 of 65\n\nPlease see the Azure Sentinel Github for additional queries and hunting ideas related to Accounts under the Detections and\r\nHunting Queries sections for AuditLogs, and SecurityEvents\r\n\\n\r\nMicrosoft 365 Defender team has also shared quite a few sample queries for use in their advanced hunting portal that could\r\nbe leveraged to detect this part of the attack. 
Additionally, the logic for many of the Azure Sentinel queries can also be\r\ntransformed to equivalent queries for Microsoft 365 Defender that could be run in their Advanced Hunting Portal.\r\n\\n\r\nMicrosoft 365 Defender has an upcoming complementary blog that will be linked here once available.\r\n\\n\\n\r\nCertificate Export\r\n\\n\r\nThe next step in the attack was stealing the certificate that signs SAML tokens from the federation server (ADFS) called a\r\nToken Signing Cert (TSC). SAML Tokens are basically XML representations of claims.  You can read more about ADFS in\r\nWhat is federation with Azure AD? | Microsoft Docs and SAML at Azure Single Sign On SAML Protocol - Microsoft\r\nidentity platform | Microsoft Docs. The process is as follows:\r\n\\n\r\n\\n\r\n1. A client requests a SAML token from an ADFS Server by authenticating to that server using Windows credentials.\r\n\\n\r\n2. The ADFS server issues a SAML token to the client.\r\n\\n\r\n3. The SAML token is signed with a certificate associated with the server.\r\n\\n\r\n4. The client then presents the SAML token to the application that it needs access to.\r\n\\n\r\n5. The signature over the SAML token tells the application that the security token service issued the token and grants\r\naccess to the client.\r\n\\n\r\n\\n\\n\r\nADFS Key Extraction\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nThe implication of stealing the Token Signing Cert (TSC) is that once the certificate has been acquired, the actor can forge\r\nSAML (Security Assertion Markup Language) tokens with whatever claims and lifetime they choose, then sign them with the\r\ncertificate that has been acquired.  Microsoft continues to strongly recommend securing your AD FS (Active Directory\r\nFederation Service) TSC because if these TSCs are acquired by a bad actor, this then enables the actor to forge SAML\r\ntokens that impersonate highly privileged accounts.  
There are publicly available pen-testing tools like ADFSDump and\r\nADFSpoof that help with extracting required information from the AD FS configuration database to generate the forged\r\nsecurity tokens.  While we have not confirmed these specific tools were used in this attack, they are useful for simulating the\r\nattack behavior or executing a similar attack and therefore, Microsoft has created a high-fidelity detection related to this for\r\nM365 Defender:\r\n\\n\r\n\\n\r\nADFS private key extraction which detects ADFS private key extraction patterns from tools such as ADFSDump.\r\n\\n\r\n\\n\r\nNote: Any M365 Defender alert can be seen in Azure Sentinel Security Alerts or in the M365 security portal.\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 30 of 65\n\nUpdated 01/15/2021\r\n\\n\r\nThe TTP (tactics, techniques, and procedures) observed in the Solorigate attack is the creation of a legitimate SAML token\r\nused to authenticate as any user. One way an attacker could achieve this is by compromising AD FS key\r\nmaterial. Microsoft has a new detection for this as stated above and for Azure Sentinel has also created a Windows Event\r\nLog based detection that indicates an ADFS DKM Master Key Export. As part of the update for this query to the Azure\r\nSentinel GitHub, there is a detailed write up for why this is interesting along with a subsequent addition providing clarity on\r\nhow to get 4662 events to fire.  
This detection should not be considered reliable on its own but can identify suspicious\r\nactivity that warrants further investigation.\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\\n\r\n (union isfuzzy=true (SecurityEvent\r\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created.\r\n| where ObjectServer == 'DS'\r\n| where OperationType == 'Object Access'\r\n//| where ObjectName contains '\u003cGUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check\r\ndescription for more details.\r\n| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class\r\n| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name:\r\nthumbnailPhoto\r\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\r\n(DeviceEvents\r\n| where ActionType =~ \\\"LdapSearch\\\"\r\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\r\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to\r\nshow only hits related to the ADFS AD container\r\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity =\r\nInitiatingProcessAccountName)\r\n)\r\n\\n\\n\r\nUpdated 12/19/2020\r\n\\n\r\nMSTIC has developed another detection for ADFS server key export events. This detection leverages the visibility provided\r\nby Sysmon and provides a more reliable detection method than that covered in the Windows Event Log detection. 
For this\r\ndetection to be effective you must be collecting Sysmon Event IDs 17 and 18 into your Azure Sentinel workspace.\r\n\\n// Adjust this to use a longer timeframe to identify ADFS servers\r\nlet lookback = 6d;\r\n// Adjust this to adjust the key export detection timeframe\r\nlet timeframe = 1d;\r\n// Start be identifying ADFS servers to reduce FP chance\r\nlet ADFS_Servers = (\r\nEvent\r\n| where TimeGenerated \u003e ago(timeframe+lookback)\r\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-expand bagexpansion=array EventData\r\n| evaluate bag_unpack(EventData)\r\n| extend Key=tostring(['@Name']), Value=['#text']\r\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID,\r\nUserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\r\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\r\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\r\n| summarize by Computer);\r\n// Look for ADFS servers where Named Pipes event are present\r\nEvent\r\n| where TimeGenerated \u003e ago(timeframe)\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 31 of 65\n\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\r\n| where Computer in~ (ADFS_Servers)\r\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\r\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-expand bagexpansion=array EventData\r\n| evaluate bag_unpack(EventData)\r\n| extend Key=tostring(['@Name']), Value=['#text']\r\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID,\r\nUserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\r\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = 
column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\r\nTechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\r\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\r\n| where EventID in (17,18)\r\n// Look for Pipe related to querying the WID\r\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\r\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\r\n// Exclude expected processes\r\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\",\r\n\\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\r\n| extend Operation = RenderedDescription\r\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\r\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\\n\r\nOutside of directly looking for tools, this adversary may have used custom tooling so looking for anomalous process\r\nexecutions or anomalous accounts logging on to our ADFS server can give us some clue when such attacks happen. Azure\r\nSentinel provides queries that can help to:\r\n\\n\r\n\\n\r\nFind rare anomalous process in your environment.\r\n\\n\r\nAlso look for rare processes run by service accounts\r\n\\n\r\nOr uncommon processes that are in the bottom 5% of all the process.\r\n\\n\r\nIn some instances, there is a rare command line syntax related to DLL loading, you can adjust these queries to also\r\nlook at rarity on the command line.\r\n\\n\r\n\\n\r\nEvery environment is different and some of these queries being generic could be noisy. 
So, in the first step a good approach\r\nwould be to limit this kind of hunting to our ADFS server.\r\n\\n\\n\r\nAzure Active Directory Hunting\r\n\\n\r\nHaving gained a significant foothold in the on prem environment, the actor also targeted the Azure AD of some of the\r\ncompromised organizations and made modifications to Azure AD settings to facilitate long term access. Microsoft has\r\nshared many relevant queries through the Azure Sentinel GitHub to identify these actions.\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nOne such activity is related to modifying domain federation trust settings. A federation trust signifies the\r\nestablishment of authentication and authorization trust between two organizations so that users located in partner\r\norganizations can send authentication and authorization requests successfully.\r\n\\n\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 32 of 65\n\nWhile not specifically seen in this attack, tracking federation trust modifications is important. The Azure Sentinel\r\nquery for domain federation trust settings modification will alert when a user or application modifies the federation\r\nsettings on the domain particularly when a new Active Directory Federated Service (ADFS) Trusted Realm object,\r\nsuch as a signing certificate, is added to the domain or there is an update to domain authentication from managed\r\nto federated. Modification to domain federation settings should be rare and this should be treated as a high-fidelity\r\nalert that Azure AD and Azure Sentinel users should follow up on.\r\n\\n\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\r\nThe original purpose of the STSRefreshTokenModification low severity, hunting-only query was to demonstrate an event\r\nthat has token validity time periods in it and demonstrate how one could monitor for anomalous/edited tokens. 
We have\r\ndetermined this event will only fire on the manual expiration of the StsRefreshToken by an admin (or the user). These types\r\nof events are most often generated when legitimate administrators troubleshoot frequent AAD (Azure AD) user sign-ins. To\r\navoid any confusion with Solorigate investigation and hunting, we have removed this section from the blog.\r\n\\n\\n\r\nAnother such activity is adding access to the Service Principal or Application.  If a threat actor obtains access to an\r\nApplication Administrator account, they may configure alternate authentication mechanisms for direct access to any of the\r\nscopes and services available to the Service Principal. With these privileges, the actor can add alternative authentication\r\nmaterial for direct access to resources using this credential.\r\n\\n\r\n\\n\r\nIdentify where the verify KeyCredential has been updated with New access credential added to Application or\r\nService Principal.\r\n\\n\r\n\\n\r\nUpdated 12/20/2020\r\n\\n\r\n\\n\r\nIdentify where the verify KeyCredential was not present and has now has had its First access credential added to\r\nApplication or Service Principal where no credential was present.\r\n\\n\r\n\\n\\n\\n\r\nNew access credential added to Application or Service Principal\r\nlet auditLookback = 1h;\r\nAuditLogs\r\n| where TimeGenerated \u003e ago(auditLookback)\r\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add\r\nservice principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application – Certificates and secrets management\\\"\r\nevents\r\n| where Result =~ \\\"success\\\"\r\n| mv-expand target = TargetResources\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\r\n| extend targetId = tostring(TargetResources[0].id)\r\n| extend 
targetType = tostring(TargetResources[0].type)\r\n| extend keyEvents = TargetResources[0].modifiedProperties\r\n| mv-expand keyEvents\r\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\r\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\r\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\r\n| where old_value_set != \\\"[]\\\"\r\n| extend diff = set_difference(new_value_set, old_value_set)\r\n| where isnotempty(diff)\r\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 33 of 65\n\n\\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\r\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\r\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\r\n| extend InitiatingUserOrApp =\r\niff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName),\r\ntostring(InitiatedBy.app.displayName))\r\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress),\r\ntostring(InitiatedBy.app.ipAddress))\r\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or\r\nonly Service Principal events in their environment\r\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\r\n| project-away diff, new_value_set, old_value_set\r\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent,\r\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\r\n\\n\r\nFirst access 
credential added to Application or Service Principal where no credential was present\r\nlet auditLookback = 1h;\r\nAuditLogs\r\n| where TimeGenerated \u003e ago(auditLookback)\r\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add\r\nservice principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application – Certificates and secrets management\\\"\r\nevents\r\n| where Result =~ \\\"success\\\"\r\n| mv-expand target = TargetResources\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\r\n| extend targetId = tostring(TargetResources[0].id)\r\n| extend targetType = tostring(TargetResources[0].type)\r\n| extend keyEvents = TargetResources[0].modifiedProperties\r\n| mv-expand keyEvents\r\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\r\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\r\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\r\n| where old_value_set == \\\"[]\\\"\r\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\"\r\nkeyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\r\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\r\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\r\n| extend InitiatingUserOrApp =\r\niff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName),\r\ntostring(InitiatedBy.app.displayName))\r\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress),\r\ntostring(InitiatedBy.app.ipAddress))\r\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only 
Application or\r\nonly Service Principal events in their environment\r\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\r\n| project-away new_value_set, old_value_set\r\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent,\r\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\r\n\\n\\n\r\nUpdated 12/19/2020\r\n\\n\r\nThis threat actor has been observed using applications to read users mailboxes within a target environment. To help identify\r\nthis activity MSTIC has created a hunting query that looks for applications that have been granted mailbox read permissions\r\nfollowed by consent to this application. Whilst this may uncover legitimate applications hunters should validate applications\r\ngranted mail read permissions genuinely require them.\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 34 of 65\n\n\\nAuditLogs\r\n| where Category =~ \\\"ApplicationManagement\\\"\r\n| where ActivityDisplayName =~ \\\"Add delegated permission grant\\\"\r\n| where Result =~ \\\"success\\\"\r\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\r\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\r\n| mv-expand props\r\n| extend UserAgent = tostring(AdditionalDetails[0].value)\r\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n| extend DisplayName = tostring(props.displayName)\r\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\r\n| where Permissions has_any (\\\"Mail.Read\\\", 
\\\"Mail.ReadWrite\\\")\r\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\r\n| extend Type = tostring(TargetResources[0].type)\r\n| project-away props\r\n| join kind=leftouter(\r\nAuditLogs\r\n| where ActivityDisplayName has \\\"Consent to application\\\"\r\n| extend AppName = tostring(TargetResources[0].displayName)\r\n| extend AppId = tostring(TargetResources[0].id)\r\n| project AppName, AppId, CorrelationId) on CorrelationId\r\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo,\r\nPermissions, AppName, AppId, CorrelationId\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\\n\r\nIt’s also advised to hunt for application consents for unexpected applications, particularly where they provide offline access\r\nto data or other high value access;\r\n\\n\r\n\\n\r\nSuspicious application consent similar to O365 Attack Toolkit\r\n\\n\r\nSuspicious application consent for offline access\r\n\\n\r\n\\n\r\nUpdated 12/17/2020 (moved location)\r\n\\n\r\nIn addition to Azure AD pre-compromise logon hunting it is also possible to monitor for logons attempting to use invalid\r\nkey material. This can help identify attempted logons using stolen key material made after key material has been rotated.\r\nThis can be done by querying SigninLogs in Azure Sentinel where the ResultType is 5000811. Please note that if you roll\r\nyour token signing certificate, there will be expected activity when searching on the above.\r\n\\n\\n\r\nRecon and Remote Execution\r\n\\n\r\nUpdated 12/27/2020\r\n\\n\r\nThe adversary will often attempt to access on-prem systems to gain further insight and mapping of the environment.  As\r\ndescribed in the Resulting hands-on-keyboard attack section of the Analyzing Solorigate blog by Microsoft, attackers\r\nrenamed windows administrative tools like adfind.exe which were then used for domain enumeration. 
An example of the\r\nprocess execution command like can look like this:\r\n\\n\\n\\n\\n\\n\\n\\n\r\nC:\\\\Windows\\\\system32\\\\cmd.exe /C csrss.exe -h breached.contoso.com -f (name=”Domain Admins”) member -list |\r\ncsrss.exe -h breached.contoso.com -f objectcategory=* \u003e .\\\\Mod\\\\mod1.log\r\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 35 of 65\n\nWe have provided a query in the Azure Sentinel Github which will help in detecting the command line patterns related to\r\nADFind usage. You can customize this query to look at your specific DC/ADFS servers.\r\n\\nlet startdate = 1d;\r\nlet lookupwindow = 2m;\r\nlet threshold = 3; //number of commandlines in the set below\r\nlet DCADFSServersList = dynamic ([\\\"DCServer01\\\", \\\"DCServer02\\\", \\\"ADFSServer01\\\"]); // Enter a reference list of\r\nhostnames for your DC/ADFS servers\r\nlet tokens =\r\ndynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain\r\nAdmins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\"]);\r\nSecurityEvent\r\n//| where Computer in (DCADFSServersList) // Uncomment to limit it to your DC/ADFS servers list if specified above or\r\nany pattern in hostnames (startswith, matches regex, etc).\r\n| where TimeGenerated between (ago(startdate) .. 
now())\r\n| where EventID == 4688\r\n| where CommandLine has_any (tokens)\r\n| where CommandLine matches regex \\\"(.*)\u003e(.*)\\\"\r\n| summarize Commandlines = make_set(CommandLine), LastObserved=max(TimeGenerated) by bin(TimeGenerated,\r\nlookupwindow), Account, Computer, ParentProcessName, NewProcessName\r\n| extend Count = array_length(Commandlines)\r\n| where Count \u003e threshold\\n\r\nOn the remote execution side, there is a pattern that can be identified related to using alternate credentials than the currently\r\nlogged on user, such as when using the RUN AS feature on a Windows system and passing in explicit credentials.  We have\r\nreleased a query that will identify when execution is occurring via multiple explicit credentials against remote targets.  This\r\nrequires that Windows Event 4648 is being collected as part of Azure Sentinel.\r\n\\n\\nlet WellKnownLocalSIDs = \\\"S-1-5-[0-9][0-9]$\\\";\r\nlet protocols = dynamic(['cifs', 'ldap', 'RPCSS', 'host' , 'HTTP', 'RestrictedKrbHost', 'TERMSRV', 'msomsdksvc', 'mssqlsvc']);\r\nSecurityEvent\r\n| where TimeGenerated \u003e= ago(1d)\r\n| where EventID == 4648\r\n| where SubjectUserSid != 'S-1-0-0' // this is the Nobody SID which really means No security principal was included.\r\n| where not(SubjectUserSid matches regex WellKnownLocalSIDs) //excluding system account/service account as this is\r\ngenerally normal\r\n| where TargetInfo has '/' //looking for only items that indicate an interesting protocol is included\r\n| where Computer !has tostring(split(TargetServerName,'$')[0])\r\n| where TargetAccount !~ tostring(split(SubjectAccount,'$')[0])\r\n| extend TargetInfoProtocol = tolower(split(TargetInfo, '/')[0]), TargetInfoMachine = toupper(split(TargetInfo, '/')[1])\r\n| extend TargetAccount = tolower(TargetAccount), SubjectAccount = tolower(SubjectAccount)\r\n| extend UncommonProtocol = case(not(TargetInfoProtocol has_any (protocols)), TargetInfoProtocol, 'NotApplicable')\r\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), AccountsUsedCount =\r\ndcount(TargetAccount), AccountsUsed = make_set(TargetAccount), TargetMachineCount = dcount(TargetInfoMachine),\r\nTargetMachines = make_set(TargetInfoMachine), TargetProtocols = dcount(TargetInfoProtocol), Protocols =\r\nmake_set(TargetInfoProtocol), Processes = make_set(Process) by Computer, SubjectAccount, UncommonProtocol\r\n| where TargetMachineCount \u003e 1 or UncommonProtocol != 'NotApplicable'\r\n| extend ProtocolCount = array_length(Protocols)\r\n| extend ProtocolScore = case(\r\nProtocols has 'rpcss' and Protocols has 'host' and Protocols has 'cifs', 10, //observed in Solorigate and depending on which\r\nare used together the higher the score\r\nProtocols has 'rpcss' and Protocols has 'host', 5,\r\nProtocols has 'rpcss' and Protocols has 'cifs', 5,\r\nProtocols has 'host' and Protocols has 'cifs', 5,\r\nProtocols has 'ldap' or Protocols has 'rpcss' or Protocols has 'host' or Protocols has 'cifs', 1, //ldap is more commonly seen in\r\ngeneral, this was also seen with Solorigate but not usually to the same machines as the others above\r\nUncommonProtocol != 'NotApplicable', 3,\r\n0 //other protocols may be of interest, but in relation to observations for enumeration/execution in Solorigate they receive 0\r\n)\r\n| extend Score = ProtocolScore + ProtocolCount + AccountsUsedCount\r\n| where Score \u003e= 9 or (UncommonProtocol != 'NotApplicable' and Score \u003e= 4) // Score must be 9 or better as this will\r\ninclude 5 points for atleast 2 of the interesting protocols + the count of protocols (min 2) + the number of accounts used for\r\nexecution (min 2) = min of 9 OR score must be 4 or greater for an uncommon protocol\r\n| extend TimePeriod = EndTime - StartTime //This identifies the time between start and finish for the use of the explicit\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 36 of 
65\n\ncredentials, shorter time period may indicate scripted executions\r\n| project-away UncommonProtocol\r\n| extend timestamp = StartTime, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer\r\n| order by Score desc\\n\\n\r\nData Access\r\n\\n\r\nAccessing confidential data is one of the primary motives of this attack. Data access for the attacker here relied on\r\nleveraging minted SAML tokens to access user files/email stored in the cloud via compromised AppIds. One way to detect\r\nthis is when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory\r\nresources.\r\n\\n\\n\r\nMicrosoft Graph is one way that the attacker may be seen accessing resources and can help find what the attacker may have\r\naccessed using the Service principal Azure Active Directory sign-in logs. If you have data in your Log analytics you could\r\neasily plot a chart to see what anomalous activity is happening in your environment that is leveraging the graph. \r\n\\n\r\nUpdated 12/17/2020\r\n\\n\r\nNote that this data type in Azure Sentinel below is only available when additional Diagnostic Logging is enabled on the\r\nworkspace.  Please see the instructions in the expandable section below.\r\n\\nThe AADServicePrincipalSigninLogs datatype will not be available in Azure Sentinel unless it is configured under\r\nDiagnostic Settings.  
Please see screenshots below the query.\r\nAADServicePrincipalSignInLogs\r\n| where TimeGenerated \u003e ago(90d)\r\n| where ResourceDisplayName == \\\"Microsoft Graph\\\"\r\n| where ServicePrincipalId == \\\"524c43c4-c484-4f7a-bd44-89d4a0d8aeab\\\"\r\n| summarize count() by bin(TimeGenerated, 1h)\r\n| render timechart\r\nTo enable Service Principal Signin Logging, do the following:\r\n\\n\\n\\n\\n\\n\\n\\n\r\nUpdated 12/21/2020\r\n\\n\r\nAdditionally, below is a sample query that brings out some of the logons to Azure AD where multi factor authentication was\r\nsatisfied by token based logons versus MFA via phone auth or the like. It is possible this could produce many results, so\r\nadditional tuning is suggested for your environment.\r\n\\nSigninLogs\r\n| where TimeGenerated \u003e ago(30d)\r\n| where ResultType == 0\r\n| extend additionalDetails = tostring(Status.additionalDetails)\r\n| summarize make_set(additionalDetails), min(TimeGenerated), max(TimeGenerated) by IPAddress, UserPrincipalName\r\n| where array_length(set_additionalDetails) == 2\r\n| where (set_additionalDetails[1] == \\\"MFA requirement satisfied by claim in the token\\\" and set_additionalDetails[0] ==\r\n\\\"MFA requirement satisfied by claim provided by external provider\\\") or (set_additionalDetails[0] == \\\"MFA requirement\r\nsatisfied by claim in the token\\\" and set_additionalDetails[1] == \\\"MFA requirement satisfied by claim provided by external\r\nprovider\\\")\r\n//| project IPAddress, UserPrincipalName, min_TimeGenerated, max_TimeGenerated\\n\r\nUPDATED 12/17/2020\r\n\\n\r\nThis attack also used Virtual Private Servers (VPS) hosts to access victim networks and can be used in conjunction with the\r\nquery above. Both MSTIC and FireEye have reported attacker logon events coming from network ranges associated with\r\nVPS providers. 
In order to highlight these logons, MSTIC has created a new hunting query - Signins From VPS Providers -\r\n that looks for successful signins from network ranges associated with VPS providers. This is joined with the above query,\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 37 of 65\n\nthe new query looks for IPs that only display sign-ins based on tokens and not other MFA options, although this could be\r\nremoved if wanted. The list of VPS ranges in the query is not comprehensive and there is significant potential for false\r\npositives so results should be investigated before responding, however it can provide very effective signal. Combining the\r\nquery below with data that list VPS server ranges will make this a high-confidence hunting query. \r\n\\n\\n\r\nIn relation to the VPS servers section above, the previously mentioned workbook has a section that shows successful user\r\nsignins from VPS (Virtual Private Server) providers where only tokens were used to authenticate. This uses the new KQL\r\noperator ipv4_lookup to evaluate if a login came from a known VPS provider network range. This operator can alternatively\r\nbe used to look for all logons not coming from known ranges should your environment have a common logon source.\r\n\\n\\n\r\nData Exfiltration \r\n\\n\r\nUpdated 12/20/2020\r\n\\n\r\nEmail data has been observed as a target for the Solorigate attackers, one way to monitor for potential suspicious access is to\r\nlook for anomalous MailItemsAccessed volumes. MSTIC has created a specific hunting query to identify Anomolous User\r\nAccessing Other Users Mailbox which can help to identify malicious activity related to this attack. Additionally, MSTIC\r\npreviously created a more generic detection - Exchange workflow MailItemsAccessed operation anomaly - which looks for\r\ntime series based anomalies in MailItemsAccessed events in the OfficeActivity log. 
\r\n\\nAnomalous access to other user's mailboxes\r\nlet timeframe = 14d;\r\nlet user_threshold = 1;\r\nlet folder_threshold = 5;\r\nOfficeActivity\r\n| where TimeGenerated \u003e ago(timeframe)\r\n| where Operation =~ \\\"MailItemsAccessed\\\"\r\n| where ResultStatus =~ \\\"Succeeded\\\"\r\n| mv-expand parse_json(Folders)\r\n| extend folders = tostring(Folders.Path)\r\n| where tolower(MailboxOwnerUPN) != tolower(UserId)\r\n| extend ClientIP = iif(Client_IPAddress startswith \\\"[\\\", extract(\\\"\\\\\\\\[([^\\\\\\\\]]*)\\\", 1, Client_IPAddress), Client_IPAddress)\r\n| summarize make_set(folders), make_set(ClientInfoString), make_set(ClientIP), make_set(MailboxGuid),\r\nmake_set(MailboxOwnerUPN) by UserId\r\n| extend folder_count = array_length(set_folders)\r\n| extend user_count = array_length(set_MailboxGuid)\r\n| where user_count \u003e user_threshold or folder_count \u003e folder_threshold\r\n| sort by user_count desc\r\n| project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folder\r\nExchange workflow MailItemsAccessed operation anomaly\r\nlet starttime = 14d;\r\nlet endtime = 1d;\r\nlet timeframe = 1h;\r\nlet scorethreshold = 1.5;\r\nlet percentthreshold = 50;\r\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to\r\nuse with time series anomaly function.\r\nlet TimeSeriesData =\r\nOfficeActivity\r\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\r\n| project TimeGenerated, Operation, MailboxOwnerUPN\r\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\r\nlet TimeSeriesAlerts = TimeSeriesData\r\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 
'linefit')\r\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to\r\ntypeof(double), baseline to typeof(long)\r\n| where anomalies \u003e 0\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 38 of 65\n\n| project TimeGenerated, Total, baseline, anomalies, score;\r\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\r\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\r\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\r\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\r\n| join (\r\nOfficeActivity\r\n| where TimeGenerated \u003e ago(2d)\r\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\r\n) on TimeGenerated\r\n\\n\r\nUpdated 12/19/2020\r\n\\n\r\nTargeting of email data has also been observed by other industry members including Volexity who reported attackers using\r\nPowerShell commands to export on premise Exchange mailboxes and then hosting those files on OWA servers in order to\r\nexfiltrate them.\r\n\\n\r\nMSTIC has created detections to identify this activity at both the OWA server and attacking host level through IIS logs, and\r\nPowerShell command line logging.\r\n\\n\\n\r\nOWA exfiltration:\r\n\\nlet excludeIps = dynamic([\\\"127.0.0.1\\\", \\\"::1\\\"]);\r\nlet scriptingExt = dynamic([\\\"aspx\\\", \\\"ashx\\\", \\\"asp\\\"]);\r\nW3CIISLog\r\n| where csUriStem contains \\\"/owa/\\\"\r\n//The actor pulls a file back but won't send it any URI params\r\n| where isempty(csUriQuery)\r\n| extend file_ext = tostring(split(csUriStem, \\\".\\\")[-1])\r\n//Giving your file a known scripting extension will throw an error\r\n//rather than just serving the file as it will try to interpret the 
script\r\n| where file_ext !in~ (scriptingExt)\r\n//The actor was seen using image files, but we go wider in case they change this behaviour\r\n//| where file_ext in~ (\\\"jpg\\\", \\\"jpeg\\\", \\\"png\\\", \\\"bmp\\\")\r\n| extend file_name = tostring(split(csUriStem, \\\"/\\\")[-1])\r\n| where file_name != \\\"\\\"\r\n| where cIP !in~ (excludeIps)\r\n| project file_ext, csUriStem, file_name, Computer, cIP, sIP, TenantId, TimeGenerated\r\n| summarize dcount(cIP), AccessingIPs=make_set(cIP), AccessTimes=make_set(TimeGenerated), Access=count() by\r\nTenantId, file_name, Computer, csUriStem\r\n//Collection of the exfiltration will occur only once, lets check for 2 accesses in case they mess up\r\n//Tailor this for hunting\r\n| where Access \u003c= 2 and dcount_cIP == 1\\n\r\nHost creating then removing mailbox export requests using PowerShell cmdlets:\r\n\\n\\n\r\n  // Adjust the timeframe to change the window events need to occur within to alert\r\n\\n\r\n  let timeframe = 1h;\r\n\\n\r\n  SecurityEvent\r\n\\n\r\n  | where Process in (\\\"powershell.exe\\\", \\\"cmd.exe\\\")\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 39 of 65\n\n\\n\r\n  | where CommandLine contains 'New-MailboxExportRequest'\r\n\\n\r\n  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName\r\n\\n\r\n  | join kind=inner (SecurityEvent\r\n\\n\r\n  | where Process in (\\\"powershell.exe\\\", \\\"cmd.exe\\\")\r\n\\n\r\n  | where CommandLine contains 'Remove-MailboxExportRequest'\r\n\\n\r\n  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer,\r\ntimekey, SubjectUserName\r\n\\n\r\n  | extend commands = pack_array(CommandLine1, CommandLine)\r\n\\n\r\n  | summarize by timekey, Computer, tostring(commands), SubjectUserName\r\n\\n\r\n  | project-reorder timekey, Computer, SubjectUserName, ['commands']\r\n\\n\r\n  | extend 
HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName\r\n\\n\\n\r\nUpdated 12/28/2020\r\n\\n\r\nEmail Delegation and later delegate access is another tactic that has been observed to gain access to user's mailboxes.  We\r\nhave a previously created a method to discover Non-owner mailbox login activity that can be applied here to help identify\r\nwhen delegates are inappropriately access email.\r\n\\n\\nlet timeframe = 1d;\r\nOfficeActivity\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Operation == \\\"MailboxLogin\\\" and Logon_Type != \\\"Owner\\\"\r\n| summarize count(), min(TimeGenerated), max(TimeGenerated) by Operation, OrganizationName, UserType, UserId,\r\nMailboxOwnerUPN, Logon_Type\r\n| extend timestamp = min_TimeGenerated, AccountCustomEntity = UserId\\n\\n\r\nDomain Hunting\r\n\\n\r\nUpdated 12/17/2020\r\n\\n\r\nDomain specific\r\n\\n\r\nMSTIC has collated network based IoCs from MSTIC, FireEye and Volexity to create a network based IoC detection -\r\n Solorigate Network Beacon - that leverage multiple network focused data sources within Azure Sentinel.  
\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 40 of 65\n\n\\nlet domains =\r\ndynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonli\r\nlet timeframe = 6h;\r\n(union isfuzzy=true\r\n(CommonSecurityLog\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| parse Message with * '(' DNSName ')' *\r\n| where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\r\n| extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\r\n),\r\n(DnsEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| extend DNSName = Name\r\n| where isnotempty(DNSName)\r\n| where DNSName in~ (domains)\r\n| extend IPCustomEntity = ClientIP\r\n),\r\n(VMConnection\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\r\n| where isnotempty(DNSName)\r\n| where DNSName in~ (domains)\r\n| extend IPCustomEntity = RemoteIp\r\n),\r\n(DeviceNetworkEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where isnotempty(RemoteUrl)\r\n| where RemoteUrl has_any (domains)\r\n| extend DNSName = RemoteUrl\r\n| extend IPCustomEntity = RemoteIP\r\n| extend HostCustomEntity = DeviceName\r\n)\r\n)\\n\r\nDomain DGA\r\n\\n\r\nThe avsvmcloud[.]com has been observed by several organizations as making DGA like subdomain queries as part of C2\r\nactivities. 
MSTIC have generated a hunting query - Solorigate DNS Pattern - to look for similar patterns of activity from\r\nother domains that might help identify other potential C2 sources.\r\n\\nlet cloudApiTerms = dynamic([\\\"api\\\", \\\"east\\\", \\\"west\\\"]);\r\nDnsEvents\r\n| where IPAddresses != \\\"\\\" and IPAddresses != \\\"127.0.0.1\\\"\r\n| where Name endswith \\\".com\\\" or Name endswith \\\".org\\\" or Name endswith \\\".net\\\"\r\n| extend domain_split = split(Name, \\\".\\\")\r\n| where tostring(domain_split[-5]) != \\\"\\\" and tostring(domain_split[-6]) == \\\"\\\"\r\n| extend sub_domain = tostring(domain_split[0])\r\n| where sub_domain !contains \\\"-\\\"\r\n| extend sub_directories = strcat(domain_split[-3], \\\" \\\", domain_split[-4])\r\n| where sub_directories has_any(cloudApiTerms)\r\n//Based on sample communications the subdomain is always between 20 and 30 bytes\r\n| where strlen(domain_split) \u003c 32 or strlen(domain_split) \u003e 20\r\n| extend domain = strcat(tostring(domain_split[-2]), \\\".\\\", tostring(domain_split[-1]))\r\n| extend subdomain_no = countof(sub_domain, @\\\"(\\\\d)\\\", \\\"regex\\\")\r\n| extend subdomain_ch = countof(sub_domain, @\\\"([a-z])\\\", \\\"regex\\\")\r\n| where subdomain_no \u003e 1\r\n| extend percentage_numerical = toreal(subdomain_no) / toreal(strlen(sub_domain)) * 100\r\n| where percentage_numerical \u003c 50 and percentage_numerical \u003e 5\r\n| summarize count(), make_set(Name), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Name\r\n| order by count_ asc\\n\r\nEncoded Domain\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 41 of 65\n\n\\n\r\nIn addition we have another query - Solorigate Encoded Domain in URL- that takes the encoding pattern the DGA uses,\r\nencodes the domains seen in signin logs and then looks for those patterns in DNS logs. 
This can help identify other C2\r\ndomains using the same encoding scheme. \r\n\\nlet dictionary =\r\ndynamic([\\\"r\\\",\\\"q\\\",\\\"3\\\",\\\"g\\\",\\\"s\\\",\\\"a\\\",\\\"l\\\",\\\"t\\\",\\\"6\\\",\\\"u\\\",\\\"1\\\",\\\"i\\\",\\\"y\\\",\\\"f\\\",\\\"z\\\",\\\"o\\\",\\\"p\\\",\\\"5\\\",\\\"7\\\",\\\"2\\\",\\\"d\\\",\\\"4\\\",\\\"9\\\",\\\"b\\\",\\\"n\\\",\\\"x\\\",\\\"8\\\",\\\"c\\\r\nlet regex_bad_domains = SigninLogs\r\n//Collect domains from tenant from signin logs\r\n| where TimeGenerated \u003e ago(1d)\r\n| extend domain = tostring(split(UserPrincipalName, \\\"@\\\", 1)[0])\r\n| where domain != \\\"\\\"\r\n| summarize by domain\r\n| extend split_domain = split(domain, \\\".\\\")\r\n//This cuts back on domains such as na.contoso.com by electing not to match on the \\\"na\\\" portion\r\n| extend target_string = iff(strlen(split_domain[0]) \u003c= 2, split_domain[1], split_domain[0])\r\n| extend target_string = split(target_string, \\\"-\\\")\r\n| mv-expand target_string\r\n//Rip all of the alphanumeric out of the domain name\r\n| extend string_chars = extract_all(@\\\"([a-z0-9])\\\", tostring(target_string))\r\n//Guid for tracking our data\r\n| extend guid = new_guid()\r\n//Expand to get all of the individual chars from the domain\r\n| mv-expand string_chars\r\n| extend chars = tostring(string_chars)\r\n//Conduct computation to encode the domain as per actor spec\r\n| extend computed_char = array_index_of(dictionary, chars)\r\n| extend computed_char = dictionary[(computed_char + 4) % array_length(dictionary)]\r\n| summarize make_list(computed_char) by guid, domain\r\n| extend target_encoded = tostring(strcat_array(list_computed_char, \\\"\\\"))\r\n//These are probably too small, but can be edited (expect FP's when going too small)\r\n| where strlen(target_encoded) \u003e 5\r\n| distinct target_encoded\r\n| summarize make_set(target_encoded)\r\n//Key to join to DNS\r\n| extend key = 1;\r\nDnsEvents\r\n| where TimeGenerated \u003e ago(1d)\r\n| summarize by 
Name\r\n| extend key = 1\r\n//For each DNS query join the malicious domain list\r\n| join kind=inner (\r\nregex_bad_domains\r\n) on key\r\n| project-away key\r\n//Expand each malicious key for each DNS query observed\r\n| mv-expand set_target_encoded\r\n//IndexOf allows us to fuzzy match on the substring\r\n| extend match = indexof(Name, set_target_encoded)\r\n| where match \u003e -1\\n\r\nSecurity Service Tampering\r\n\\n\r\nUpdated 01/19/2021\r\n\\n\r\nThere has been additional indication that security services are being tampered with to hinder detection and investigation.\r\nWhile this is a common tactic, we felt that we should include this reference. The query is currently written specifically for\r\nPotential Microsoft security services tampering, but can easily be adapted to identify other security services.\r\n\\nlet includeProc = dynamic([\\\"sc.exe\\\",\\\"net1.exe\\\",\\\"net.exe\\\", \\\"taskkill.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\"]);\r\nlet action = dynamic([\\\"stop\\\",\\\"disable\\\", \\\"delete\\\"]);\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 42 of 65\n\nlet service1 = dynamic(['sense', 'windefend', 'mssecflt']);\r\nlet service2 = dynamic(['sense', 'windefend', 'mssecflt', 'healthservice']);\r\nlet params1 = dynamic([\\\"-DisableRealtimeMonitoring\\\", \\\"-DisableBehaviorMonitoring\\\" ,\\\"-DisableIOAVProtection\\\"]);\r\nlet params2 = dynamic([\\\"sgrmbroker.exe\\\", \\\"mssense.exe\\\"]);\r\nlet regparams1 = dynamic(['reg add \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Advanced Threat Protection\\\"']);\r\nlet regparams2 = dynamic(['ForceDefenderPassiveMode', 'DisableAntiSpyware']);\r\nlet regparams3 = dynamic(['sense', 'windefend']);\r\nlet regparams4 = dynamic(['demand', 'disabled']);\r\nlet regparams5 = 
dynamic(['reg add \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\services\\\\\\\\HealthService\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Sense\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\WinDefend\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MsSecFlt\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\DiagTrack\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SgrmBroker\\\"', 'reg add\r\n\\\"HKLMSYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SgrmAgent\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\AATPSensorUpdater\\\"' , 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\AATPSensor\\\"', 'reg add\r\n\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\mpssvc\\\"']);\r\nlet regparams6 = dynamic(['/d 4','/d \\\"4\\\"','/d 0x00000004']);\r\nlet regparams7 = dynamic(['/d 1','/d \\\"1\\\"','/d 0x00000001']);\r\nlet timeframe = 1d;\r\n(union isfuzzy=true\r\n(\r\nSecurityEvent\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where EventID == 4688\r\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\r\n| where ProcessName in~ (includeProc)\r\n| where (CommandLine has_any (action) and CommandLine has_any (service1))\r\nor (CommandLine has_any (params1) and CommandLine has 'Set-MpPreference' and CommandLine has '$true')\r\nor (CommandLine has_any (params2) and CommandLine has \\\"/IM\\\")\r\nor (CommandLine has_any (regparams5) and CommandLine has 'Start' and CommandLine has_any (regparams6))\r\nor (CommandLine has_any (regparams1) and CommandLine has_any (regparams2) and CommandLine has_any\r\n(regparams7))\r\nor (CommandLine has \\\"start\\\" and CommandLine has \\\"config\\\" and CommandLine has_any (regparams3) and\r\nCommandLine 
has_any (regparams4))\r\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName,\r\nEventID, Activity, CommandLine, EventSourceName, Type\r\n),\r\n(\r\nEvent\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where Source =~ \\\"Microsoft-Windows-SENSE\\\"\r\n| where EventID == 87 and ParameterXml in (\\\"\u003cParam\u003esgrmbroker\u003c/Param\u003e\\\", \\\"\u003cParam\u003eWinDefend\u003c/Param\u003e\\\")\r\n| project TimeGenerated, Computer, Account = UserName, EventID, Activity = RenderedDescription, EventSourceName =\r\nSource, Type\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where TimeGenerated \u003e= ago(timeframe)\r\n| where InitiatingProcessFileName in~ (includeProc)\r\n| where (InitiatingProcessCommandLine has_any(action) and InitiatingProcessCommandLine has_any (service2) and\r\nInitiatingProcessParentFileName != 'cscript.exe')\r\nor (InitiatingProcessCommandLine has_any (params1) and InitiatingProcessCommandLine has 'Set-MpPreference' and\r\nInitiatingProcessCommandLine has '$true')\r\nor (InitiatingProcessCommandLine has_any (params2) and InitiatingProcessCommandLine has \\\"/IM\\\")\r\nor ( InitiatingProcessCommandLine has_any (regparams5) and InitiatingProcessCommandLine has 'Start' and\r\nInitiatingProcessCommandLine has_any (regparams6))\r\nor (InitiatingProcessCommandLine has_any (regparams1) and InitiatingProcessCommandLine has_any (regparams2) and\r\nInitiatingProcessCommandLine has_any (regparams7))\r\nor (InitiatingProcessCommandLine has_any(\\\"start\\\") and InitiatingProcessCommandLine has \\\"config\\\" and\r\nInitiatingProcessCommandLine has_any (regparams3) and InitiatingProcessCommandLine has_any (regparams4))\r\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn,\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 43 of 65\n\nInitiatingProcessAccountName), 
Computer = DeviceName\r\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName,\r\nProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type,\r\nInitiatingProcessParentFileName\r\n)\r\n)\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n\r\nMicrosoft M365 Defender + Azure Sentinel detection correlation\r\n\\n\r\nIn addition we have created a query in Azure Sentinel - Solorigate Defender Detections - to collate the range of Defender\r\ndetections that are now deployed. This query can be used to get an overview of such alerts and the hosts they relate to. \r\n\\nDeviceInfo\r\n| extend DeviceName = tolower(DeviceName)\r\n| join (SecurityAlert\r\n| where ProviderName =~ \\\"MDATP\\\"\r\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\r\n| where ThreatName has \\\"Solarigate\\\"\r\n| extend HostCustomEntity = tolower(CompromisedEntity)\r\n| take 10) on $left.DeviceName == $right.HostCustomEntity\r\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity,\r\nDescription, LoggedOnUsers, DeviceId, TenantId\r\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\\n\\n\r\nConclusion\r\n\\n\r\nAdditionally, as a cloud native SIEM Azure Sentinel can not only collect raw data from various disparate logs but it also gets\r\nalerts from various security products. For example, M365 Defender has a range of alerts for various attack components like\r\nSolarWinds malicious binaries, network traffic to the compromised domains, DNS queries for known patterns associated\r\nwith SolarWinds compromise that can flow into Sentinel. 
Combining these alerts with other raw logs and additional data\r\nsources provides the security team with additional insights as well as a complete picture of nature and the scope of attack.\r\n\\n\\n\r\nAppendix\r\n\\n\r\nMany of these queries have been incorporated into the related hunting workbook.\r\n\\n\r\nList of all Azure Sentinel Queries from each section\r\n\\n\r\nUpdated 01/15/2021\r\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\\r\nGaining a\r\nfoothold\r\n \r\nSolarWinds\r\nInventory check\r\nquery\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SolarWindsInventory.yaml\r\nSolorigate Name\r\nPipe\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SolorigateNamedPipe.yaml \r\nPrivilege\r\nEscalation\r\n \r\nHosts with new\r\nlogons\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostsWithNewLogons.yaml\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 44 of 65\n\nNew user created\r\nand added to the\r\nbuilt-in\r\nadministrators\r\ngroup\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml\r\nUser account added\r\nto built in domain\r\nlocal or global\r\ngroup\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml\r\nTracking\r\nPrivileged Account\r\nRare Activity\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/TrackingPrivAccounts.yaml\r\nADFS Key\r\nExtraction\r\n \r\nADFS DKM\r\nMaster Key 
Export\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\r\nADFS Key Export\r\n(Sysmon)\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\r\nEntropy for\r\nProcesses for a\r\ngiven Host\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ProcessEntropy.yaml\r\nRare processes run\r\nby Service\r\naccounts\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/RareProcbyServiceAccount.yaml\r\nUncommon\r\nprocesses - bottom\r\n5%\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/uncommon_processes.yaml\r\nAzure Active\r\nDirectory\r\n \r\nModified domain\r\nfederation trust\r\nsettings\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml\r\nNew access\r\ncredential added to\r\nApplication or\r\nService Principal\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml\r\nFirst access\r\ncredential added to\r\nApplication or\r\nService Principal\r\nwhere no credential\r\nwas present\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/FirstAppOrServicePrincipalCredential.yaml\r\nMail.Read\r\nPermissions\r\nGranted to\r\nApplication\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml\r\nSuspicious\r\napplication consent\r\nsimilar to O365\r\nAttack Toolkit\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MaliciousOAuthApp_O365AttackToolkit.yaml\r\nSuspicious\r\napplication consent\r\nfor offline 
access\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 45 of 65\n\nRecon and\r\nRemote Execution\r\n \r\nSuspicious\r\nenumeration using\r\nAdfind tool\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml\r\nMultiple explicit\r\ncredential usage -\r\n4648 events\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml\r\nData Access  \r\nAzure Active\r\nDirectory\r\nPowerShell\r\naccessing non-AAD resources\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml\r\nSignins From VPS\r\nProviders\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Signins-From-VPS-Providers.yaml\r\nData Exfiltration  \r\nAnomalous access\r\nto other user's\r\nmailboxes\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml\r\nExchange\r\nworkflow\r\nMailItemsAccessed\r\noperation anomaly\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/MailItemsAccessedTimeSeries.yaml\r\nSuspect Mailbox\r\nExport on\r\nIIS/OWA\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml\r\nHost Exporting\r\nMailbox and\r\nRemoving Export\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml\r\nNon-owner\r\nmailbox login\r\nactivity\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/nonowner_MailboxLogin.yaml\r\nDomain Hunting  \r\nSolorigate 
Network\r\nBeacon\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml\r\nSolorigate DNS\r\nPattern\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/DnsEvents/Solorigate-DNS-Pattern.yaml\r\nSolorigate Encoded\r\nDomain in URL\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml\r\nSecurity Service\r\nTampering\r\n \r\nPotential Microsoft\r\nsecurity services\r\ntampering\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml \r\nM365+Sentinel  \r\nSolorigate\r\nDefender\r\nDetections\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml\r\n\\n\\n\r\nReferences\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 46 of 65\n\n\\n\r\nRecent Nation-State Cyber Attacks \r\n\\n\r\nBehavior:Win32/Solorigate.C!dha threat description - Microsoft Security Intelligence\r\n\\n\r\nCustomer guidance on recent nation-state cyberattacks \r\n\\n\r\nFireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims\r\nWith SUNBURST Backdoor\r\n\\n\r\nFireEye GitHub page: Sunburst Countermeasures \r\n\\n\r\nDHS Directive\r\n\\n\r\nSolarWinds Security Advisory\r\n\\n\r\nFalconFriday – Fireeye Red Team Tool Countermeasures KQL Queries  \r\n\\n\r\nMicrosoft-365-Defender-Hunting-Queries: Sample queries for Advanced hunting in Microsoft 365 Defender (github.com)\r\n\\n\r\nAzure Sentinel SolarWinds Post Compromise Hunting Workbook\r\n\\n\r\nAzure Sentinel SolarWinds Post Compromise Notebook \r\n\\n\r\nUpdated 12/18/2020\r\n\\n\r\nNew Threat analytics report shares the latest intelligence on recent nation-state cyber attacks - Microsoft Tech 
Community\r\n\\n\r\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps\r\nprotect customers - Microsoft Security \r\n\\n\r\nUpdated 12/28/2020\r\n\\n\r\nUsing Microsoft 365 Defender to protect against Solorigate - Microsoft Security\r\n\\n\\n\\n\\n\\n\\n\",\"kudosSumWeight\":13,\"postTime\":\"2020-12-16T11:54:32.499-08:00\",\"images\":\r\n{\"__typename\":\"AssociatedImageConnection\",\"edges\":\r\n[{\"__typename\":\"AssociatedImageEdge\",\"cursor\":\"MjYuMXwyLjF8b3wyNXxfTlZffDE\",\"node\":\r\n{\"__ref\":\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE2OGlFQjcxOEM5Njc1QzQ5Q0Q3?\r\nrevision=57\\\"}\"}},{\"__typename\":\"AssociatedImageEdge\",\"cursor\":\"MjYuMXwyLjF8b3wyNXxfTlZffDI\",\"node\":\r\n{\"__ref\":\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE1MWkzRkU2NThDQUY5QzMzNTg1?\r\nrevision=57\\\"}\"}},{\"__typename\":\"AssociatedImageEdge\",\"cursor\":\"MjYuMXwyLjF8b3wyNXxfTlZffDM\",\"node\":\r\n{\"__ref\":\"AssociatedImage:\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 47 of 
65\n\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyNmk0QUEzQjFDRjM0MkI0OTU4?\r\nrevision=57\\\"}\"}},{\"__typename\":\"AssociatedImageEdge\",\"cursor\":\"MjYuMXwyLjF8b3wyNXxfTlZffDQ\",\"node\":\r\n{\"__ref\":\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyN2lBRTZGNDQ4NjhDMUFCNDM5?\r\nrevision=57\\\"}\"}},{\"__typename\":\"AssociatedImageEdge\",\"cursor\":\"MjYuMXwyLjF8b3wyNXxfTlZffDU\",\"node\":\r\n{\"__ref\":\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyOGlDQjYxQ0JGRTVCNjE3MUQ3?\r\nrevision=57\\\"}\"}}],\"totalCount\":5,\"pageInfo\":\r\n{\"__typename\":\"PageInfo\",\"hasNextPage\":false,\"endCursor\":null,\"hasPreviousPage\":false,\"startCursor\":null}},\"attachments\":\r\n{\"__typename\":\"AttachmentConnection\",\"pageInfo\":\r\n{\"__typename\":\"PageInfo\",\"hasNextPage\":false,\"endCursor\":null,\"hasPreviousPage\":false,\"startCursor\":null},\"edges\":\r\n[]},\"tags\":{\"__typename\":\"TagConnection\",\"pageInfo\":\r\n{\"__typename\":\"PageInfo\",\"hasNextPage\":false,\"endCursor\":null,\"hasPreviousPage\":false,\"startCursor\":null},\"edges\":\r\n[{\"__typename\":\"TagEdge\",\"cursor\":\"MjYuMXwyLjF8b3wxMHxfTlZffDE\",\"node\":\r\n{\"__typename\":\"Tag\",\"id\":\"tag:hunting\",\"text\":\"hunting\",\"time\":\"2019-04-11T09:00:00.012-\r\n07:00\",\"lastActivityTime\":null,\"messagesCount\":null,\"followersCount\":null}},\r\n{\"__typename\":\"TagEdge\",\"cursor\":\"MjYuMXwyLjF8b3wxMHxfTlZffDI\",\"node\":\r\n{\"__typename\":\"Tag\",\"id\":\"tag:microsoft sentinel\",\"text\":\"microsoft sentinel\",\"time\":\"2021-11-02T10:33:48.383-\r\n07:00\",\"lastActivityTime\":null,\"messagesCount\":null,\"followersCount\":null}}]},\"timeToRead\":33,\"rawTeaser\":\"\\n\r\nMicrosoft recently blogged about the Recent Nation-State Cyber Attacks that has impacted high value targets both across 
the\r\ngovernment and private sector. This attack is also known as Solorigate or Sunburst.\r\n\",\"introduction\":\"\",\"coverImage\":null,\"coverImageProperties\":\r\n{\"__typename\":\"CoverImageProperties\",\"style\":\"STANDARD\",\"titlePosition\":\"BOTTOM\",\"altText\":\"\"},\"currentRevision\":\r\n{\"__ref\":\"Revision:revision:1995095_57\"},\"latestVersion\":\r\n{\"__typename\":\"FriendlyVersion\",\"major\":\"55\",\"minor\":\"0\"},\"metrics\":\r\n{\"__typename\":\"MessageMetrics\",\"views\":103654},\"read\":false,\"visibilityScope\":\"PUBLIC\",\"canonicalUrl\":null,\"seoTitle\":null,\"seoDescription\":null,\"p\r\n{\"__typename\":\"UserConnection\",\"edges\":[]},\"nonCoAuthorContributors\":{\"__typename\":\"UserConnection\",\"edges\":\r\n[]},\"coAuthors\":{\"__typename\":\"UserConnection\",\"edges\":[]},\"blogMessagePolicies\":\r\n{\"__typename\":\"BlogMessagePolicies\",\"canDoAuthoringActionsOnBlog\":{\"__typename\":\"PolicyResult\",\"failureReason\":\r\n{\"__typename\":\"FailureReason\",\"message\":\"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied\",\"key\":\"error.lithium.policies.blog\r\n[]}}},\"archivalData\":null,\"customFields\":[],\"revisions({\\\"constraints\\\":{\\\"isPublished\\\":{\\\"eq\\\":true}}})\":\r\n{\"__typename\":\"RevisionConnection\",\"totalCount\":57}},\"Conversation:conversation:1995095\":\r\n{\"__typename\":\"Conversation\",\"id\":\"conversation:1995095\",\"solved\":false,\"topic\":\r\n{\"__ref\":\"BlogTopicMessage:message:1995095\"},\"lastPostingActivityTime\":\"2021-11-02T18:30:13.281-\r\n07:00\",\"lastPostTime\":\"2020-12-27T00:51:08.223-\r\n08:00\",\"unreadReplyCount\":5,\"isSubscribed\":false},\"ModerationData:moderation_data:1995095\":\r\n{\"__typename\":\"ModerationData\",\"id\":\"moderation_data:1995095\",\"status\":\"APPROVED\",\"rejectReason\":null,\"isReportedAbuse\":false,\"rejectUser\":nu\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE2OGlFQjcxOEM5Nj
c1QzQ5Q0Q3?\r\nrevision=57\\\"}\":\r\n{\"__typename\":\"AssociatedImage\",\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE2OGlFQjcxOEM5Nj\r\nrevision=57\",\"title\":\"Image1.png\",\"associationType\":\"TEASER\",\"width\":799,\"height\":527,\"altText\":null},\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE1MWkzRkU2NThDQUY5QzMzNTg1?\r\nrevision=57\\\"}\":\r\n{\"__typename\":\"AssociatedImage\",\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTE1MWkzRkU2NThDQ\r\nrevision=57\",\"title\":\"Image1.png\",\"associationType\":\"BODY\",\"width\":799,\"height\":527,\"altText\":null},\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyNmk0QUEzQjFDRjM0MkI0OTU4?\r\nrevision=57\\\"}\":\r\n{\"__typename\":\"AssociatedImage\",\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyNmk0QUEzQjFDR\r\nrevision=57\",\"title\":\"DiagnosticSettings1.png\",\"associationType\":\"BODY\",\"width\":3454,\"height\":1879,\"altText\":null},\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyN2lBRTZGNDQ4NjhDMUFCNDM5?\r\nrevision=57\\\"}\":\r\n{\"__typename\":\"AssociatedImage\",\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyN2lBRTZGNDQ4N\r\nrevision=57\",\"title\":\"DiagnosticSettings2.png\",\"associationType\":\"BODY\",\"width\":3679,\"height\":1006,\"altText\":null},\"AssociatedImage:\r\n{\\\"url\\\":\\\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyOGlDQjYxQ0JGRTVCNjE3MUQ3?\r\nrevision=57\\\"}\":\r\n{\"__typename\":\"AssociatedImage\",\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xOTk1MDk1LTI0MTUyOGlDQjYxQ0JGRT\r\nrevision=57\",\"title\":\"DiagnosticSettings3.png\",\"associationType\":\"BODY
Components\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 51 of 65\n\n[\"community.widget.bannerWidget\"],\"componentOrder\":null,\"__typename\":\"QuiltContainerSectionProps\"},\"headerComponentProps\":\r\n{\"community.widget.breadcrumbWidget\":\r\n{\"disableLastCrumbForDesktop\":false}},\"footerProps\":null,\"footerComponentProps\":null,\"items\":[{\"id\":\"blog-article\",\"layout\":\"ONE_COLUMN\",\"bgColor\":null,\"showTitle\":null,\"showDescription\":null,\"textPosition\":null,\"textColor\":null,\"sectionEditLevel\":\"LOC\r\n{\"main\":[{\"id\":\"blogs.widget.blogArticleWidget\",\"className\":\"lia-blog-container\",\"props\":null,\"__typename\":\"QuiltComponent\"}],\"__typename\":\"OneSectionColumns\"}},{\"id\":\"section-1729184836777\",\"layout\":\"MAIN_SIDE\",\"bgColor\":\"transparent\",\"showTitle\":false,\"showDescription\":false,\"textPosition\":\"CENTER\",\"textColor\":\"var\r\n-lia-bs-body-color)\",\"sectionEditLevel\":null,\"bgImage\":null,\"disableSpacing\":null,\"edgeToEdgeDisplay\":null,\"fullHeight\":null,\"showBorder\":null,\"__typename\":\"Ma\r\n{\"main\":[],\"side\":[{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"className\":null,\"props\":\r\n{\"widgetVisibility\":\"anonymousOnly\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"widgetChooser\":\"custom.widget.UnregisteredCT\r\ncomponents/common/EmailVerification-1775111750899\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/common/EmailVerification-1775111750899\",\"value\":{\"email.verification.title\":\"Email Verification\r\nRequired\",\"email.verification.message.update.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. 
To change your email, visit My\r\nSettings.\",\"email.verification.message.resend.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. Resend email.\"},\"localOverride\":false},\"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111750899\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-pages/blogs/BlogMessagePage-1775111750899\",\"value\":{\"title\":\"{contextMessageSubject} |\r\n{communityTitle}\",\"errorMissing\":\"This blog post cannot be found\",\"name\":\"Blog Message Page\",\"section.blog-article.title\":\"Blog Post\",\"archivedMessageTitle\":\"This Content Has Been Archived\",\"section.section-1729184836777.title\":\"\",\"section.section-1729184836777.description\":\"\",\"section.CncIde.title\":\"Blog\r\nPost\",\"section.tifEmD.description\":\"\",\"section.tifEmD.title\":\"\"},\"localOverride\":false},\"CachedAsset:quiltWrapper:o365.prod:Common:1775111735077\"\r\n{\"__typename\":\"CachedAsset\",\"id\":\"quiltWrapper:o365.prod:Common:1775111735077\",\"value\":\r\n{\"id\":\"Common\",\"header\":{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\n[{\"id\":\"community.widget.navbarWidget\",\"props\":\r\n{\"showUserName\":true,\"showRegisterLink\":true,\"useIconLanguagePicker\":true,\"useLabelLanguagePicker\":true,\"style\":\r\n{\"boxShadow\":\"var(--lia-bs-box-shadow-sm)\",\"linkFontWeight\":\"400\",\"controllerHighlightColor\":\"hsla(30, 
100%,\r\n50%)\",\"dropdownDividerMarginBottom\":\"10px\",\"hamburgerBorderHover\":\"none\",\"linkFontSize\":\"14px\",\"linkBoxShadowHover\":\"none\",\"backgroundO\r\n-lia-border-radius-50)\",\"hamburgerBgColor\":\"transparent\",\"linkTextBorderBottom\":\"none\",\"hamburgerColor\":\"var(--lia-nav-controller-icon-color)\",\"brandLogoHeight\":\"30px\",\"linkLetterSpacing\":\"normal\",\"linkBgHoverColor\":\"transparent\",\"collapseMenuDividerOpacity\":0.16,\"paddingBottom\r\nsolid var(--lia-bs-border-color)\",\"hamburgerBorder\":\"none\",\"dropdownPaddingX\":\"10px\",\"brandMarginRightSm\":\"10px\",\"linkBoxShadow\":\"none\",\"linkJustifyContent\":\"flex-start\",\"linkColor\":\"var(--lia-bs-body-color)\",\"collapseMenuDividerBg\":\"var(--lia-nav-link-color)\",\"dropdownPaddingTop\":\"10px\",\"controllerTextColor\":\"var(--lia-nav-controller-icon-color)\",\"controllerHighlightTextColor\":\"var(--lia-yiq-dark)\",\"background\":{\"imageAssetName\":\"\",\"color\":\"var(--lia-bs-white)\",\"size\":\"COVER\",\"repeat\":\"NO_REPEAT\",\"position\":\"CENTER_CENTER\",\"imageLastModified\":\"\"},\"linkBorderRadius\":\"var(-\r\n-lia-bs-border-radius-sm)\",\"linkHoverColor\":\"var(--lia-bs-body-color)\",\"position\":\"FIXED\",\"linkBorder\":\"none\",\"linkTextBorderBottomHover\":\"2px solid var(--lia-bs-primary)\",\"brandMarginRight\":\"30px\",\"hamburgerHoverColor\":\"var(--lia-nav-controller-icon-color)\",\"linkBorderHover\":\"none\",\"collapseMenuMarginLeft\":\"20px\",\"linkFontStyle\":\"NORMAL\",\"linkPaddingX\":\"10px\",\"controllerTextHoverColor\":\r\n-lia-nav-controller-icon-hover-color)\",\"paddingTop\":\"15px\",\"linkPaddingY\":\"5px\",\"linkTextTransform\":\"NONE\",\"dropdownBorderColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)\",\"controllerBgHoverColor\":\"hsla(var(--lia-bs-black-h), var(--\r\nlia-bs-black-s), var(--lia-bs-black-l), 
0.1)\",\"linkDropdownPaddingX\":\"var(--lia-nav-link-px)\",\"linkBgColor\":\"transparent\",\"linkDropdownPaddingY\":\"9px\",\"controllerIconColor\":\"var(--lia-bs-body-color)\",\"dropdownDividerMarginTop\":\"10px\",\"linkGap\":\"10px\",\"controllerIconHoverColor\":\"var(--lia-bs-body-color)\"},\"links\":{\"sideLinks\":[],\"logoLinks\":[],\"mainLinks\":[{\"children\":\r\n[],\"linkType\":\"INTERNAL\",\"id\":\"gxcuf89792\",\"params\":{},\"routeName\":\"CommunityPage\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"community-hub-link\",\"url\":\"/Directory\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-link\",\"params\":\r\n{\"categoryId\":\"microsoft365\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-link\",\"params\":{\"categoryId\":\"Windows\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-security-link\",\"params\":{\"categoryId\":\"microsoft-security\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-teams-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftTeams\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-azure-link\",\"params\":{\"categoryId\":\"Azure\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-content_management-link\",\"params\":{\"categoryId\":\"Content_Management\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftintune-link\",\"params\":\r\n{\"categoryId\":\"microsoftintune\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-exchange-link\",\"params\":{\"categoryId\":\"Exchange\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-server-link\",\"params\":{\"categoryId\":\"Windows-Server\"},\"routeName\":\"CategoryPage\"},\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azur
e-sentinel/ba-p/1995095\r\nPage 52 of 65\n\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-outlook-link\",\"params\":\r\n{\"categoryId\":\"Outlook\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-copilot-link\",\"params\":{\"categoryId\":\"Microsoft365Copilot\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"Common_Enntvz-view-all-products-link\",\"url\":\"/Directory\",\"target\":\"SELF\"}],\"linkType\":\"EXTERNAL\",\"id\":\"products-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-education-sector-link\",\"params\":\r\n{\"categoryId\":\"EducationSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-partner-community-link\",\"params\":{\"categoryId\":\"PartnerCommunity\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-healthcare-and-life-sciences-link\",\"params\":\r\n{\"categoryId\":\"HealthcareAndLifeSciences\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-i-t-ops-talk-link\",\"params\":{\"categoryId\":\"ITOpsTalk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-public-sector-link\",\"params\":\r\n{\"categoryId\":\"PublicSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftfor-nonprofits-link\",\"params\":{\"categoryId\":\"MicrosoftforNonprofits\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-io-t-link\",\"params\":{\"categoryId\":\"IoT\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-mvp-link\",\"params\":{\"categoryId\":\"mvp\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-mechanics-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftMechanics\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-driving-adoption-link\",\"params\":{\"categoryId\":\"Driv
ingAdoption\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-learn-for-educators-link\",\"params\":{\"categoryId\":\"microsoft-learn-for-educators\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"EXTERNAL\",\"id\":\"topics-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[],\"linkType\":\"EXTERNAL\",\"id\":\"all-blogs-link\",\"url\":\"/Blogs\",\"target\":\"SELF\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"all-events-link\",\"url\":\"/Events\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-link\",\"params\":{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-Blog\",\"params\":{\"boardId\":\"skills-hub-blog\",\"categoryId\":\"skills-hub\"},\"routeName\":\"BlogBoardPage\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-LD\",\"url\":\"/category/skills-hub?\r\ntab=grouphub\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-dynamics\",\"url\":\"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-m365\",\"url\":\"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-security\",\"url\":\"https://docs.microsoft.com/learn/topics/sci/?\r\nwt.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-pp\",\"url\":\"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-github\",\"url\":\"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-teams\",\"url\":\"https://docs.microsoft.com/learn/teams/?\r\nwt.mc_id=techcom_header-we
bpage-teams\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-net\",\"url\":\"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-azure\",\"url\":\"https://docs.microsoft.com/learn/azure/?\r\nWT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"}],\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub\",\"params\":\r\n{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-info-center-link\",\"params\":{\"categoryId\":\"Community-Info-Center\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-usergroups-link\",\"params\":\r\n{\"categoryId\":\"usergroups\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-news-desk-link\",\"params\":{\"categoryId\":\"CommunityNewsDesk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-global-community-initiative-link\",\"params\":{\"categoryId\":\"microsoft-global-community-initiative\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"INTERNAL\",\"id\":\"Common-gxcuf89792-\r\ncommunity\",\"params\":\r\n{},\"routeName\":\"CommunityPage\"}]},\"showSearchIcon\":true,\"languagePickerStyle\":\"iconAndLabel\"},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"community.widget.breadcrumbWidget\",\"props\":{\"backgroundColor\":\"transparent\",\"linkHighlightColor\":\"var(--lia-bs-primary)\",\"visualEffects\":{\"showBottomBorder\":true},\"linkTextColor\":\"var(--lia-bs-gray-700)\"},\"__typename\":\"QuiltComponent\"},{\"id\":\"custom.widget.CommunityBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"usePageWidth\":false,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"Qu\r\n{\"id\":\"custom.widget.ChatbotWidget\",\"props\":\r\n{\"customComponentId\":\"custom.widget.ChatbotWidget
\",\"cDisplay_form\":true,\"useBackground\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.HeroBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"usePageWidth\":false,\"useTitle\":true,\"cMax_items\":3,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"w\r\n{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\n[{\"id\":\"custom.widget.SocialSharing\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.MicrosoftFooter\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"}],\"__ty\r\ncomponents/common/ActionFeedback-1775111750899\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 53 of 65\n\ncomponents/common/ActionFeedback-1775111750899\",\"value\":\r\n{\"joinedGroupHub.title\":\"Welcome\",\"joinedGroupHub.message\":\"You are now a member of this group and are subscribed\r\nto updates.\",\"groupHubInviteNotFound.title\":\"Invitation Not Found\",\"groupHubInviteNotFound.message\":\"Sorry, we could\r\nnot find your invitation to the group. The owner may have canceled the invite.\",\"groupHubNotFound.title\":\"Group Not\r\nFound\",\"groupHubNotFound.message\":\"The grouphub you tried to join does not exist. 
It may have been\r\ndeleted.\",\"existingGroupHubMember.title\":\"Already Joined\",\"existingGroupHubMember.message\":\"You are already a\r\nmember of this group.\",\"accountLocked.title\":\"Account Locked\",\"accountLocked.message\":\"Your account has been locked\r\ndue to multiple failed attempts. Try again in {lockoutTime} minutes.\",\"editedGroupHub.title\":\"Changes\r\nSaved\",\"editedGroupHub.message\":\"Your group has been\r\nupdated.\",\"leftGroupHub.title\":\"Goodbye\",\"leftGroupHub.message\":\"You are no longer a member of this group and will not\r\nreceive future updates.\",\"deletedGroupHub.title\":\"Deleted\",\"deletedGroupHub.message\":\"The group has been\r\ndeleted.\",\"groupHubCreated.title\":\"Group Created\",\"groupHubCreated.message\":\"{groupHubName} is ready to\r\nuse\",\"accountClosed.title\":\"Account Closed\",\"accountClosed.message\":\"The account has been closed and you will now be\r\nredirected to the homepage\",\"resetTokenExpired.title\":\"Reset Password Link has\r\nExpired\",\"resetTokenExpired.message\":\"Try resetting your password again\",\"invalidUrl.title\":\"Invalid\r\nURL\",\"invalidUrl.message\":\"The URL you're using is not recognized. Verify your URL and try\r\nagain.\",\"accountClosedForUser.title\":\"Account Closed\",\"accountClosedForUser.message\":\"{userName}'s account is\r\nclosed\",\"inviteTokenInvalid.title\":\"Invitation Invalid\",\"inviteTokenInvalid.message\":\"Your invitation to the community has\r\nbeen canceled or expired.\",\"inviteTokenError.title\":\"Invitation Verification Failed\",\"inviteTokenError.message\":\"The url you\r\nare utilizing is not recognized. 
Verify your URL and try again\",\"pageNotFound.title\":\"Access\r\nDenied\",\"pageNotFound.message\":\"You do not have access to this area of the community or it doesn't\r\nexist\",\"eventAttending.title\":\"Responded as Attending\",\"eventAttending.message\":\"You'll be notified when there's new\r\nactivity and reminded as the event approaches\",\"eventInterested.title\":\"Responded as\r\nInterested\",\"eventInterested.message\":\"You'll be notified when there's new activity and reminded as the event\r\napproaches\",\"eventNotFound.title\":\"Event Not Found\",\"eventNotFound.message\":\"The event you tried to respond to does\r\nnot exist.\",\"redirectToRelatedPage.title\":\"Showing Related Content\",\"redirectToRelatedPageForBaseUsers.title\":\"Showing\r\nRelated Content\",\"redirectToRelatedPageForBaseUsers.message\":\"The content you are trying to access is\r\narchived\",\"redirectToRelatedPage.message\":\"The content you are trying to access is\r\narchived\",\"relatedUrl.archivalLink.flyoutMessage\":\"The content you are trying to access is archived View 
Archived\r\nContent\"},\"localOverride\":false},\"CachedAsset:component:custom.widget.CommunityBanner-en-us-1775107888865\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.CommunityBanner-en-us-1775107888865\",\"value\":\r\n{\"component\":{\"id\":\"custom.widget.CommunityBanner\",\"template\":\r\n{\"id\":\"CommunityBanner\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":null,\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.CommunityBanner\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775107888865\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.ChatbotWidget-en-us-1775107888865\",\"value\":{\"component\":{\"id\":\"custom.widget.ChatbotWidget\",\"template\":\r\n{\"id\":\"ChatbotWidget\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"chatbot.references.title\":\"Related\r\nArticles\",\"chatbot.welcome.title\":\"Welcome!\",\"chatbot.welcome.description\":\"I'm here to help you explore and discover\r\ngreat content.\",\"chatbot.welcome.prompt\":\"Ask me a question or choose a suggestion below to get\r\nstarted:\",\"chatbot.welcome.cta\":\"Let's dive in—what would you like to discover today?\",\"chatbot.status.typing\":\"Assistant\r\nis typing…\",\"chatbot.status.error\":\"error\",\"chatbot.error.response\":\"Failed to get response. 
Please try\r\nagain.\",\"chatbot.error.processing\":\"There was an error processing your message.\",\"chatbot.error.configuration\":\"API URL\r\nnot configured\",\"chatbot.error.network\":\"Network error occurred. Please check your connection and try\r\nagain.\",\"chatbot.error.timeout\":\"Request timed out. Please try again.\",\"chatbot.error.emptyResponse\":\"I couldn't generate a\r\nresponse. Please try rephrasing your question.\",\"chatbot.buttons.send\":\"Send\",\"chatbot.buttons.close\":\"Close\r\nchat\",\"chatbot.buttons.newChat\":\"Start new chat\",\"chatbot.buttons.collapse\":\"Collapse chat\r\npanel\",\"chatbot.buttons.expand\":\"Expand chat panel\",\"chatbot.buttons.fullscreen\":\"Enter\r\nfullscreen\",\"chatbot.buttons.exitFullscreen\":\"Exit fullscreen\",\"chatbot.buttons.like\":\"Like this\r\nresponse\",\"chatbot.buttons.dislike\":\"Dislike this response\",\"chatbot.buttons.removeLike\":\"Remove\r\nlike\",\"chatbot.buttons.removeDislike\":\"Remove dislike\",\"chatbot.aria.chatInput\":\"Chat\r\ninput\",\"chatbot.aria.sendMessage\":\"Send message\",\"chatbot.aria.openChat\":\"Open chat\r\nassistant\",\"chatbot.aria.closeChat\":\"Close chat assistant\",\"chatbot.defaults.title\":\"Ask Tech\r\nCommunity\",\"chatbot.defaults.subtitle\":\"Ask questions – get answers\",\"chatbot.defaults.entryHeading\":\"Find\r\nanswers\",\"chatbot.defaults.entrySubtext\":\"Ask the agent\",\"chatbot.defaults.placeholder\":\"Type your\r\nmessage…\",\"chatbot.defaults.initialMessage\":\"Hi! I'm your assistant. 
Ask me something or pick a suggestion above to\r\nbegin.\",\"chatbot.suggestions.findBlogs\":\"Find insightful blogs\",\"chatbot.suggestions.exploreEvents\":\"Explore upcoming\r\nevents\",\"chatbot.suggestions.startJourney\":\"Start your journey with something new\",\"chatbot.dialog.endConversation\":\"End\r\nconversation\",\"chatbot.dialog.confirmEndConversation\":\"Do you want to end this conversation and start\r\nover?\",\"chatbot.dialog.endConversationButton\":\"End\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 54 of 65\n\nconversation\",\"chatbot.dialog.cancel\":\"Cancel\",\"chatbot.error.genericServiceUnavailable\":\"The service is currently\r\nunavailable. Please try again later.\",\"chatbot.error.noResults\":\"We could not find any information related to your query. Try\r\nrephrasing your query.\"},\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.ChatbotWidget\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775107888865\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.HeroBanner-en-us-1775107888865\",\"value\":{\"component\":{\"id\":\"custom.widget.HeroBanner\",\"template\":\r\n{\"id\":\"HeroBanner\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"searchPlaceholderText\":\"Search 
this\r\ncommunity\",\"followActionText\":\"Follow\",\"unfollowActionText\":\"Following\",\"searchOnHoverText\":\"Please enter your\r\nsearch term(s) and then press return key to complete a search.\",\"blogs.sidebar.pagetitle\":\"Latest Blogs | Microsoft Tech\r\nCommunity\",\"followThisNode\":\"Follow this node\",\"unfollowThisNode\":\"Unfollow this\r\nnode\",\"customField.teamsLink.title\":\"Microsoft teams link\",\"customField.teamsLink.label\":\"Teams meeting\r\nurl\"},\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[{\"id\":\"max_items\",\"dataType\":\"NUMBER\",\"list\":false,\"defaultValue\":\"3\",\"label\":\"Max Items\",\"description\":\"The\r\nmaximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"control\":\"INPUT\",\"__typename\":\"PropDefinition\"}],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.HeroBanner\",\"form\":{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\"
:\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"label\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n[],\"_
_typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[{\"id\":\"max_items\",\"dataType\":\"NUMBER\",\"list\":false,\"defaultValue\":\"3\",\"label\":\"Max Items\",\"description\":\"The\r\nmaximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"control\":\"INPUT\",\"__typename\":\"PropDefinition\"}],\"__typename\":\"ComponentProperties\"},\"form\":\r\n{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"label\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in 
the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 55 of 
65\n\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"lab
el\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\nen-us-1775107888865\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.UnregisteredCTAWidget-en-us-1775107888865\",\"value\":{\"component\":{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"template\":\r\n{\"id\":\"UnregisteredCTAWidget\",\"mark
upLanguage\":\"REACT\",\"style\":null,\"texts\":{\"register.communityHub\":\"Welcome to\r\nthe {name} Community Hub. Sign in to like, participate, or start a conversation.\",\"register.category\":\"Welcome to the\r\n{name} Community Hub. Sign in to like, participate, or start a conversation.\",\"register.discussionBoard\":\"Welcome to the\r\n{name} space. Sign in to like, reply, or start a discussion.\",\"register.blogSpace\":\"Welcome to the {name} space. Sign in to\r\nlike or comment on articles in this space.\",\"register.eventSpace\":\"Welcome to the {name} space. Sign in to RSVP, add\r\nevents to your calendar, and join the conversation.\",\"register.ideaSpace\":\"Welcome to the {name} space. Sign in to vote,\r\ncomment, or submit your own feedback.\",\"buttonRegister\":\"Sign in\",\"register.discussionBoardArticle\":\"Have a question or\r\ninsight to share? Sign in to join the discussion.\",\"register.blogSpaceArticle\":\"Enjoying the article? Sign in to share your\r\nthoughts.\",\"register.eventSpaceArticle\":\"Don’t just watch - take part. 
Sign in to RSVP, ask questions, and join the\r\ndiscussion.\",\"register.ideaSpaceArticle\":\"Sign in to submit ideas, upvote ideas, and join the conversation.\"},\"defaults\":\r\n{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775107888865\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.SocialSharing-en-us-1775107888865\",\"value\":{\"component\":{\"id\":\"custom.widget.SocialSharing\",\"template\":\r\n{\"id\":\"SocialSharing\",\"markupLanguage\":\"HANDLEBARS\",\"style\":\".sharePage {\\n display: flex;\\n justify-content:\r\ncenter;\\n background: #d7d7d7;\\n padding: 0px;\\n height: 60px;\\n}\\n.singleSocialIcons {\\n display: flex;\\n gap: 12px;\\n list-style-type: none;\\n padding: 0px;\\n margin: 0;\\n}\\n.containers {\\n display: flex;\\n gap: 30px;\\n}\\n\\n.listIcon {\\n align-content: center;\\n}\\n.headingShare {\\n display: inline;\\n margin-right: 25px;\\n margin-bottom: 0px;\\n font-size: 20px;\\n\r\nfont-weight: 550;\\n align-content: center;\\n}\\n\\n@media (max-width: 990px) {\\n .sharePage {\\n display: flex;\\n justify-content: center;\\n }\\n\\n .containers {\\n display: inline-block;\\n justify-content: center;\\n align-content: center;\\n align-items:\r\ncenter;\\n }\\n .headingShare {\\n display: flex;\\n justify-content: center;\\n }\\n .singleSocialIcons 
{\\n\r\n}\\n}\\n\",\"texts\":null,\"defaults\":{\"config\":{\"applicablePages\":[],\"description\":\"Adds buttons to share to various social media\r\nwebsites\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.SocialSharing\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":\"Adds buttons to share to various social media\r\nwebsites\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 56 of 65\n\n{\"css\":\".custom_widget_SocialSharing_sharePage_6x3n8_1 {\\n display: flex;\\n justify-content: center;\\n background:\r\n#d7d7d7;\\n padding: 0;\\n height: 3.75rem;\\n}\\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\\n display:\r\nflex;\\n gap: 0.75rem;\\n list-style-type: none;\\n padding: 0;\\n margin:\r\n0;\\n}\\n.custom_widget_SocialSharing_containers_6x3n8_15 {\\n display: flex;\\n gap:\r\n1.875rem;\\n}\\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\\n align-content:\r\ncenter;\\n}\\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\\n display: inline;\\n margin-right: 1.5625rem;\\n\r\nmargin-bottom: 0;\\n font-size: 1.25rem;\\n font-weight: 550;\\n align-content: center;\\n}\\n@media (max-width: 990px) {\\n\r\n.custom_widget_SocialSharing_sharePage_6x3n8_1 {\\n display: flex;\\n justify-content: center;\\n }\\n\\n\r\n.custom_widget_SocialSharing_containers_6x3n8_15 {\\n display: inline-block;\\n justify-content: center;\\n align-content:\r\ncenter;\\n align-items: center;\\n }\\n 
.custom_widget_SocialSharing_headingShare_6x3n8_23 {\\n display: flex;\\n justify-content: center;\\n }\\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\\n }\\n}\\n\",\"tokens\":\r\n{\"sharePage\":\"custom_widget_SocialSharing_sharePage_6x3n8_1\",\"singleSocialIcons\":\"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8\",\"co\r\nen-us-1775107888865\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.MicrosoftFooter-en-us-1775107888865\",\"value\":{\"component\":{\"id\":\"custom.widget.MicrosoftFooter\",\"template\":\r\n{\"id\":\"MicrosoftFooter\",\"markupLanguage\":\"HANDLEBARS\",\"style\":\".context-uhf {\\r\\n min-width: 280px;\\r\\n font-size:\r\n15px;\\r\\n box-sizing: border-box;\\r\\n -ms-text-size-adjust: 100%;\\r\\n -webkit-text-size-adjust: 100%;\\r\\n \u0026 *,\\r\\n \u0026\r\n*:before,\\r\\n \u0026 *:after {\\r\\n box-sizing: inherit;\\r\\n }\\r\\n a.c-uhff-link {\\r\\n color: #616161;\\r\\n word-break: break-word;\\r\\n\r\ntext-decoration: none;\\r\\n }\\r\\n \u0026a:link,\\r\\n \u0026a:focus,\\r\\n \u0026a:hover,\\r\\n \u0026a:active,\\r\\n \u0026a:visited {\\r\\n text-decoration:\r\nnone;\\r\\n color: inherit;\\r\\n }\\r\\n \u0026 div {\\r\\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\\r\\n }\\r\\n}\\r\\n.c-uhff {\\r\\n background: #f2f2f2;\\r\\n margin: -1.5625;\\r\\n width: auto;\\r\\n height: auto;\\r\\n}\\r\\n.c-uhff-nav {\\r\\n margin: 0 auto;\\r\\n max-width: calc(1600px + 10%);\\r\\n padding: 0 5%;\\r\\n box-sizing: inherit;\\r\\n \u0026:before,\\r\\n\r\n\u0026:after {\\r\\n content: ' ';\\r\\n display: table;\\r\\n clear: left;\\r\\n }\\r\\n @media only screen and (max-width: 1083px) {\\r\\n\r\npadding-left: 12px;\\r\\n }\\r\\n .c-heading-4 {\\r\\n color: #616161;\\r\\n word-break: break-word;\\r\\n font-size: 15px;\\r\\n line-height: 20px;\\r\\n padding: 36px 0 4px;\\r\\n font-weight: 600;\\r\\n }\\r\\n .c-uhff-nav-row {\\r\\n .c-uhff-nav-group {\\r\\n 
display:\r\nblock;\\r\\n float: left;\\r\\n min-height: 1px;\\r\\n vertical-align: text-top;\\r\\n padding: 0 12px;\\r\\n width: 100%;\\r\\n zoom: 1;\\r\\n\r\n\u0026:first-child {\\r\\n padding-left: 0;\\r\\n @media only screen and (max-width: 1083px) {\\r\\n padding-left: 12px;\\r\\n }\\r\\n }\\r\\n\r\n@media only screen and (min-width: 540px) and (max-width: 1082px) {\\r\\n width: 33.33333%;\\r\\n }\\r\\n @media only\r\nscreen and (min-width: 1083px) {\\r\\n width: 16.6666666667%;\\r\\n }\\r\\n ul.c-list.f-bare {\\r\\n font-size: 11px;\\r\\n line-height:\r\n16px;\\r\\n margin-top: 0;\\r\\n margin-bottom: 0;\\r\\n padding-left: 0;\\r\\n list-style-type: none;\\r\\n li {\\r\\n word-break: break-word;\\r\\n padding: 8px 0;\\r\\n margin: 0;\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n}\\r\\n.c-uhff-base {\\r\\n background: #f2f2f2;\\r\\n margin: 0\r\nauto;\\r\\n max-width: calc(1600px + 10%);\\r\\n padding: 30px 5% 16px;\\r\\n \u0026:before,\\r\\n \u0026:after {\\r\\n content: ' ';\\r\\n\r\ndisplay: table;\\r\\n }\\r\\n \u0026:after {\\r\\n clear: both;\\r\\n }\\r\\n a.c-uhff-ccpa,\\r\\n a.c-uhff-consumer {\\r\\n display: flex;\\r\\n float:\r\nleft;\\r\\n font-size: 11px;\\r\\n line-height: 16px;\\r\\n padding: 4px 24px 0 0;\\r\\n }\\r\\n a.c-uhff-ccpa:hover,\\r\\n a.c-uhff-consumer:hover {\\r\\n text-decoration: underline;\\r\\n }\\r\\n ul.c-list {\\r\\n font-size: 11px;\\r\\n line-height: 16px;\\r\\n float:\r\nright;\\r\\n margin: 3px 0;\\r\\n color: #616161;\\r\\n li {\\r\\n padding: 0 24px 4px 0;\\r\\n display: inline-block;\\r\\n }\\r\\n }\\r\\n .c-list.f-bare {\\r\\n padding-left: 0;\\r\\n list-style-type: none;\\r\\n }\\r\\n @media only screen and (max-width: 1083px) {\\r\\n\r\ndisplay: flex;\\r\\n flex-wrap: wrap;\\r\\n padding: 30px 24px 16px;\\r\\n }\\r\\n}\\r\\n\\r\\n.social-share {\\r\\n position: fixed;\\r\\n top:\r\n60%;\\r\\n transform: translateY(-50%);\\r\\n left: 0;\\r\\n z-index: 1000;\\r\\n}\\r\\n\\r\\n.sharing-options {\\r\\n list-style: 
none;\\r\\n\r\npadding: 0;\\r\\n margin: 0;\\r\\n display: block;\\r\\n flex-direction: column;\\r\\n background-color: white;\\r\\n width: 50px;\\r\\n\r\nborder-radius: 0px 7px 7px 0px;\\r\\n}\\r\\n.linkedin-icon {\\r\\n border-top-right-radius: 7px;\\r\\n}\\r\\n.linkedin-icon:hover {\\r\\n\r\nborder-radius: 0;\\r\\n}\\r\\n\\r\\n.social-share-email-image:hover {\\r\\n border-radius: 0;\\r\\n}\\r\\n\\r\\n.social-link-footer:hover\r\n.linkedin-icon {\\r\\n border-radius: 0;\\r\\n}\\r\\n.social-link-footer:hover .social-share-email-image {\\r\\n border-radius:\r\n0;\\r\\n}\\r\\n\\r\\n.social-link-footer img {\\r\\n width: 30px;\\r\\n height: auto;\\r\\n transition: filter 0.3s ease;\\r\\n}\\r\\n\\r\\n.social-share-list {\\r\\n width: 50px;\\r\\n}\\r\\n.social-share-rss-image {\\r\\n width: 30px;\\r\\n height: auto;\\r\\n transition: filter 0.3s\r\nease;\\r\\n}\\r\\n.sharing-options li {\\r\\n width: 50px;\\r\\n height: 50px;\\r\\n padding: 8px;\\r\\n box-sizing: border-box;\\r\\n border:\r\n2px solid white;\\r\\n display: inline-block;\\r\\n text-align: center;\\r\\n opacity: 1;\\r\\n visibility: visible;\\r\\n transition: border\r\n0.3s ease; /* Smooth transition effect */\\r\\n border-left: none;\\r\\n border-bottom: none; /* Apply bottom border to only last\r\nitem */\\r\\n}\\r\\n\\r\\n.social-share-list-linkedin {\\r\\n background-color: #0474b4;\\r\\n border-top-right-radius: 5px; /* Rounded\r\ntop right corner of first item*/\\r\\n}\\r\\n.social-share-list-facebook {\\r\\n background-color: #3c5c9c;\\r\\n}\\r\\n.social-share-list-xicon {\\r\\n background-color: #000;\\r\\n}\\r\\n.social-share-list-reddit {\\r\\n background-color: #fc4404;\\r\\n}\\r\\n.social-share-list-bluesky {\\r\\n background-color: #f0f2f5;\\r\\n}\\r\\n.social-share-list-rss {\\r\\n background-color: #ec7b1c;\\r\\n}\\r\\n.social-share-list-mail {\\r\\n background-color: #848484;\\r\\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of 
last\r\nitem*/\\r\\n}\\r\\n.sharing-options li.social-share-list-mail {\\r\\n border-bottom: 2px solid white; /* Add bottom border only to\r\nthe last item */\\r\\n height: 52px; /* Increase last child height to make in align with the hover label */\\r\\n}\\r\\n.x-icon {\\r\\n\r\nfilter: invert(100%);\\r\\n transition: filter 0.3s ease;\\r\\n width: 20px !important;\\r\\n height: auto;\\r\\n padding-top: 5px\r\n!important;\\r\\n}\\r\\n.bluesky-icon {\\r\\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\\r\\n transition:\r\nfilter 0.3s ease;\\r\\n padding-top: 5px !important;\\r\\n width: 25px !important;\\r\\n}\\r\\n\\r\\n.share-icon {\\r\\n border: 2px solid\r\ntransparent;\\r\\n display: inline-block;\\r\\n position: relative;\\r\\n}\\r\\n\\r\\n.sharing-options li:hover {\\r\\n border: 2px solid\r\nwhite;\\r\\n border-left: none;\\r\\n border-bottom: none;\\r\\n border-radius: 0px;\\r\\n}\\r\\n.sharing-options li.social-share-list-mail:hover {\\r\\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\\r\\n}\\r\\n\\r\\n.sharing-options\r\nli:hover .label {\\r\\n opacity: 1;\\r\\n visibility: visible;\\r\\n border: 2px solid white;\\r\\n box-sizing: border-box;\\r\\n border-left:\r\nnone;\\r\\n}\\r\\n\\r\\n.label {\\r\\n position: absolute;\\r\\n left: 100%;\\r\\n white-space: nowrap;\\r\\n opacity: 0;\\r\\n visibility:\r\nhidden;\\r\\n transition: all 0.2s ease;\\r\\n color: white;\\r\\n border-radius: 0 10 0 10px;\\r\\n top: 50%;\\r\\n transform:\r\ntranslateY(-50%);\\r\\n height: 52px;\\r\\n display: flex;\\r\\n align-items: center;\\r\\n justify-content: center;\\r\\n padding: 10px\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 57 of 65\n\n12px 15px 8px;\\r\\n border: 2px solid white;\\r\\n}\\r\\n.linkedin {\\r\\n background-color: #0474b4;\\r\\n border-top-right-radius:\r\n5px; /* Rounded top right corner of first 
item*/\\r\\n}\\r\\n.facebook {\\r\\n background-color: #3c5c9c;\\r\\n}\\r\\n.twitter {\\r\\n\r\nbackground-color: black;\\r\\n color: white;\\r\\n}\\r\\n.reddit {\\r\\n background-color: #fc4404;\\r\\n}\\r\\n.mail {\\r\\n background-color: #848484;\\r\\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\\r\\n}\\r\\n.bluesky {\\r\\n\r\nbackground-color: #f0f2f5;\\r\\n color: black;\\r\\n}\\r\\n.rss {\\r\\n background-color: #ec7b1c;\\r\\n}\\r\\n\\r\\n@media (max-width:\r\n991px) {\\r\\n .social-share {\\r\\n display: none;\\r\\n }\\r\\n}\\r\\n\",\"texts\":{\"heading.whatsNew\":\"What's\r\nnew\",\"heading.store\":\"Microsoft\r\nStore\",\"heading.education\":\"Education\",\"heading.business\":\"Business\",\"heading.developer\":\"Developer \u0026\r\nIT\",\"heading.company\":\"Company\",\"link.whatsNew.surfacePro\":\"Surface Pro\",\"aria.whatsNew.surfacePro\":\"Surface Pro\r\nWhat's new\",\"link.whatsNew.surfaceLaptop\":\"Surface Laptop\",\"aria.whatsNew.surfaceLaptop\":\"Surface Laptop What's\r\nnew\",\"link.whatsNew.surfaceLaptopStudio2\":\"Surface Laptop Studio 2\",\"aria.whatsNew.surfaceLaptopStudio2\":\"Surface\r\nLaptop Studio 2 What's new\",\"link.whatsNew.copilotOrganizations\":\"Copilot for\r\norganizations\",\"aria.whatsNew.copilotOrganizations\":\"Copilot for organizations What's\r\nnew\",\"link.whatsNew.copilotPersonal\":\"Copilot for personal use\",\"aria.whatsNew.copilotPersonal\":\"Copilot for personal\r\nuse What's new\",\"link.whatsNew.aiInWindows\":\"AI in Windows\",\"aria.whatsNew.aiInWindows\":\"AI in Windows What's\r\nnew\",\"link.whatsNew.exploreProducts\":\"Explore Microsoft products\",\"aria.whatsNew.exploreProducts\":\"Explore Microsoft\r\nproducts What's new\",\"link.whatsNew.windows11Apps\":\"Windows 11 apps\",\"aria.whatsNew.windows11Apps\":\"Windows\r\n11 apps What's new\",\"link.store.accountProfile\":\"Account profile\",\"aria.store.accountProfile\":\"Account profile 
Microsoft\r\nStore\",\"link.store.downloadCenter\":\"Download Center\",\"aria.store.downloadCenter\":\"Download Center Microsoft\r\nStore\",\"link.store.support\":\"Microsoft Store support\",\"aria.store.support\":\"Microsoft Store support Microsoft\r\nStore\",\"link.store.returns\":\"Returns\",\"aria.store.returns\":\"Returns Microsoft Store\",\"link.store.orderTracking\":\"Order\r\ntracking\",\"aria.store.orderTracking\":\"Order tracking Microsoft Store\",\"link.store.certifiedRefurbished\":\"Certified\r\nRefurbished\",\"aria.store.certifiedRefurbished\":\"Certified Refurbished Microsoft Store\",\"link.store.promise\":\"Microsoft\r\nStore Promise\",\"aria.store.promise\":\"Microsoft Store Promise Microsoft Store\",\"link.store.flexiblePayments\":\"Flexible\r\nPayments\",\"aria.store.flexiblePayments\":\"Flexible Payments Microsoft\r\nStore\",\"link.education.microsoftInEducation\":\"Microsoft in education\",\"aria.education.microsoftInEducation\":\"Microsoft in\r\neducation Education\",\"link.education.devices\":\"Devices for education\",\"aria.education.devices\":\"Devices for education\r\nEducation\",\"link.education.teams\":\"Microsoft Teams for Education\",\"aria.education.teams\":\"Microsoft Teams for Education\r\nEducation\",\"link.education.m365\":\"Microsoft 365 Education\",\"aria.education.m365\":\"Microsoft 365 Education\r\nEducation\",\"link.education.howToBuy\":\"How to buy for your school\",\"aria.education.howToBuy\":\"How to buy for your\r\nschool Education\",\"link.education.training\":\"Educator training and development\",\"aria.education.training\":\"Educator\r\ntraining and development Education\",\"link.education.deals\":\"Deals for students and parents\",\"aria.education.deals\":\"Deals\r\nfor students and parents Education\",\"link.education.ai\":\"AI for education\",\"aria.education.ai\":\"AI for education\r\nEducation\",\"link.business.microsoftAi\":\"Microsoft AI\",\"aria.business.microsoftAi\":\"Microsoft 
AI\r\nBusiness\",\"link.business.security\":\"Microsoft Security\",\"aria.business.security\":\"Microsoft Security\r\nBusiness\",\"link.business.dynamics\":\"Dynamics 365\",\"aria.business.dynamics\":\"Dynamics 365\r\nBusiness\",\"link.business.m365\":\"Microsoft 365\",\"aria.business.m365\":\"Microsoft 365\r\nBusiness\",\"link.business.powerPlatform\":\"Microsoft Power Platform\",\"aria.business.powerPlatform\":\"Microsoft Power\r\nPlatform Business\",\"link.business.teams\":\"Microsoft Teams\",\"aria.business.teams\":\"Microsoft Teams\r\nBusiness\",\"link.business.m365Copilot\":\"Microsoft 365 Copilot\",\"aria.business.m365Copilot\":\"Microsoft 365 Copilot\r\nBusiness\",\"link.business.smallBusiness\":\"Small Business\",\"aria.business.smallBusiness\":\"Small Business\r\nBusiness\",\"link.developer.azure\":\"Azure\",\"aria.developer.azure\":\"Azure Developer \u0026\r\nIT\",\"link.developer.developerCenter\":\"Microsoft Developer\",\"aria.developer.developerCenter\":\"Microsoft Developer\r\nDeveloper \u0026 IT\",\"link.developer.learn\":\"Microsoft Learn\",\"aria.developer.learn\":\"Microsoft Learn Developer \u0026\r\nIT\",\"link.developer.aiMarketplace\":\"Support for AI marketplace apps\",\"aria.developer.aiMarketplace\":\"Support for AI\r\nmarketplace apps Developer \u0026 IT\",\"link.developer.techCommunity\":\"Microsoft Tech\r\nCommunity\",\"aria.developer.techCommunity\":\"Microsoft Tech Community Developer \u0026\r\nIT\",\"link.developer.marketplace\":\"Microsoft Marketplace\",\"aria.developer.marketplace\":\"Microsoft Marketplace Developer\r\n\u0026 IT\",\"link.developer.marketplaceRewards\":\"Marketplace Rewards\",\"aria.developer.marketplaceRewards\":\"Marketplace\r\nRewards Developer \u0026 IT\",\"link.developer.visualStudio\":\"Visual Studio\",\"aria.developer.visualStudio\":\"Visual Studio\r\nDeveloper \u0026 IT\",\"link.company.careers\":\"Careers\",\"aria.company.careers\":\"Careers\r\nCompany\",\"link.company.about\":\"About 
Microsoft\",\"aria.company.about\":\"About Microsoft\r\nCompany\",\"link.company.news\":\"Company news\",\"aria.company.news\":\"Company news\r\nCompany\",\"link.company.privacy\":\"Privacy at Microsoft\",\"aria.company.privacy\":\"Privacy at Microsoft\r\nCompany\",\"link.company.investors\":\"Investors\",\"aria.company.investors\":\"Investors\r\nCompany\",\"link.company.diversity\":\"Diversity and inclusion\",\"aria.company.diversity\":\"Diversity and inclusion\r\nCompany\",\"link.company.accessibility\":\"Accessibility\",\"aria.company.accessibility\":\"Accessibility\r\nCompany\",\"link.company.sustainability\":\"Sustainability\",\"aria.company.sustainability\":\"Sustainability\r\nCompany\",\"ccpa.label\":\"Your Privacy Choices\",\"consumerhealthprivacy.label\":\"Consumer Health\r\nPrivacy\",\"corp.sitemap\":\"Sitemap\",\"corp.contact\":\"Contact\r\nMicrosoft\",\"corp.privacy\":\"Privacy\",\"corp.manageCookies\":\"Manage cookies\",\"corp.terms\":\"Terms of\r\nuse\",\"corp.trademarks\":\"Trademarks\",\"corp.safetyEco\":\"Safety \u0026\r\neco\",\"corp.recycling\":\"Recycling\",\"corp.aboutAds\":\"About our\r\nads\",\"corp.microsoft\":\"Microsoft\",\"social.linkedin.alt\":\"Share to LinkedIn\",\"social.linkedin.label\":\"Share on\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 58 of 65\n\nLinkedIn\",\"social.facebook.alt\":\"Share to Facebook\",\"social.facebook.label\":\"Share on Facebook\",\"social.x.alt\":\"Share to\r\nX\",\"social.x.label\":\"Share on X\",\"social.reddit.alt\":\"Share to Reddit\",\"social.reddit.label\":\"Share on\r\nReddit\",\"social.bluesky.alt\":\"Share to Blue Sky\",\"social.bluesky.label\":\"Share on Bluesky\",\"social.rss.alt\":\"Subscribe to\r\nRSS\",\"social.rss.label\":\"Share on RSS\",\"social.email.alt\":\"Share to Email\",\"social.email.label\":\"Share on\r\nEmail\"},\"defaults\":{\"config\":{\"applicablePages\":[],\"description\":\"The 
Microsoft\r\nFooter\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.MicrosoftFooter\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":\"The Microsoft\r\nFooter\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":\r\n{\"css\":\".custom_widget_MicrosoftFooter_context-uhf_qp4x5_1 {\\r\\n min-width: 17.5rem;\\r\\n font-size: 0.9375rem;\\r\\n\r\nbox-sizing: border-box;\\r\\n -ms-text-size-adjust: 100%;\\r\\n -webkit-text-size-adjust: 100%;\\r\\n \u0026 *,\\r\\n \u0026 *:before,\\r\\n \u0026\r\n*:after {\\r\\n box-sizing: inherit;\\r\\n }\\r\\n a.custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23 {\\r\\n color: #616161;\\r\\n\r\nword-break: break-word;\\r\\n text-decoration: none;\\r\\n }\\r\\n \u0026a:link,\\r\\n \u0026a:focus,\\r\\n \u0026a:hover,\\r\\n \u0026a:active,\\r\\n\r\n\u0026a:visited {\\r\\n text-decoration: none;\\r\\n color: inherit;\\r\\n }\\r\\n \u0026 div {\\r\\n font-family: 'Segoe UI', SegoeUI, 'Helvetica\r\nNeue', Helvetica, Arial, sans-serif;\\r\\n }\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_c-uhff_qp4x5_23 {\\r\\n background:\r\n#f2f2f2;\\r\\n margin: -1.5625;\\r\\n width: auto;\\r\\n height: auto;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69 {\\r\\n margin: 0 auto;\\r\\n max-width: calc(100rem + 10%);\\r\\n padding: 0 5%;\\r\\n box-sizing: inherit;\\r\\n\r\n\u0026:before,\\r\\n \u0026:after {\\r\\n content: ' ';\\r\\n display: table;\\r\\n clear: left;\\r\\n }\\r\\n @media only screen and (max-width:\r\n1083px) {\\r\\n padding-left: 0.75rem;\\r\\n }\\r\\n 
.custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97 {\\r\\n color:\r\n#616161;\\r\\n word-break: break-word;\\r\\n font-size: 0.9375rem;\\r\\n line-height: 1.25rem;\\r\\n padding: 2.25rem 0\r\n0.25rem;\\r\\n font-weight: 600;\\r\\n }\\r\\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113 {\\r\\n\r\n.custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115 {\\r\\n display: block;\\r\\n float: left;\\r\\n min-height:\r\n0.0625rem;\\r\\n vertical-align: text-top;\\r\\n padding: 0 0.75rem;\\r\\n width: 100%;\\r\\n zoom: 1;\\r\\n \u0026:first-child {\\r\\n padding-left: 0;\\r\\n @media only screen and (max-width: 1083px) {\\r\\n padding-left: 0.75rem;\\r\\n }\\r\\n }\\r\\n @media only screen\r\nand (min-width: 540px) and (max-width: 1082px) {\\r\\n width: 33.33333%;\\r\\n }\\r\\n @media only screen and (min-width:\r\n1083px) {\\r\\n width: 16.6666666667%;\\r\\n }\\r\\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\\r\\n font-size: 0.6875rem;\\r\\n line-height: 1rem;\\r\\n\r\nmargin-top: 0;\\r\\n margin-bottom: 0;\\r\\n padding-left: 0;\\r\\n list-style-type: none;\\r\\n li {\\r\\n word-break: break-word;\\r\\n\r\npadding: 0.5rem 0;\\r\\n margin: 0;\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187\r\n{\\r\\n background: #f2f2f2;\\r\\n margin: 0 auto;\\r\\n max-width: calc(100rem + 10%);\\r\\n padding: 1.875rem 5% 1rem;\\r\\n\r\n\u0026:before,\\r\\n \u0026:after {\\r\\n content: ' ';\\r\\n display: table;\\r\\n }\\r\\n \u0026:after {\\r\\n clear: both;\\r\\n }\\r\\n\r\na.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213,\\r\\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215 {\\r\\n display: flex;\\r\\n float: left;\\r\\n font-size: 0.6875rem;\\r\\n line-height: 1rem;\\r\\n padding: 0.25rem\r\n1.5rem 0 0;\\r\\n }\\r\\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213:hover,\\r\\n\r\na.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215:hover 
{}}\r\nicon\"},\"localOverride\":false}}}},\"page\":\"/blogs/BlogMessagePage/BlogMessagePage\",\"query\":\r\n{\"boardId\":\"microsoftsentinelblog\",\"messageSubject\":\"solarwinds-post-compromise-hunting-with-azure-sentinel\",\"messageId\":\"1995095\"},\"buildId\":\"VXuOn2D5MfObWEiRanLQ9\",\"runtimeConfig\":\r\n{\"buildInformationVisible\":false,\"logLevelApp\":\"info\",\"logLevelMetrics\":\"info\",\"surveysEnabled\":true,\"openTelemetry\":\r\n{\"clientEnabled\":false,\"configName\":\"o365\",\"serviceVersion\":\"26.1.0\",\"universe\":\"prod\",\"collector\":\"http://localhost:4318\",\"logLevel\":\"error\",\"routeCha\r\n[\"components_community_Navbar_NavbarWidget\",\"components_community_Breadcrumb_BreadcrumbWidget\",\"components_customComponent_Custo\r\n[{\"id\":\"analytics\",\"src\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1751476272000/analytics.js?\r\npage.id=BlogMessagePage\u0026entity.id=board%3Amicrosoftsentinelblog\u0026entity.id=message%3A1995095\",\"strategy\":\"afterInteractive\"}]}\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 64 of 65\n\nSource: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\r\nPage 65 of 65",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095"
	],
	"report_names": [
		"1995095"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791484,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9e9b9d06eb74e7b7b852ff10ad439527675f2ef.pdf",
		"text": "https://archive.orkl.eu/a9e9b9d06eb74e7b7b852ff10ad439527675f2ef.txt",
		"img": "https://archive.orkl.eu/a9e9b9d06eb74e7b7b852ff10ad439527675f2ef.jpg"
	}
}