%3CLINGO-SUB%20id%3D%22lingo-sub-1875913%22%20slang%3D%22en-US%22%3EHunting%20for%20Barium%20using%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1875913%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3ELeveraging%20Indictors%20of%20Compromise%20(IOC)%20and%20searching%20historical%20data%20for%20attack%20patterns%20is%20one%20of%20the%20primary%20responsibilities%20of%20a%20security%20monitoring%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eteam%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E.%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3ERelevant%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Esecurity%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Edata%20for%20threat%20hunting%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%2F%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Einvestigation%20related%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Ean%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eenterprise%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eis%20produced%20in%20multiple%20locations%20-%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW82731428%20BCX8%22%3Ecloud%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eon-premises%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%2C%20and%20being%20able%20to%20analyze%20all%20the%20data%20from%20a%20single%20point%20makes%20it%20easier%20to%20spot%20trends%20and%20attack.%20Azure%20Sentinel%20has%20made%20it%20super%20easy%20to%20collect%20data%20from%20multiple%20logs%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eacross%20different%20environment%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Es%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eand%20run%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkql-quick-reference%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3EKQL%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkql-quick-reference%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Equeries%3C%2FA%3E%20of%20recently%20released%20threat%20indicators%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eacross%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Ethis%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eentire%20data%20set%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3EFor%20example%2C%20through%20its%20recently%20released%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-microsoft-365-defender%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22FieldRange%20SCXW82731428%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EMicrosoft%20365%20Defender%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22FieldRange%20SCXW82731428%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Econnector%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Esecurity%20teams%20can%20now%20easily%20ingest%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3EMicrosoft%20365%20data%20into%20Azure%20Sentinel%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eallowing%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Ecorrelation%20of%20M365%20raw%20logs%20with%20Sentinel%E2%80%99s%20additional%20data%20sources%20to%20provide%20additional%20insights%20for%20investigations%2C%20hunting%20and%20alerts.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3EIn%20this%20blog%20post%20we%20share%20some%20of%20the%20IOC%E2%80%99s%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Erelated%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eone%20such%20threat%20actor%20that%20Microsoft%20tracks%20as%20Barium%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Eand%20the%20sample%20Azure%20Sentinel%20queries%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Erelated%20to%20it%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ethat%20leverage%20multiple%20logs%20including%20t%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW82731428%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW82731428%20BCX8%22%3Ehose%20coming%20from%20Microsoft%20365%20Defender%20connector%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EAbout%20a%20month%20and%20a%20half%20ago%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ethe%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EUS%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EDepartment%20of%20Justice%2C%20Office%20of%20Public%20Affairs%2C%20released%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW253407441%20BCX8%22%20href%3D%22https%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Edocuments%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Edetailing%20work%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Edone%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eby%20a%20range%20of%20public%20and%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eprivate%20sector%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eorganizations%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eincluding%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EMicrosoft%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eto%20disrupt%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EBarium%E2%80%99s%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ecyberattack%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Einfrastructure%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EBarium%20is%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eintent%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eon%20compromising%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eresearch%20and%20development%20(%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3ER%26amp%3BD%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E)%20heavy%20organizations%20in%20telecom%2C%20high%20tech%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ecomputer%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ehealthcare%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ethe%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eir%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efinancially%20motivated%20operations%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ehave%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efocused%20primarily%20on%20the%20video%20game%20industry.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EThe%20techniques%20that%20the%20group%20have%20used%20in%20the%20past%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Ehave%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Evaried%20from%20using%20malicious%20.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW253407441%20BCX8%22%3Elnk%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efiles%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EWord%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%20PowerPoint%20macros%2C%20to%20the%20use%20of%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eopen-source%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Etools%20like%20Cobalt%20strike%20to%20achieve%20their%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eobjective%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E.%20The%20group%20has%20been%20pretty%20prolific%20in%20the%20use%20of%20%E2%80%9Csupply%20chain%E2%80%9D%20attacks%20to%20compromise%20software%20providers%20and%20then%20modify%20the%20providers%E2%80%99%20code%20to%20facilitate%20further%20intrusions%20against%20its%20customers.%20They%20have%20also%20been%20seen%20using%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EC2%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%E2%80%9Cdead%20drops%2C%E2%80%9D%20which%20are%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3Eseemingly%20legitimate%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eweb%20pages%20that%20have%20encoded%20instructions%20to%20their%20malware%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3E.%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW253407441%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW253407441%20BCX8%22%3EIn%20their%20campaign%20they%20have%20also%20been%20seen%20using%20typo-squatted%20domains%20to%20impersonate%20legitimate%20companies%20and%20products.%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW253407441%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW253407441%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3EMicrosoft%20Threat%20Intelligence%20Center%20(MSTIC)%20along%20with%20partner%20teams%20have%20been%20tracking%20and%20gathering%20information%20on%20Barium%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Emonitoring%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ethe%20group%E2%80%99s%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Eactivities%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eas%20they%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Eoperat%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Ee%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Ea%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Enumber%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Eof%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ewebsites%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Edomains%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%20internet-connected%20computers.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EYou%20can%20read%20more%20about%20this%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3Ethe%20September%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E2020%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20%20BCX8%20SCXW50672901%22%20href%3D%22https%3A%2F%2Fblogs.microsoft.com%2Fon-the-issues%2F2020%2F09%2F29%2Fmicrosoft-digital-defense-report-cyber-threats%2F%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22FieldRange%20%20BCX8%20SCXW50672901%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EMicrosoft%20Digital%20Defense%20report%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW50672901%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW253407441%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3EMSTIC%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ehas%20now%20shared%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Emany%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Eof%20these%20indicators%20(IP%2Fdomains)%20so%20that%20you%20can%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Ehunt%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efor%20them%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Ein%20Azure%20Sentinel%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Eusing%20relevant%20data%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Elike%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3Ethe%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-365-defender-connector-now-in-public%2Fba-p%2F1865651%22%20target%3D%22_self%22%3Enewly%20integrated%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FA%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-365-defender-connector-now-in-public%2Fba-p%2F1865651%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW929069%20BCX8%22%3E%3CSPAN%20class%3D%22FieldRange%20SCXW929069%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3EMicrosoft%20365%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20CommentHighlightClicked%20CommentHighlightPipeClicked%20SCXW929069%20BCX8%22%3EDefender%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW929069%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentHighlightPipeClicked%20SCXW929069%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Edata%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3EDNS%20logs%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EFirewall%20data%20etc%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW253407441%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3EMicrosoft%20365%20E5%20customers%2C%20now%20also%20have%20the%20advantage%20of%20getting%20Azure%20credits%20towards%20Microsoft%20365%20data%20ingestion%20into%20Azure%20Sentinel%20-%20see%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fm365-sentinel-offer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fm365-sentinel-offer%3C%2FA%3E%26nbsp%3B%20for%20details.%20With%20this%20new%20offer%2C%20you%20can%20take%20advantage%20of%20end-to-end%20integrated%20security%20and%20save%20significant%20costs%20when%20ingesting%20Microsoft%20365%20data%20into%20Azure%20Sentinel.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22EOP%20SCXW82731428%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW253407441%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW50672901%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW929069%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW929069%20BCX8%22%3EBelow%20are%20sample%20Azure%20Sentinel%20queries%20that%20you%20can%20run%20to%20check%20for%20Barium%20activity%20in%20your%20environment.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW929069%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FDetections%2FMultipleDataSources%2FBariumIPIOC112020.yaml%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EBarium%20IP%20Indicators%3C%2FA%3E%3C%2FP%3E%0A%3CTABLE%20border%3D%221%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3Eid%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E6%3C%2FSPAN%3E%3CSPAN%3Eee72a9e-2e54-459c-bc9a-9c09a6502a63%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Ename%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BKnown%26nbsp%3BBarium%26nbsp%3BIP%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Edescription%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E'Identifies%26nbsp%3Ba%26nbsp%3Bmatch%26nbsp%3Bacross%26nbsp%3Bvarious%26nbsp%3Bdata%26nbsp%3Bfeeds%26nbsp%3Bfor%26nbsp%3BIP%26nbsp%3BIOCs%26nbsp%3Brelated%26nbsp%3Bto%26nbsp%3Bthe%26nbsp%3BBarium%26nbsp%3Bactivity%26nbsp%3Bgroup.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EReferences%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer%3C%2FA%3E'%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Eseverity%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BHigh%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3ErequiredDataConnectors%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BOffice365%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BOfficeActivity%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNS%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BDnsEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureMonitor(VMInsights)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BVMConnection%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BCiscoASA%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommonSecurityLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BPaloAltoNetworks%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommonSecurityLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSecurityEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BSecurityEvent%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureActiveDirectory%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BSigninLogs%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureMonitor(WireData)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BWireData%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureMonitor(IIS)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BW3CIISLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureActivity%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BAzureActivity%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAWS%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BAWSCloudTrail%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E365%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDefender%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BDeviceNetworkEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EqueryFrequency%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EqueryPeriod%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EtriggerOperator%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bgt%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EtriggerThreshold%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Etactics%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommandAndControl%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Equery%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Elet%26nbsp%3Btimeframe%26nbsp%3B%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3Blet%26nbsp%3BIPList%26nbsp%3B%3D%26nbsp%3Bdynamic(%5B%3C%2FSPAN%3E%3CSPAN%3E%22216.24.185.74%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22107.175.189.159%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22192.210.132.102%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2267.230.163.214%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22199.19.110.240%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22107.148.130.176%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22154.212.129.218%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22172.86.75.54%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2245.61.136.199%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22149.28.150.195%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22108.61.214.194%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22144.202.98.198%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22149.28.84.98%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22103.99.209.78%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2245.61.136.2%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22176.122.162.149%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22192.3.80.245%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22149.28.23.32%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22107.182.18.149%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22107.174.45.134%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22149.248.18.104%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2265.49.192.74%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22156.255.2.154%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2245.76.6.149%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%228.9.11.130%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22140.238.27.255%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22107.182.24.70%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22176.122.188.254%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22192.161.161.108%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2264.64.234.24%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22104.224.185.36%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22104.233.224.227%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22104.36.69.105%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22119.28.139.120%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22161.117.39.130%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2266.42.100.42%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2245.76.31.159%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22149.248.8.134%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22216.24.182.48%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2266.42.103.222%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22218.89.236.11%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22180.150.227.249%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2247.75.80.23%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22124.156.164.19%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22149.248.62.83%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22150.109.76.174%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22222.209.187.207%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22218.38.191.38%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22119.28.226.59%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2266.42.98.220%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2274.82.201.8%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22173.242.122.198%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2245.32.130.72%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2289.35.178.10%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2289.43.60.113%22%3C%2FSPAN%3E%3CSPAN%3E%5D)%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(%3C%2FSPAN%3E%3CSPAN%3Eunion%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisfuzzy%3D%3C%2FSPAN%3E%3CSPAN%3Etrue%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(CommonSecurityLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(SourceIP)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(DestinationIP)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDestinationIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BMessage%26nbsp%3Bhas_any%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPMatch%26nbsp%3B%3D%26nbsp%3Bcase(SourceIP%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIP%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22Message%22%3C%2FSPAN%3E%3CSPAN%3E)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BStartTimeUtc%26nbsp%3B%3D%26nbsp%3Bmin(TimeGenerated)%2C%26nbsp%3BEndTimeUtc%26nbsp%3B%3D%26nbsp%3Bmax(TimeGenerated)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3ESourceIP%2C%26nbsp%3BDestinationIP%2C%26nbsp%3BDeviceProduct%2C%26nbsp%3BDeviceAction%2C%26nbsp%3BMessage%2C%26nbsp%3BProtocol%2C%26nbsp%3BSourcePort%2C%26nbsp%3BDestinationPort%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EDeviceAddress%2C%26nbsp%3BDeviceName%2C%26nbsp%3BIPMatch%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BStartTimeUtc%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3Bcase(IPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BSourceIP%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EIPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIP%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22IP%26nbsp%3Bin%26nbsp%3BMessage%26nbsp%3BField%22%3C%2FSPAN%3E%3CSPAN%3E)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(OfficeActivity%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIPAddress%26nbsp%3B%3D%26nbsp%3BClientIP%2C%26nbsp%3BAccount%26nbsp%3B%3D%26nbsp%3BUserId%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3BSourceIPAddress%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%26nbsp%3B%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BSourceIPAddress%26nbsp%3B%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BAccount%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(DnsEvents%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDestinationIPAddress%26nbsp%3B%3D%26nbsp%3BIPAddresses%2C%26nbsp%3B%26nbsp%3BHost%26nbsp%3B%3D%26nbsp%3BComputer%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3BDestinationIPAddress%26nbsp%3Bhas_any%26nbsp%3B(IPList)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BDestinationIPAddress%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EHostCustomEntity%26nbsp%3B%3D%26nbsp%3BHost%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(VMConnection%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(SourceIp)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(DestinationIp)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIp%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDestinationIp%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPMatch%26nbsp%3B%3D%26nbsp%3Bcase(%26nbsp%3BSourceIp%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIp%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22None%22%3C%2FSPAN%3E%3CSPAN%3E)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%26nbsp%3B%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3Bcase(IPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3BSourceIp%2C%26nbsp%3BIPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIp%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22None%22%3C%2FSPAN%3E%3CSPAN%3E)%2C%26nbsp%3BHost%26nbsp%3B%3D%26nbsp%3BComputer%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(Event%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSource%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Microsoft-Windows-Sysmon%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BEventID%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E3%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BEvData%26nbsp%3B%3D%26nbsp%3Bparse_xml(EventData)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BEventDetail%26nbsp%3B%3D%26nbsp%3BEvData.DataItem.EventData.Data%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIP%26nbsp%3B%3D%26nbsp%3BEventDetail.%5B%3C%2FSPAN%3E%3CSPAN%3E9%3C%2FSPAN%3E%3CSPAN%3E%5D.%5B%3C%2FSPAN%3E%3CSPAN%3E%22%23text%22%3C%2FSPAN%3E%3CSPAN%3E%5D%2C%26nbsp%3BDestinationIP%26nbsp%3B%3D%26nbsp%3BEventDetail.%5B%3C%2FSPAN%3E%3CSPAN%3E14%3C%2FSPAN%3E%3CSPAN%3E%5D.%5B%3C%2FSPAN%3E%3CSPAN%3E%22%23text%22%3C%2FSPAN%3E%3CSPAN%3E%5D%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDestinationIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPMatch%26nbsp%3B%3D%26nbsp%3Bcase(%26nbsp%3BSourceIP%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIP%26nbsp%3Bin%26nbsp%3B(IPList)%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22None%22%3C%2FSPAN%3E%3CSPAN%3E)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BUserName%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BComputer%26nbsp%3B%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EIPCustomEntity%26nbsp%3B%3D%26nbsp%3Bcase(IPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SourceIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BSourceIP%2C%26nbsp%3BIPMatch%26nbsp%3B%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22DestinationIP%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3BDestinationIP%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22None%22%3C%2FSPAN%3E%3CSPAN%3E)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(WireData%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(RemoteIP)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BRemoteIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BRemoteIP%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BComputer%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(SigninLogs%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(IPAddress)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPAddress%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BUserPrincipalName%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EIPCustomEntity%26nbsp%3B%3D%26nbsp%3BIPAddress%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(W3CIISLog%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(cIP)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BcIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BcIP%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BComputer%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BcsUserName%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(AzureActivity%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(CallerIpAddress)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BCallerIpAddress%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BCallerIpAddress%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BCaller%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3BAWSCloudTrail%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(SourceIpAddress)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BSourceIpAddress%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3ESourceIpAddress%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BUserIdentityUserName%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3BDeviceNetworkEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(RemoteIP)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BRemoteIP%26nbsp%3Bin%26nbsp%3B(IPList)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BIPCustomEntity%26nbsp%3B%3D%26nbsp%3BRemoteIP%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BDeviceName%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FDetections%2FMultipleDataSources%2FBariumDomainIOC112020.yaml%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EBarium%20Domain%20Indicators%3C%2FA%3E%3C%2FP%3E%0A%3CTABLE%20border%3D%221%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%3CDIV%3E%0A%3CDIV%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3Eid%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E70%3C%2FSPAN%3E%3CSPAN%3Eb12a3b-4899-42cb-910c-5ffaf9d7997d%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Ename%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BKnown%26nbsp%3BBarium%26nbsp%3Bdomains%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Edescription%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E'Identifies%26nbsp%3Ba%26nbsp%3Bmatch%26nbsp%3Bacross%26nbsp%3Bvarious%26nbsp%3Bdata%26nbsp%3Bfeeds%26nbsp%3Bfor%26nbsp%3Bdomains%26nbsp%3BIOCs%26nbsp%3Brelated%26nbsp%3Bto%26nbsp%3Bthe%26nbsp%3BBarium%26nbsp%3Bactivity%26nbsp%3Bgroup.'%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BReferences%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bhttps%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%2F%2F%3CA%20href%3D%22http%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer'%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer'%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Eseverity%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BHigh%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3ErequiredDataConnectors%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNS%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BDnsEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAzureMonitor(VMInsights)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BVMConnection%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BCiscoASA%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommonSecurityLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BPaloAltoNetworks%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommonSecurityLog%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BconnectorId%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E365%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDefender%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BdataTypes%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B-%26nbsp%3BDeviceNetworkEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EqueryFrequency%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EqueryPeriod%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EtriggerOperator%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bgt%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EtriggerThreshold%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Etactics%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%26nbsp%3BCommandAndControl%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Equery%3A%26nbsp%3B%20%7C%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Elet%26nbsp%3Btimeframe%26nbsp%3B%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Elet%26nbsp%3BDomainNames%26nbsp%3B%3D%26nbsp%3Bdynamic(%5B%3C%2FSPAN%3E%3CSPAN%3E%220.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%221.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2210.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22102.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22104.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2211.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22110.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22115.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22116.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22117.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22118.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2212.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22120.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22122.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22123.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22128.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2213.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22134.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22135.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22138.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2214.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22144.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2215.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22153.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22157.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2216.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2217.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2218.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2219.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%221a9604fa.ns1.feedsdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%221c7606b6.ns1.steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%222.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2220.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22201.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22202.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22204.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22207.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2221.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22210.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22211.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22216.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2222.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22220.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22223.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2223.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2224.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2225.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2226.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2227.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2228.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2229.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%223.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2230.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2231.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2232.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2233.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2234.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2235.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2236.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2237.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2239.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%223d6fe4b2.ns1.steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%224.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2240.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2242.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2243.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2244.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2245.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2246.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2248.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%225.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2250.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2250417.service.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2251.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2252.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2253.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2254.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2255.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2256.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2257.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2258.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%226.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2260.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2262.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2263.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2264.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2265.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2267.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%227.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2270.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2271.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2273.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2277.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2277075.service.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%227c1947fa.ns1.steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%228.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2281.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2286.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%2287.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%229.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2294343.service.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%229939.service.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22aa.ns.mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22aaa.feeds.api.ns1.feedsdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22aaa.googlepublic.feeds.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22aaa.resolution.174547._get.cache.up.sourcedns.tk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22acc.microsoftonetravel.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22accounts.longmusic.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22admin.dnstemplog.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22agent.updatenai.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22alibaba.zzux.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22api.feedsdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22app.portomnail.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22asia.updatenai.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22battllestategames.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22bguha.serveuser.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22binann-ce.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22bing.dsmtp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22blog.cdsend.xyz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22brives.minivineyapp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22bsbana.dynamic-dns.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22californiaforce.000webhostapp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22californiafroce.000webhostapp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22cdn.freetcp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22cdsend.xyz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22cipla.zzux.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22cloudfeeddns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22comcleanner.info%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22cs.microsoftsonline.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dns05.cf%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dns22.ml%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dns224.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22dnsdist.org%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dnstemplog.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22doc.mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22dropdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22eshop.cdn.freetcp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22exchange.dumb1.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22exchange.misecure.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22exchange.mrbasic.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22facebookdocs.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22facebookint.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22facebookvi.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22feed.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22feedsdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22firejun.freeddns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ftp.dns-info.dyndns.pro%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22goallbandungtravel.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22goodhk.azurewebsites.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22googlepublic.feed.ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22gp.spotifylite.cloud%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22gskytop.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22gxxservice.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22helpdesk.cdn.freetcp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22id.serveuser.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22infestexe.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22item.itemdb.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22m.mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mail.transferdkim.xyz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mcafee.updatenai.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mecgjm.mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microdocs.ga%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsock.website%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsocks.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoft.sendsmtp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22microsoftbook.dns05.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftcontactcenter.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftdocs.dns05.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftdocs.ml%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22microsoftonetravel.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftonlines.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsofts.dns1.us%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftsonline.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22minivineyapp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mircosoftdocs.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mlcrosoft.ninth.biz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22mm.portomnail.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22msdnupdate.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22msecdn.cloud%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mtnl1.dynamic-dns.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns.steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.cdn.freetcp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.comcleanner.info%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.dns-info.gq%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns1.dns05.cf%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.dnstemplog.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.dropdns.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.microsoftonetravel.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns1.microsoftonlines.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.microsoftsonline.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns1.teams.wikaba.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.windowsdefende.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns2.comcleanner.info%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns2.dnstemplog.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns2.microsoftonetravel.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns2.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns2.microsoftsonline.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns2.mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns2.windowsdefende.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns3.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns3.mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22nutrition.mrbasic.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22nutrition.youdontcare.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22online.mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22online.msdnupdate.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22outlookservce.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22owa.jetos.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22owa.otzo.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22pornotime.co%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22portomnail.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22pricingdmdk.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22prod.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22product.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ptcl.yourtrap.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22query.api.sourcedns.tk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22rb.itemdb.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22redditcdn.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22rss.otzo.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22secure.msdnupdate.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22service.dns22.ml%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22service.gstatic.dnset.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22service04.dns04.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22settings.teams.wikaba.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22sip.outlookservce.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22sixindent.epizy.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22soft.msdnupdate.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22sourcedns.ml%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22sourcedns.tk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22sport.msdnupdate.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22spotifylite.cloud%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22static.misecure.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22store.otzo.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22survey.outlookservce.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22team.itemdb.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22temp221.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22test.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22thisisaaa.000webhostapp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22token.dns04.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22token.dns05.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22transferdkim.xyz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22travelsanignacio.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22update08.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22updated08.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22updatenai.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22wantforspeed.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22web.mircosoftdoc.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22webmail.pornotime.co%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22webwhois.team.itemdb.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22windowsdefende.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22wnswindows.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ashcrack.freetcp.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22battllestategames.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22binannce.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22cdsend.xyz%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22comcleanner.info%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsock.website%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22microsocks.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22microsoftsonline.net%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22mlcrosoft.site%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22notify.serveuser.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ns1.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22ns2.microsoftprod.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22pricingdmdk.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22steamappstore.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22update08.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22wnswindows.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%22youtube.dns05.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22z1.zalofilescdn.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22z2.zalofilescdn.com%22%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22zalofilescdn.com%22%3C%2FSPAN%3E%3CSPAN%3E%5D)%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(%3C%2FSPAN%3E%3CSPAN%3Eunion%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisfuzzy%3D%3C%2FSPAN%3E%3CSPAN%3Etrue%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(CommonSecurityLog%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eparse%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BMessage%26nbsp%3Bwith%26nbsp%3B*%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E'('%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E')'%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B*%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3Bin~%26nbsp%3B(DomainNames)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BAccount%26nbsp%3B%3D%26nbsp%3BSourceUserID%2C%26nbsp%3BComputer%26nbsp%3B%3D%26nbsp%3BDeviceName%2C%26nbsp%3BIPAddress%26nbsp%3B%3D%26nbsp%3B%26nbsp%3BDestinationIP%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(DnsEvents%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3B%3D%26nbsp%3BName%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(DNSName)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3B%26nbsp%3Bin~%26nbsp%3B(DomainNames)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPAddress%26nbsp%3B%3D%26nbsp%3B%20ClientIP%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(VMConnection%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BTimeGenerated%26nbsp%3B%26gt%3B%3D%26nbsp%3Bago(timeframe)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eparse%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BRemoteDnsCanonicalNames%26nbsp%3Bwith%26nbsp%3B*%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E'%5B%22'%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E'%22%5D'%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B*%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(DNSName)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BDNSName%26nbsp%3B%26nbsp%3Bin~%26nbsp%3B(DomainNames)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPAddress%26nbsp%3B%3D%26nbsp%3BRemoteIp%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B(%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BDeviceNetworkEvents%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bisnotempty(RemoteUrl)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BRemoteUrl%26nbsp%3B%26nbsp%3Bin~%26nbsp%3B(DomainNames)%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BIPAddress%26nbsp%3B%3D%26nbsp%3BRemoteIP%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BComputer%26nbsp%3B%3D%26nbsp%3BDeviceName%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B)%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%7C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Btimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3BAccount%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BComputer%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EIPCustomEntity%26nbsp%3B%3D%26nbsp%3BIPAddress%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReferences%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A257%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fwww.justice.gov%2Fopa%2Fpr%2Fseven-international-cyber-defendants-including-apt41-actors-charged-connection-computer%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.microsoft.com%2Fon-the-issues%2F2020%2F09%2F29%2Fmicrosoft-digital-defense-report-cyber-threats%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fblogs.microsoft.com%2Fon-the-issues%2F2020%2F09%2F29%2Fmicrosoft-digital-defense-report-cyber-threats%2F%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-microsoft-365-defender%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-microsoft-365-defender%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fm365-sentinel-offer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fm365-sentinel-offer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-365-defender-connector-now-in-public%2Fba-p%2F1865651%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-microsoft-365-defender-connector-now-in-public%2Fba-p%2F1865651%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1875913%22%20slang%3D%22en-US%22%3E%3CP%3EHunt%20for%20the%20Barium%20actor%20in%20your%20environment%20using%20the%20IOC's%20shared%20by%20the%20MSTIC%20team.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1875913%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHunting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

 

Leveraging Indictors of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team. Relevant security data for threat hunting/investigation related to an enterprise is produced in multiple locations - cloud, on-premises, and being able to analyze all the data from a single point makes it easier to spot trends and attack. Azure Sentinel has made it super easy to collect data from multiple logs across different environments and run KQL queries of recently released threat indicators across this entire data set. For example, through its recently released Microsoft 365 Defender connector security teams can now easily ingest Microsoft 365 data into Azure Sentinel allowing correlation of M365 raw logs with Sentinel’s additional data sources to provide additional insights for investigations, hunting and alerts. In this blog post we share some of the IOC’s related to one such threat actor that Microsoft tracks as Barium and the sample Azure Sentinel queries related to it that leverage multiple logs including those coming from Microsoft 365 Defender connector .

 

About a month and a half ago, the US Department of Justice, Office of Public Affairs, released documents detailing work done by a range of public and private sector organizations, including Microsoft, to disrupt Barium’s cyberattack infrastructure. Barium is intent on compromising research and development (R&D) heavy organizations in telecom, high tech, computer, and healthcare; their financially motivated operations have focused primarily on the video game industry. The techniques that the group have used in the past have varied from using malicious .lnk files, Word and PowerPoint macros, to the use of open-source tools like Cobalt strike to achieve their objective. The group has been pretty prolific in the use of “supply chain” attacks to compromise software providers and then modify the providers’ code to facilitate further intrusions against its customers. They have also been seen using C2 “dead drops,” which are seemingly legitimate web pages that have encoded instructions to their malware.  In their campaign they have also been seen using typo-squatted domains to impersonate legitimate companies and products.  

 

Microsoft Threat Intelligence Center (MSTIC) along with partner teams have been tracking and gathering information on Barium, monitoring the group’s activities as they operate a number of websites, domains and internet-connected computers. You can read more about this in the September 2020 Microsoft Digital Defense report.

 

MSTIC has now shared many of these indicators (IP/domains) so that you can hunt for them in Azure Sentinel using relevant data like the newly integrated Microsoft 365 Defender data, DNS logs, Firewall data etcMicrosoft 365 E5 customers, now also have the advantage of getting Azure credits towards Microsoft 365 data ingestion into Azure Sentinel - see https://aka.ms/m365-sentinel-offer  for details. With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Azure Sentinel. 

 

Below are sample Azure Sentinel queries that you can run to check for Barium activity in your environment. 

 

Barium IP Indicators

id: 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 
name: Known Barium IP 
description: | 
  'Identifies a match across various data feeds for IP IOCs related to the Barium activity group.  
severity: High 
requiredDataConnectors: 
  - connectorId: Office365 
    dataTypes: 
     - OfficeActivity 
  - connectorId: DNS 
    dataTypes: 
      - DnsEvents 
  - connectorId: AzureMonitor(VMInsights) 
    dataTypes: 
      - VMConnection 
  - connectorId: CiscoASA 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: PaloAltoNetworks 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: SecurityEvents 
    dataTypes: 
      - SecurityEvent 
  - connectorId: AzureActiveDirectory 
    dataTypes: 
      - SigninLogs 
  - connectorId: AzureMonitor(WireData) 
    dataTypes: 
      - WireData 
  - connectorId: AzureMonitor(IIS) 
    dataTypes: 
      - W3CIISLog 
  - connectorId: AzureActivity 
    dataTypes: 
      - AzureActivity 
  - connectorId: AWS 
    dataTypes: 
      - AWSCloudTrail 
  - connectorId: Microsoft 365 Defender 
    dataTypes: 
      - DeviceNetworkEvents 
queryFrequency: 1
queryPeriod: 1
triggerOperator: gt 
triggerThreshold: 0 
tactics: 
  - CommandAndControl 
query:  |  
let timeframe = 1d; 
  let IPList = dynamic(["216.24.185.74""107.175.189.159""192.210.132.102""67.230.163.214"
"199.19.110.240""107.148.130.176""154.212.129.218""172.86.75.54""45.61.136.199"
"149.28.150.195""108.61.214.194""144.202.98.198""149.28.84.98""103.99.209.78"
"45.61.136.2""176.122.162.149""192.3.80.245""149.28.23.32""107.182.18.149""107.174.45.134"
"149.248.18.104""65.49.192.74""156.255.2.154""45.76.6.149""8.9.11.130""140.238.27.255"
"107.182.24.70""176.122.188.254""192.161.161.108""64.64.234.24""104.224.185.36"
"104.233.224.227""104.36.69.105""119.28.139.120""161.117.39.130""66.42.100.42""45.76.31.159"
"149.248.8.134""216.24.182.48""66.42.103.222""218.89.236.11""180.150.227.249""47.75.80.23",
 "124.156.164.19""149.248.62.83""150.109.76.174""222.209.187.207""218.38.191.38"
"119.28.226.59""66.42.98.220""74.82.201.8""173.242.122.198""45.32.130.72""89.35.178.10"
"89.43.60.113"]); 
  (union isfuzzy=true 
  (CommonSecurityLog 
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP"
"Message")  
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by 
SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, 
DeviceAddress, DeviceName, IPMatch 
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, 
IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")  
  ), 
  (OfficeActivity 
  | where TimeGenerated >= ago(timeframe)  
  |extend SourceIPAddress = ClientIP, Account = UserId 
  | where  SourceIPAddress in (IPList) 
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , 
AccountCustomEntity = Account 
  ), 
  (DnsEvents  
  | where TimeGenerated >= ago(timeframe)  
  | extend DestinationIPAddress = IPAddresses,  Host = Computer 
  | where  DestinationIPAddress has_any (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, 
HostCustomEntity = Host 
  ), 
  (VMConnection  
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(SourceIp) or isnotempty(DestinationIp)  
  | where SourceIp in (IPList) or DestinationIp in (IPList)  
  | extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), 
"DestinationIP""None")  
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP",
 SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer 
  ), 
  (Event 
  | where TimeGenerated >= ago(timeframe) 
  | where Source == "Microsoft-Windows-Sysmon" 
  | where EventID == 3 
  | extend EvData = parse_xml(EventData) 
  | extend EventDetail = EvData.DataItem.EventData.Data 
  | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"
  | where SourceIP in (IPList) or DestinationIP in (IPList)  
  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP""None")  
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , 
IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"
  ),  
  (WireData  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(RemoteIP) 
  | where RemoteIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
  ), 
  (SigninLogs 
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, 
IPCustomEntity = IPAddress 
  ), 
  (W3CIISLog  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(cIP) 
  | where cIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName 
  ), 
  (AzureActivity  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(CallerIpAddress) 
  | where CallerIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
  ), 
  ( 
  AWSCloudTrail 
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(SourceIpAddress) 
  | where SourceIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = 
SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
  ), 
  ( 
  DeviceNetworkEvents 
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(RemoteIP)  
  | where RemoteIP in (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
  ) 
  ) 

 

Barium Domain Indicators

id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d 
name: Known Barium domains  
description: | 
  'Identifies a match across various data feeds for domains IOCs related to the Barium activity group.' 
severity: High 
requiredDataConnectors: 
  - connectorId: DNS 
    dataTypes: 
      - DnsEvents 
  - connectorId: AzureMonitor(VMInsights)  
    dataTypes: 
      - VMConnection 
  - connectorId: CiscoASA 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: PaloAltoNetworks 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: Microsoft 365 Defender 
    dataTypes: 
      - DeviceNetworkEvents 
queryFrequency: 1
queryPeriod: 1
triggerOperator: gt 
triggerThreshold: 0 
tactics: 
  - CommandAndControl 
query:  |  
 
let timeframe = 1d; 
let DomainNames = dynamic(["0.ns1.dns-info.gq""1.ns1.dns-info.gq""10.ns1.dns-info.gq""102.ns1.dns-info.gq"
"104.ns1.dns-info.gq""11.ns1.dns-info.gq""110.ns1.dns-info.gq""115.ns1.dns-info.gq""116.ns1.dns-info.gq"
"117.ns1.dns-info.gq""118.ns1.dns-info.gq""12.ns1.dns-info.gq""120.ns1.dns-info.gq""122.ns1.dns-info.gq"
"123.ns1.dns-info.gq""128.ns1.dns-info.gq""13.ns1.dns-info.gq""134.ns1.dns-info.gq""135.ns1.dns-info.gq"
"138.ns1.dns-info.gq""14.ns1.dns-info.gq""144.ns1.dns-info.gq""15.ns1.dns-info.gq""153.ns1.dns-info.gq"
"157.ns1.dns-info.gq""16.ns1.dns-info.gq""17.ns1.dns-info.gq""18.ns1.dns-info.gq""19.ns1.dns-info.gq"
"1a9604fa.ns1.feedsdns.com""1c7606b6.ns1.steamappstore.com""2.ns1.dns-info.gq""20.ns1.dns-info.gq"
"201.ns1.dns-info.gq""202.ns1.dns-info.gq""204.ns1.dns-info.gq""207.ns1.dns-info.gq""21.ns1.dns-info.gq"
"210.ns1.dns-info.gq""211.ns1.dns-info.gq""216.ns1.dns-info.gq""22.ns1.dns-info.gq""220.ns1.dns-info.gq"
"223.ns1.dns-info.gq""23.ns1.dns-info.gq""24.ns1.dns-info.gq""25.ns1.dns-info.gq""26.ns1.dns-info.gq"
"27.ns1.dns-info.gq""28.ns1.dns-info.gq""29.ns1.dns-info.gq""3.ns1.dns-info.gq""30.ns1.dns-info.gq"
"31.ns1.dns-info.gq""32.ns1.dns-info.gq""33.ns1.dns-info.gq""34.ns1.dns-info.gq""35.ns1.dns-info.gq"
"36.ns1.dns-info.gq""37.ns1.dns-info.gq""39.ns1.dns-info.gq""3d6fe4b2.ns1.steamappstore.com"
"4.ns1.dns-info.gq""40.ns1.dns-info.gq""42.ns1.dns-info.gq""43.ns1.dns-info.gq""44.ns1.dns-info.gq"
"45.ns1.dns-info.gq""46.ns1.dns-info.gq""48.ns1.dns-info.gq""5.ns1.dns-info.gq""50.ns1.dns-info.gq"
"50417.service.gstatic.dnset.com""51.ns1.dns-info.gq""52.ns1.dns-info.gq""53.ns1.dns-info.gq",
 "54.ns1.dns-info.gq""55.ns1.dns-info.gq""56.ns1.dns-info.gq""57.ns1.dns-info.gq""58.ns1.dns-info.gq"
"6.ns1.dns-info.gq""60.ns1.dns-info.gq""62.ns1.dns-info.gq""63.ns1.dns-info.gq""64.ns1.dns-info.gq"
"65.ns1.dns-info.gq""67.ns1.dns-info.gq""7.ns1.dns-info.gq""70.ns1.dns-info.gq""71.ns1.dns-info.gq",
 "73.ns1.dns-info.gq""77.ns1.dns-info.gq""77075.service.gstatic.dnset.com""7c1947fa.ns1.steamappstore.com",
 "8.ns1.dns-info.gq""81.ns1.dns-info.gq""86.ns1.dns-info.gq""87.ns1.dns-info.gq""9.ns1.dns-info.gq"
"94343.service.gstatic.dnset.com""9939.service.gstatic.dnset.com""aa.ns.mircosoftdoc.com"
"aaa.feeds.api.ns1.feedsdns.com""aaa.googlepublic.feeds.ns1.dns-info.gq"
"aaa.resolution.174547._get.cache.up.sourcedns.tk""acc.microsoftonetravel.com"
"accounts.longmusic.com""admin.dnstemplog.com""agent.updatenai.com"
"alibaba.zzux.com""api.feedsdns.com""app.portomnail.com""asia.updatenai.com"
"battllestategames.com""bguha.serveuser.com""binann-ce.com""bing.dsmtp.com"
"blog.cdsend.xyz""brives.minivineyapp.com""bsbana.dynamic-dns.net"
"californiaforce.000webhostapp.com""californiafroce.000webhostapp.com"
"cdn.freetcp.com""cdsend.xyz""cipla.zzux.com""cloudfeeddns.com""comcleanner.info",
 "cs.microsoftsonline.net""dns-info.gq""dns05.cf""dns22.ml""dns224.com"
"dnsdist.org""dnstemplog.com""doc.mircosoftdoc.com""dropdns.com"
"eshop.cdn.freetcp.com""exchange.dumb1.com""exchange.misecure.com""exchange.mrbasic.com",
 "facebookdocs.com""facebookint.com""facebookvi.com""feed.ns1.dns-info.gq""feedsdns.com"
"firejun.freeddns.com""ftp.dns-info.dyndns.pro""goallbandungtravel.com""goodhk.azurewebsites.net"
"googlepublic.feed.ns1.dns-info.gq""gp.spotifylite.cloud""gskytop.com""gstatic.dnset.com"
"gxxservice.com""helpdesk.cdn.freetcp.com""id.serveuser.com""infestexe.com""item.itemdb.com",
 "m.mircosoftdoc.com""mail.transferdkim.xyz""mcafee.updatenai.com""mecgjm.mircosoftdoc.com",
 "microdocs.ga""microsock.website""microsocks.net""microsoft.sendsmtp.com"
"microsoftbook.dns05.com""microsoftcontactcenter.com""microsoftdocs.dns05.com""microsoftdocs.ml"
"microsoftonetravel.com""microsoftonlines.net""microsoftprod.com""microsofts.dns1.us""microsoftsonline.net",
 "minivineyapp.com""mircosoftdoc.com""mircosoftdocs.com""mlcrosoft.ninth.biz""mlcrosoft.site"
"mm.portomnail.com""msdnupdate.com""msecdn.cloud""mtnl1.dynamic-dns.net""ns.gstatic.dnset.com"
"ns.microsoftprod.com""ns.steamappstore.com""ns1.cdn.freetcp.com""ns1.comcleanner.info""ns1.dns-info.gq"
"ns1.dns05.cf""ns1.dnstemplog.com""ns1.dropdns.com""ns1.microsoftonetravel.com"
"ns1.microsoftonlines.net""ns1.microsoftprod.com""ns1.microsoftsonline.net""ns1.mlcrosoft.site"
"ns1.teams.wikaba.com""ns1.windowsdefende.com""ns2.comcleanner.info""ns2.dnstemplog.com"
"ns2.microsoftonetravel.com""ns2.microsoftprod.com""ns2.microsoftsonline.net""ns2.mlcrosoft.site"
"ns2.windowsdefende.com""ns3.microsoftprod.com""ns3.mlcrosoft.site""nutrition.mrbasic.com"
"nutrition.youdontcare.com""online.mlcrosoft.site""online.msdnupdate.com""outlookservce.site"
"owa.jetos.com""owa.otzo.com""pornotime.co""portomnail.com"
"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com""pricingdmdk.com""prod.microsoftprod.com"
"product.microsoftprod.com""ptcl.yourtrap.com""query.api.sourcedns.tk""rb.itemdb.com""redditcdn.com"
"rss.otzo.com""secure.msdnupdate.com""service.dns22.ml""service.gstatic.dnset.com""service04.dns04.com"
"settings.teams.wikaba.com""sip.outlookservce.site""sixindent.epizy.com""soft.msdnupdate.com""sourcedns.ml"
"sourcedns.tk""sport.msdnupdate.com""spotifylite.cloud""static.misecure.com""steamappstore.com"
"store.otzo.com""survey.outlookservce.site""team.itemdb.com""temp221.com""test.microsoftprod.com"
"thisisaaa.000webhostapp.com""token.dns04.com""token.dns05.com""transferdkim.xyz"
"travelsanignacio.com""update08.com""updated08.com""updatenai.com""wantforspeed.com",
 "web.mircosoftdoc.com""webmail.pornotime.co""webwhois.team.itemdb.com""windowsdefende.com""wnswindows.com",
 "ashcrack.freetcp.com""battllestategames.com""binannce.com""cdsend.xyz""comcleanner.info""microsock.website"
"microsocks.net""microsoftsonline.net""mlcrosoft.site""notify.serveuser.com""ns1.microsoftprod.com"
"ns2.microsoftprod.com""pricingdmdk.com""steamappstore.com""update08.com""wnswindows.com"
"youtube.dns05.com""z1.zalofilescdn.com""z2.zalofilescdn.com""zalofilescdn.com"]); 
  (union isfuzzy=true 
  (CommonSecurityLog  
  | where TimeGenerated >= ago(timeframe)  
  | parse Message with * '(' DNSName ')' *  
  | where DNSName in~ (DomainNames) 
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
  ), 
  (DnsEvents  
  | where TimeGenerated >= ago(timeframe)  
  | extend DNSName = Name 
  | where isnotempty(DNSName) 
  | where DNSName  in~ (DomainNames) 
  | extend IPAddress =  ClientIP
  ), 
  (VMConnection  
  | where TimeGenerated >= ago(timeframe)  
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
  | where isnotempty(DNSName) 
  | where DNSName  in~ (DomainNames) 
  | extend IPAddress = RemoteIp 
  ), 
  ( 
   DeviceNetworkEvents 
  | where isnotempty(RemoteUrl) 
  | where RemoteUrl  in~ (DomainNames)  
  | extend IPAddress = RemoteIP 
  | extend Computer = DeviceName 
  ) 
  ) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 

 

References: 

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-c... 

https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/ 

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender 

https://aka.ms/m365-sentinel-offer 

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-microsoft-365-defender-connector-no...