Blog Post

Microsoft Sentinel Blog
13 MIN READ

Hunting for Barium using Azure Sentinel

aprakash13's avatar
aprakash13
Icon for Microsoft rankMicrosoft
Nov 11, 2020

 

Leveraging Indictors of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team. Relevant security data for threat hunting/investigation related to an enterprise is produced in multiple locations - cloud, on-premises, and being able to analyze all the data from a single point makes it easier to spot trends and attack. Azure Sentinel has made it super easy to collect data from multiple logs across different environments and run KQL queries of recently released threat indicators across this entire data set. For example, through its recently released Microsoft 365 Defender connector security teams can now easily ingest Microsoft 365 data into Azure Sentinel allowing correlation of M365 raw logs with Sentinel’s additional data sources to provide additional insights for investigations, hunting and alerts. In this blog post we share some of the IOC’s related to one such threat actor that Microsoft tracks as Barium and the sample Azure Sentinel queries related to it that leverage multiple logs including those coming from Microsoft 365 Defender connector .

 

About a month and a half ago, the US Department of Justice, Office of Public Affairs, released documents detailing work done by a range of public and private sector organizations, including Microsoft, to disrupt Barium’s cyberattack infrastructure. Barium is intent on compromising research and development (R&D) heavy organizations in telecom, high tech, computer, and healthcare; their financially motivated operations have focused primarily on the video game industry. The techniques that the group have used in the past have varied from using malicious .lnk files, Word and PowerPoint macros, to the use of open-source tools like Cobalt strike to achieve their objective. The group has been pretty prolific in the use of “supply chain” attacks to compromise software providers and then modify the providers’ code to facilitate further intrusions against its customers. They have also been seen using C2 “dead drops,” which are seemingly legitimate web pages that have encoded instructions to their malware.  In their campaign they have also been seen using typo-squatted domains to impersonate legitimate companies and products.  

 

Microsoft Threat Intelligence Center (MSTIC) along with partner teams have been tracking and gathering information on Barium, monitoring the group’s activities as they operate a number of websites, domains and internet-connected computers. You can read more about this in the September 2020 Microsoft Digital Defense report.

 

MSTIC has now shared many of these indicators (IP/domains) so that you can hunt for them in Azure Sentinel using relevant data like the newly integrated Microsoft 365 Defender data, DNS logs, Firewall data etcMicrosoft 365 E5 customers, now also have the advantage of getting Azure credits towards Microsoft 365 data ingestion into Azure Sentinel - see https://aka.ms/m365-sentinel-offer  for details. With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Azure Sentinel. 

 

Below are sample Azure Sentinel queries that you can run to check for Barium activity in your environment. 

 

Barium IP Indicators

id: 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 
name: Known Barium IP 
description: | 
  'Identifies a match across various data feeds for IP IOCs related to the Barium activity group.  
severity: High 
requiredDataConnectors: 
  - connectorId: Office365 
    dataTypes: 
     - OfficeActivity 
  - connectorId: DNS 
    dataTypes: 
      - DnsEvents 
  - connectorId: AzureMonitor(VMInsights) 
    dataTypes: 
      - VMConnection 
  - connectorId: CiscoASA 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: PaloAltoNetworks 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: SecurityEvents 
    dataTypes: 
      - SecurityEvent 
  - connectorId: AzureActiveDirectory 
    dataTypes: 
      - SigninLogs 
  - connectorId: AzureMonitor(WireData) 
    dataTypes: 
      - WireData 
  - connectorId: AzureMonitor(IIS) 
    dataTypes: 
      - W3CIISLog 
  - connectorId: AzureActivity 
    dataTypes: 
      - AzureActivity 
  - connectorId: AWS 
    dataTypes: 
      - AWSCloudTrail 
  - connectorId: Microsoft 365 Defender 
    dataTypes: 
      - DeviceNetworkEvents 
queryFrequency: 1
queryPeriod: 1
triggerOperator: gt 
triggerThreshold: 0 
tactics: 
  - CommandAndControl 
query:  |  
let timeframe = 1d; 
  let IPList = dynamic(["216.24.185.74""107.175.189.159""192.210.132.102""67.230.163.214"
"199.19.110.240""107.148.130.176""154.212.129.218""172.86.75.54""45.61.136.199"
"149.28.150.195""108.61.214.194""144.202.98.198""149.28.84.98""103.99.209.78"
"45.61.136.2""176.122.162.149""192.3.80.245""149.28.23.32""107.182.18.149""107.174.45.134"
"149.248.18.104""65.49.192.74""156.255.2.154""45.76.6.149""8.9.11.130""140.238.27.255"
"107.182.24.70""176.122.188.254""192.161.161.108""64.64.234.24""104.224.185.36"
"104.233.224.227""104.36.69.105""119.28.139.120""161.117.39.130""66.42.100.42""45.76.31.159"
"149.248.8.134""216.24.182.48""66.42.103.222""218.89.236.11""180.150.227.249""47.75.80.23",
 "124.156.164.19""149.248.62.83""150.109.76.174""222.209.187.207""218.38.191.38"
"119.28.226.59""66.42.98.220""74.82.201.8""173.242.122.198""45.32.130.72""89.35.178.10"
"89.43.60.113"]); 
  (union isfuzzy=true 
  (CommonSecurityLog 
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP"
"Message")  
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by 
SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, 
DeviceAddress, DeviceName, IPMatch 
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, 
IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")  
  ), 
  (OfficeActivity 
  | where TimeGenerated >= ago(timeframe)  
  |extend SourceIPAddress = ClientIP, Account = UserId 
  | where  SourceIPAddress in (IPList) 
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , 
AccountCustomEntity = Account 
  ), 
  (DnsEvents  
  | where TimeGenerated >= ago(timeframe)  
  | extend DestinationIPAddress = IPAddresses,  Host = Computer 
  | where  DestinationIPAddress has_any (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, 
HostCustomEntity = Host 
  ), 
  (VMConnection  
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(SourceIp) or isnotempty(DestinationIp)  
  | where SourceIp in (IPList) or DestinationIp in (IPList)  
  | extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), 
"DestinationIP""None")  
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP",
 SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer 
  ), 
  (Event 
  | where TimeGenerated >= ago(timeframe) 
  | where Source == "Microsoft-Windows-Sysmon" 
  | where EventID == 3 
  | extend EvData = parse_xml(EventData) 
  | extend EventDetail = EvData.DataItem.EventData.Data 
  | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"
  | where SourceIP in (IPList) or DestinationIP in (IPList)  
  | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP""None")  
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , 
IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"
  ),  
  (WireData  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(RemoteIP) 
  | where RemoteIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
  ), 
  (SigninLogs 
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, 
IPCustomEntity = IPAddress 
  ), 
  (W3CIISLog  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(cIP) 
  | where cIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName 
  ), 
  (AzureActivity  
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(CallerIpAddress) 
  | where CallerIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
  ), 
  ( 
  AWSCloudTrail 
  | where TimeGenerated >= ago(timeframe) 
  | where isnotempty(SourceIpAddress) 
  | where SourceIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = 
SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
  ), 
  ( 
  DeviceNetworkEvents 
  | where TimeGenerated >= ago(timeframe)  
  | where isnotempty(RemoteIP)  
  | where RemoteIP in (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
  ) 
  ) 

 

Barium Domain Indicators

id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d 
name: Known Barium domains  
description: | 
  'Identifies a match across various data feeds for domains IOCs related to the Barium activity group.' 
severity: High 
requiredDataConnectors: 
  - connectorId: DNS 
    dataTypes: 
      - DnsEvents 
  - connectorId: AzureMonitor(VMInsights)  
    dataTypes: 
      - VMConnection 
  - connectorId: CiscoASA 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: PaloAltoNetworks 
    dataTypes: 
      - CommonSecurityLog 
  - connectorId: Microsoft 365 Defender 
    dataTypes: 
      - DeviceNetworkEvents 
queryFrequency: 1
queryPeriod: 1
triggerOperator: gt 
triggerThreshold: 0 
tactics: 
  - CommandAndControl 
query:  |  
 
let timeframe = 1d; 
let DomainNames = dynamic(["0.ns1.dns-info.gq""1.ns1.dns-info.gq""10.ns1.dns-info.gq""102.ns1.dns-info.gq"
"104.ns1.dns-info.gq""11.ns1.dns-info.gq""110.ns1.dns-info.gq""115.ns1.dns-info.gq""116.ns1.dns-info.gq"
"117.ns1.dns-info.gq""118.ns1.dns-info.gq""12.ns1.dns-info.gq""120.ns1.dns-info.gq""122.ns1.dns-info.gq"
"123.ns1.dns-info.gq""128.ns1.dns-info.gq""13.ns1.dns-info.gq""134.ns1.dns-info.gq""135.ns1.dns-info.gq"
"138.ns1.dns-info.gq""14.ns1.dns-info.gq""144.ns1.dns-info.gq""15.ns1.dns-info.gq""153.ns1.dns-info.gq"
"157.ns1.dns-info.gq""16.ns1.dns-info.gq""17.ns1.dns-info.gq""18.ns1.dns-info.gq""19.ns1.dns-info.gq"
"1a9604fa.ns1.feedsdns.com""1c7606b6.ns1.steamappstore.com""2.ns1.dns-info.gq""20.ns1.dns-info.gq"
"201.ns1.dns-info.gq""202.ns1.dns-info.gq""204.ns1.dns-info.gq""207.ns1.dns-info.gq""21.ns1.dns-info.gq"
"210.ns1.dns-info.gq""211.ns1.dns-info.gq""216.ns1.dns-info.gq""22.ns1.dns-info.gq""220.ns1.dns-info.gq"
"223.ns1.dns-info.gq""23.ns1.dns-info.gq""24.ns1.dns-info.gq""25.ns1.dns-info.gq""26.ns1.dns-info.gq"
"27.ns1.dns-info.gq""28.ns1.dns-info.gq""29.ns1.dns-info.gq""3.ns1.dns-info.gq""30.ns1.dns-info.gq"
"31.ns1.dns-info.gq""32.ns1.dns-info.gq""33.ns1.dns-info.gq""34.ns1.dns-info.gq""35.ns1.dns-info.gq"
"36.ns1.dns-info.gq""37.ns1.dns-info.gq""39.ns1.dns-info.gq""3d6fe4b2.ns1.steamappstore.com"
"4.ns1.dns-info.gq""40.ns1.dns-info.gq""42.ns1.dns-info.gq""43.ns1.dns-info.gq""44.ns1.dns-info.gq"
"45.ns1.dns-info.gq""46.ns1.dns-info.gq""48.ns1.dns-info.gq""5.ns1.dns-info.gq""50.ns1.dns-info.gq"
"50417.service.gstatic.dnset.com""51.ns1.dns-info.gq""52.ns1.dns-info.gq""53.ns1.dns-info.gq",
 "54.ns1.dns-info.gq""55.ns1.dns-info.gq""56.ns1.dns-info.gq""57.ns1.dns-info.gq""58.ns1.dns-info.gq"
"6.ns1.dns-info.gq""60.ns1.dns-info.gq""62.ns1.dns-info.gq""63.ns1.dns-info.gq""64.ns1.dns-info.gq"
"65.ns1.dns-info.gq""67.ns1.dns-info.gq""7.ns1.dns-info.gq""70.ns1.dns-info.gq""71.ns1.dns-info.gq",
 "73.ns1.dns-info.gq""77.ns1.dns-info.gq""77075.service.gstatic.dnset.com""7c1947fa.ns1.steamappstore.com",
 "8.ns1.dns-info.gq""81.ns1.dns-info.gq""86.ns1.dns-info.gq""87.ns1.dns-info.gq""9.ns1.dns-info.gq"
"94343.service.gstatic.dnset.com""9939.service.gstatic.dnset.com""aa.ns.mircosoftdoc.com"
"aaa.feeds.api.ns1.feedsdns.com""aaa.googlepublic.feeds.ns1.dns-info.gq"
"aaa.resolution.174547._get.cache.up.sourcedns.tk""acc.microsoftonetravel.com"
"accounts.longmusic.com""admin.dnstemplog.com""agent.updatenai.com"
"alibaba.zzux.com""api.feedsdns.com""app.portomnail.com""asia.updatenai.com"
"battllestategames.com""bguha.serveuser.com""binann-ce.com""bing.dsmtp.com"
"blog.cdsend.xyz""brives.minivineyapp.com""bsbana.dynamic-dns.net"
"californiaforce.000webhostapp.com""californiafroce.000webhostapp.com"
"cdn.freetcp.com""cdsend.xyz""cipla.zzux.com""cloudfeeddns.com""comcleanner.info",
 "cs.microsoftsonline.net""dns-info.gq""dns05.cf""dns22.ml""dns224.com"
"dnsdist.org""dnstemplog.com""doc.mircosoftdoc.com""dropdns.com"
"eshop.cdn.freetcp.com""exchange.dumb1.com""exchange.misecure.com""exchange.mrbasic.com",
 "facebookdocs.com""facebookint.com""facebookvi.com""feed.ns1.dns-info.gq""feedsdns.com"
"firejun.freeddns.com""ftp.dns-info.dyndns.pro""goallbandungtravel.com""goodhk.azurewebsites.net"
"googlepublic.feed.ns1.dns-info.gq""gp.spotifylite.cloud""gskytop.com""gstatic.dnset.com"
"gxxservice.com""helpdesk.cdn.freetcp.com""id.serveuser.com""infestexe.com""item.itemdb.com",
 "m.mircosoftdoc.com""mail.transferdkim.xyz""mcafee.updatenai.com""mecgjm.mircosoftdoc.com",
 "microdocs.ga""microsock.website""microsocks.net""microsoft.sendsmtp.com"
"microsoftbook.dns05.com""microsoftcontactcenter.com""microsoftdocs.dns05.com""microsoftdocs.ml"
"microsoftonetravel.com""microsoftonlines.net""microsoftprod.com""microsofts.dns1.us""microsoftsonline.net",
 "minivineyapp.com""mircosoftdoc.com""mircosoftdocs.com""mlcrosoft.ninth.biz""mlcrosoft.site"
"mm.portomnail.com""msdnupdate.com""msecdn.cloud""mtnl1.dynamic-dns.net""ns.gstatic.dnset.com"
"ns.microsoftprod.com""ns.steamappstore.com""ns1.cdn.freetcp.com""ns1.comcleanner.info""ns1.dns-info.gq"
"ns1.dns05.cf""ns1.dnstemplog.com""ns1.dropdns.com""ns1.microsoftonetravel.com"
"ns1.microsoftonlines.net""ns1.microsoftprod.com""ns1.microsoftsonline.net""ns1.mlcrosoft.site"
"ns1.teams.wikaba.com""ns1.windowsdefende.com""ns2.comcleanner.info""ns2.dnstemplog.com"
"ns2.microsoftonetravel.com""ns2.microsoftprod.com""ns2.microsoftsonline.net""ns2.mlcrosoft.site"
"ns2.windowsdefende.com""ns3.microsoftprod.com""ns3.mlcrosoft.site""nutrition.mrbasic.com"
"nutrition.youdontcare.com""online.mlcrosoft.site""online.msdnupdate.com""outlookservce.site"
"owa.jetos.com""owa.otzo.com""pornotime.co""portomnail.com"
"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com""pricingdmdk.com""prod.microsoftprod.com"
"product.microsoftprod.com""ptcl.yourtrap.com""query.api.sourcedns.tk""rb.itemdb.com""redditcdn.com"
"rss.otzo.com""secure.msdnupdate.com""service.dns22.ml""service.gstatic.dnset.com""service04.dns04.com"
"settings.teams.wikaba.com""sip.outlookservce.site""sixindent.epizy.com""soft.msdnupdate.com""sourcedns.ml"
"sourcedns.tk""sport.msdnupdate.com""spotifylite.cloud""static.misecure.com""steamappstore.com"
"store.otzo.com""survey.outlookservce.site""team.itemdb.com""temp221.com""test.microsoftprod.com"
"thisisaaa.000webhostapp.com""token.dns04.com""token.dns05.com""transferdkim.xyz"
"travelsanignacio.com""update08.com""updated08.com""updatenai.com""wantforspeed.com",
 "web.mircosoftdoc.com""webmail.pornotime.co""webwhois.team.itemdb.com""windowsdefende.com""wnswindows.com",
 "ashcrack.freetcp.com""battllestategames.com""binannce.com""cdsend.xyz""comcleanner.info""microsock.website"
"microsocks.net""microsoftsonline.net""mlcrosoft.site""notify.serveuser.com""ns1.microsoftprod.com"
"ns2.microsoftprod.com""pricingdmdk.com""steamappstore.com""update08.com""wnswindows.com"
"youtube.dns05.com""z1.zalofilescdn.com""z2.zalofilescdn.com""zalofilescdn.com"]); 
  (union isfuzzy=true 
  (CommonSecurityLog  
  | where TimeGenerated >= ago(timeframe)  
  | parse Message with * '(' DNSName ')' *  
  | where DNSName in~ (DomainNames) 
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
  ), 
  (DnsEvents  
  | where TimeGenerated >= ago(timeframe)  
  | extend DNSName = Name 
  | where isnotempty(DNSName) 
  | where DNSName  in~ (DomainNames) 
  | extend IPAddress =  ClientIP
  ), 
  (VMConnection  
  | where TimeGenerated >= ago(timeframe)  
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' * 
  | where isnotempty(DNSName) 
  | where DNSName  in~ (DomainNames) 
  | extend IPAddress = RemoteIp 
  ), 
  ( 
   DeviceNetworkEvents 
  | where isnotempty(RemoteUrl) 
  | where RemoteUrl  in~ (DomainNames)  
  | extend IPAddress = RemoteIP 
  | extend Computer = DeviceName 
  ) 
  ) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 

 

References: 

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer 

https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/ 

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender 

https://aka.ms/m365-sentinel-offer 

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-microsoft-365-defender-connector-now-in-public/ba-p/1865651 

 

Updated Nov 03, 2021
Version 3.0
hunting
microsoft sentinel
aprakash13's avatar
Icon for Microsoft rankMicrosoft
Joined March 01, 2019
View Profile
Microsoft Sentinel Blog

Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Sentinel by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

No CommentsBe the first to comment
"}},"componentScriptGroups({\"componentId\":\"custom.widget.Social_Sharing\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[\"board:MicrosoftSentinelBlog\",\"message:1875913\"],\"name\":\"BlogMessagePage\",\"props\":{},\"url\":\"https://techcommunity.microsoft.com/blog/microsoftsentinelblog/hunting-for-barium-using-azure-sentinel/1875913\"}}})":{"__typename":"ComponentRenderResult","html":""}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1737571274000"}],"cachedText({\"lastModified\":\"1737571274000\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1737571274000"}]},"CachedAsset:pages-1742488286315":{"__typename":"CachedAsset","id":"pages-1742488286315","value":[{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742488286315,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":"en","possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"Category:category:microsoft-sentinel":{"__typename":"Category","id":"category:microsoft-sentinel","entityType":"CATEGORY","displayId":"microsoft-sentinel","nodeType":"category","depth":4,"title":"Microsoft Sentinel","shortTitle":"Microsoft Sentinel","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top","entityType":"CATEGORY","shortTitle":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities","entityType":"CATEGORY","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products","entityType":"CATEGORY","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","entityType":"CATEGORY","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSentinelBlog":{"__typename":"Blog","id":"board:MicrosoftSentinelBlog","entityType":"BLOG","displayId":"MicrosoftSentinelBlog","nodeType":"board","depth":5,"conversationStyle":"BLOG","title":"Microsoft Sentinel Blog","description":"

Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

\n\n\n

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Sentinel by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

","avatar":null,"profileSettings":{"__typename":"ProfileSettings","language":null},"parent":{"__ref":"Category:category:microsoft-sentinel"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-sentinel"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"boardPolicies":{"__typename":"BoardPolicies","canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}}},"shortTitle":"Microsoft Sentinel Blog","repliesProperties":{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":{"__typename":"TagNodeProperties","tagsEnabled":{"__typename":"PolicyResult","failureReason":null}},"requireTags":false,"tagType":"PRESET_ONLY"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc","height":512,"width":512,"mimeType":"image/png"},"Rank:rank:4":{"__typename":"Rank","id":"rank:4","position":6,"name":"Microsoft","color":"333333","icon":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}"},"rankStyle":"OUTLINE"},"User:user:293861":{"__typename":"User","id":"user:293861","uid":293861,"login":"aprakash13","deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yOTM4NjEtMTg4ODc0aTk2RjhFODk3MUJCOUM3MTM"},"rank":{"__ref":"Rank:rank:4"},"email":"","messagesCount":1,"biography":null,"topicsCount":1,"kudosReceivedCount":1,"kudosGivenCount":3,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":null,"registrationTime":"2019-03-01T11:10:18.387-08:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"BlogTopicMessage:message:1875913":{"__typename":"BlogTopicMessage","uid":1875913,"subject":"Hunting for Barium using Azure Sentinel","id":"message:1875913","revisionNum":9,"repliesCount":0,"author":{"__ref":"User:user:293861"},"depth":0,"hasGivenKudo":false,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"conversation":{"__ref":"Conversation:conversation:1875913"},"messagePolicies":{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","args":[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","args":[]}}},"contentWorkflow":{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnToAuthor":null,"canPublish":null,"canReturnToReview":null,"canSchedule":false},"shortScheduledTimezone":null},"readOnly":false,"editFrozen":false,"moderationData":{"__ref":"ModerationData:moderation_data:1875913"},"teaser":"

Hunt for the Barium actor in your environment using the IOC's shared by the MSTIC team.

","body":"

 

\n

Leveraging Indictors of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team. Relevant security data for threat hunting/investigation related to an enterprise is produced in multiple locations - cloud, on-premises, and being able to analyze all the data from a single point makes it easier to spot trends and attack. Azure Sentinel has made it super easy to collect data from multiple logs across different environments and run KQL queries of recently released threat indicators across this entire data set. For example, through its recently released Microsoft 365 Defender connector security teams can now easily ingest Microsoft 365 data into Azure Sentinel allowing correlation of M365 raw logs with Sentinel’s additional data sources to provide additional insights for investigations, hunting and alerts. In this blog post we share some of the IOC’s related to one such threat actor that Microsoft tracks as Barium and the sample Azure Sentinel queries related to it that leverage multiple logs including those coming from Microsoft 365 Defender connector .

\n

 

\n

About a month and a half ago, the US Department of Justice, Office of Public Affairs, released documents detailing work done by a range of public and private sector organizations, including Microsoft, to disrupt Barium’s cyberattack infrastructure. Barium is intent on compromising research and development (R&D) heavy organizations in telecom, high tech, computer, and healthcare; their financially motivated operations have focused primarily on the video game industry. The techniques that the group have used in the past have varied from using malicious .lnk files, Word and PowerPoint macros, to the use of open-source tools like Cobalt strike to achieve their objective. The group has been pretty prolific in the use of “supply chain” attacks to compromise software providers and then modify the providers’ code to facilitate further intrusions against its customers. They have also been seen using C2 “dead drops,” which are seemingly legitimate web pages that have encoded instructions to their malware.  In their campaign they have also been seen using typo-squatted domains to impersonate legitimate companies and products.  

\n

 

\n

Microsoft Threat Intelligence Center (MSTIC) along with partner teams have been tracking and gathering information on Barium, monitoring the group’s activities as they operate a number of websites, domains and internet-connected computers. You can read more about this in the September 2020 Microsoft Digital Defense report.

\n

 

\n

MSTIC has now shared many of these indicators (IP/domains) so that you can hunt for them in Azure Sentinel using relevant data like the newly integrated Microsoft 365 Defender data, DNS logs, Firewall data etcMicrosoft 365 E5 customers, now also have the advantage of getting Azure credits towards Microsoft 365 data ingestion into Azure Sentinel - see https://aka.ms/m365-sentinel-offer  for details. With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Azure Sentinel. 

\n

 

\n

Below are sample Azure Sentinel queries that you can run to check for Barium activity in your environment. 

\n

 

\n

Barium IP Indicators

\n\n\n\n\n\n\n
\n
\n
id: 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 
\n
name: Known Barium IP 
\n
description: | 
\n
  'Identifies a match across various data feeds for IP IOCs related to the Barium activity group.  
\n\n
severity: High 
\n
requiredDataConnectors: 
\n
  - connectorId: Office365 
\n
    dataTypes: 
\n
     - OfficeActivity 
\n
  - connectorId: DNS 
\n
    dataTypes: 
\n
      - DnsEvents 
\n
  - connectorId: AzureMonitor(VMInsights) 
\n
    dataTypes: 
\n
      - VMConnection 
\n
  - connectorId: CiscoASA 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: PaloAltoNetworks 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: SecurityEvents 
\n
    dataTypes: 
\n
      - SecurityEvent 
\n
  - connectorId: AzureActiveDirectory 
\n
    dataTypes: 
\n
      - SigninLogs 
\n
  - connectorId: AzureMonitor(WireData) 
\n
    dataTypes: 
\n
      - WireData 
\n
  - connectorId: AzureMonitor(IIS) 
\n
    dataTypes: 
\n
      - W3CIISLog 
\n
  - connectorId: AzureActivity 
\n
    dataTypes: 
\n
      - AzureActivity 
\n
  - connectorId: AWS 
\n
    dataTypes: 
\n
      - AWSCloudTrail 
\n
  - connectorId: Microsoft 365 Defender 
\n
    dataTypes: 
\n
      - DeviceNetworkEvents 
\n
queryFrequency: 1
\n
queryPeriod: 1
\n
triggerOperator: gt 
\n
triggerThreshold: 0 
\n
tactics: 
\n
  - CommandAndControl 
\n
query:  |  
\n
let timeframe = 1d; 
\n
  let IPList = dynamic([\"216.24.185.74\"\"107.175.189.159\"\"192.210.132.102\"\"67.230.163.214\"
\n
\"199.19.110.240\"\"107.148.130.176\"\"154.212.129.218\"\"172.86.75.54\"\"45.61.136.199\"
\n
\"149.28.150.195\"\"108.61.214.194\"\"144.202.98.198\"\"149.28.84.98\"\"103.99.209.78\"
\n
\"45.61.136.2\"\"176.122.162.149\"\"192.3.80.245\"\"149.28.23.32\"\"107.182.18.149\"\"107.174.45.134\"
\n
\"149.248.18.104\"\"65.49.192.74\"\"156.255.2.154\"\"45.76.6.149\"\"8.9.11.130\"\"140.238.27.255\"
\n
\"107.182.24.70\"\"176.122.188.254\"\"192.161.161.108\"\"64.64.234.24\"\"104.224.185.36\"
\n
\"104.233.224.227\"\"104.36.69.105\"\"119.28.139.120\"\"161.117.39.130\"\"66.42.100.42\"\"45.76.31.159\"
\n
\"149.248.8.134\"\"216.24.182.48\"\"66.42.103.222\"\"218.89.236.11\"\"180.150.227.249\"\"47.75.80.23\",
\n
 \"124.156.164.19\"\"149.248.62.83\"\"150.109.76.174\"\"222.209.187.207\"\"218.38.191.38\"
\n
\"119.28.226.59\"\"66.42.98.220\"\"74.82.201.8\"\"173.242.122.198\"\"45.32.130.72\"\"89.35.178.10\"
\n
\"89.43.60.113\"]); 
\n
  (union isfuzzy=true 
\n
  (CommonSecurityLog 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
\n
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
\n
  | extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\"
\n
\"Message\")  
\n
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by 
\n
SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, 
\n
DeviceAddress, DeviceName, IPMatch 
\n
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, 
\n
IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")  
\n
  ), 
\n
  (OfficeActivity 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  |extend SourceIPAddress = ClientIP, Account = UserId 
\n
  | where  SourceIPAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , 
\n
AccountCustomEntity = Account 
\n
  ), 
\n
  (DnsEvents  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | extend DestinationIPAddress = IPAddresses,  Host = Computer 
\n
  | where  DestinationIPAddress has_any (IPList)  
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, 
\n
HostCustomEntity = Host 
\n
  ), 
\n
  (VMConnection  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(SourceIp) or isnotempty(DestinationIp)  
\n
  | where SourceIp in (IPList) or DestinationIp in (IPList)  
\n
  | extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), 
\n
\"DestinationIP\"\"None\")  
\n
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\",
\n
 SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer 
\n
  ), 
\n
  (Event 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where Source == \"Microsoft-Windows-Sysmon\" 
\n
  | where EventID == 3 
\n
  | extend EvData = parse_xml(EventData) 
\n
  | extend EventDetail = EvData.DataItem.EventData.Data 
\n
  | extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"
\n
  | where SourceIP in (IPList) or DestinationIP in (IPList)  
\n
  | extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\"\"None\")  
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , 
\n
IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"
\n
  ),  
\n
  (WireData  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(RemoteIP) 
\n
  | where RemoteIP in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
\n
  ), 
\n
  (SigninLogs 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(IPAddress) 
\n
  | where IPAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, 
\n
IPCustomEntity = IPAddress 
\n
  ), 
\n
  (W3CIISLog  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(cIP) 
\n
  | where cIP in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
\n
AccountCustomEntity = csUserName 
\n
  ), 
\n
  (AzureActivity  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(CallerIpAddress) 
\n
  | where CallerIpAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
\n
  ), 
\n
  ( 
\n
  AWSCloudTrail 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(SourceIpAddress) 
\n
  | where SourceIpAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = 
\n
SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
\n
  ), 
\n
  ( 
\n
  DeviceNetworkEvents 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(RemoteIP)  
\n
  | where RemoteIP in (IPList)  
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
\n
  ) 
\n
  ) 
\n
\n
\n

 

\n

Barium Domain Indicators

\n\n\n\n\n\n\n
\n
\n
\n
\n
id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d 
\n
name: Known Barium domains  
\n
description: | 
\n
  'Identifies a match across various data feeds for domains IOCs related to the Barium activity group.' 
\n\n
severity: High 
\n
requiredDataConnectors: 
\n
  - connectorId: DNS 
\n
    dataTypes: 
\n
      - DnsEvents 
\n
  - connectorId: AzureMonitor(VMInsights)  
\n
    dataTypes: 
\n
      - VMConnection 
\n
  - connectorId: CiscoASA 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: PaloAltoNetworks 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: Microsoft 365 Defender 
\n
    dataTypes: 
\n
      - DeviceNetworkEvents 
\n
queryFrequency: 1
\n
queryPeriod: 1
\n
triggerOperator: gt 
\n
triggerThreshold: 0 
\n
tactics: 
\n
  - CommandAndControl 
\n
query:  |  
\n
 
\n
\n
\n
let timeframe = 1d; 
\n
let DomainNames = dynamic([\"0.ns1.dns-info.gq\"\"1.ns1.dns-info.gq\"\"10.ns1.dns-info.gq\"\"102.ns1.dns-info.gq\"
\n
\"104.ns1.dns-info.gq\"\"11.ns1.dns-info.gq\"\"110.ns1.dns-info.gq\"\"115.ns1.dns-info.gq\"\"116.ns1.dns-info.gq\"
\n
\"117.ns1.dns-info.gq\"\"118.ns1.dns-info.gq\"\"12.ns1.dns-info.gq\"\"120.ns1.dns-info.gq\"\"122.ns1.dns-info.gq\"
\n
\"123.ns1.dns-info.gq\"\"128.ns1.dns-info.gq\"\"13.ns1.dns-info.gq\"\"134.ns1.dns-info.gq\"\"135.ns1.dns-info.gq\"
\n
\"138.ns1.dns-info.gq\"\"14.ns1.dns-info.gq\"\"144.ns1.dns-info.gq\"\"15.ns1.dns-info.gq\"\"153.ns1.dns-info.gq\"
\n
\"157.ns1.dns-info.gq\"\"16.ns1.dns-info.gq\"\"17.ns1.dns-info.gq\"\"18.ns1.dns-info.gq\"\"19.ns1.dns-info.gq\"
\n
\"1a9604fa.ns1.feedsdns.com\"\"1c7606b6.ns1.steamappstore.com\"\"2.ns1.dns-info.gq\"\"20.ns1.dns-info.gq\"
\n
\"201.ns1.dns-info.gq\"\"202.ns1.dns-info.gq\"\"204.ns1.dns-info.gq\"\"207.ns1.dns-info.gq\"\"21.ns1.dns-info.gq\"
\n
\"210.ns1.dns-info.gq\"\"211.ns1.dns-info.gq\"\"216.ns1.dns-info.gq\"\"22.ns1.dns-info.gq\"\"220.ns1.dns-info.gq\"
\n
\"223.ns1.dns-info.gq\"\"23.ns1.dns-info.gq\"\"24.ns1.dns-info.gq\"\"25.ns1.dns-info.gq\"\"26.ns1.dns-info.gq\"
\n
\"27.ns1.dns-info.gq\"\"28.ns1.dns-info.gq\"\"29.ns1.dns-info.gq\"\"3.ns1.dns-info.gq\"\"30.ns1.dns-info.gq\"
\n
\"31.ns1.dns-info.gq\"\"32.ns1.dns-info.gq\"\"33.ns1.dns-info.gq\"\"34.ns1.dns-info.gq\"\"35.ns1.dns-info.gq\"
\n
\"36.ns1.dns-info.gq\"\"37.ns1.dns-info.gq\"\"39.ns1.dns-info.gq\"\"3d6fe4b2.ns1.steamappstore.com\"
\n
\"4.ns1.dns-info.gq\"\"40.ns1.dns-info.gq\"\"42.ns1.dns-info.gq\"\"43.ns1.dns-info.gq\"\"44.ns1.dns-info.gq\"
\n
\"45.ns1.dns-info.gq\"\"46.ns1.dns-info.gq\"\"48.ns1.dns-info.gq\"\"5.ns1.dns-info.gq\"\"50.ns1.dns-info.gq\"
\n
\"50417.service.gstatic.dnset.com\"\"51.ns1.dns-info.gq\"\"52.ns1.dns-info.gq\"\"53.ns1.dns-info.gq\",
\n
 \"54.ns1.dns-info.gq\"\"55.ns1.dns-info.gq\"\"56.ns1.dns-info.gq\"\"57.ns1.dns-info.gq\"\"58.ns1.dns-info.gq\"
\n
\"6.ns1.dns-info.gq\"\"60.ns1.dns-info.gq\"\"62.ns1.dns-info.gq\"\"63.ns1.dns-info.gq\"\"64.ns1.dns-info.gq\"
\n
\"65.ns1.dns-info.gq\"\"67.ns1.dns-info.gq\"\"7.ns1.dns-info.gq\"\"70.ns1.dns-info.gq\"\"71.ns1.dns-info.gq\",
\n
 \"73.ns1.dns-info.gq\"\"77.ns1.dns-info.gq\"\"77075.service.gstatic.dnset.com\"\"7c1947fa.ns1.steamappstore.com\",
\n
 \"8.ns1.dns-info.gq\"\"81.ns1.dns-info.gq\"\"86.ns1.dns-info.gq\"\"87.ns1.dns-info.gq\"\"9.ns1.dns-info.gq\"
\n
\"94343.service.gstatic.dnset.com\"\"9939.service.gstatic.dnset.com\"\"aa.ns.mircosoftdoc.com\"
\n
\"aaa.feeds.api.ns1.feedsdns.com\"\"aaa.googlepublic.feeds.ns1.dns-info.gq\"
\n
\"aaa.resolution.174547._get.cache.up.sourcedns.tk\"\"acc.microsoftonetravel.com\"
\n
\"accounts.longmusic.com\"\"admin.dnstemplog.com\"\"agent.updatenai.com\"
\n
\"alibaba.zzux.com\"\"api.feedsdns.com\"\"app.portomnail.com\"\"asia.updatenai.com\"
\n
\"battllestategames.com\"\"bguha.serveuser.com\"\"binann-ce.com\"\"bing.dsmtp.com\"
\n
\"blog.cdsend.xyz\"\"brives.minivineyapp.com\"\"bsbana.dynamic-dns.net\"
\n
\"californiaforce.000webhostapp.com\"\"californiafroce.000webhostapp.com\"
\n
\"cdn.freetcp.com\"\"cdsend.xyz\"\"cipla.zzux.com\"\"cloudfeeddns.com\"\"comcleanner.info\",
\n
 \"cs.microsoftsonline.net\"\"dns-info.gq\"\"dns05.cf\"\"dns22.ml\"\"dns224.com\"
\n
\"dnsdist.org\"\"dnstemplog.com\"\"doc.mircosoftdoc.com\"\"dropdns.com\"
\n
\"eshop.cdn.freetcp.com\"\"exchange.dumb1.com\"\"exchange.misecure.com\"\"exchange.mrbasic.com\",
\n
 \"facebookdocs.com\"\"facebookint.com\"\"facebookvi.com\"\"feed.ns1.dns-info.gq\"\"feedsdns.com\"
\n
\"firejun.freeddns.com\"\"ftp.dns-info.dyndns.pro\"\"goallbandungtravel.com\"\"goodhk.azurewebsites.net\"
\n
\"googlepublic.feed.ns1.dns-info.gq\"\"gp.spotifylite.cloud\"\"gskytop.com\"\"gstatic.dnset.com\"
\n
\"gxxservice.com\"\"helpdesk.cdn.freetcp.com\"\"id.serveuser.com\"\"infestexe.com\"\"item.itemdb.com\",
\n
 \"m.mircosoftdoc.com\"\"mail.transferdkim.xyz\"\"mcafee.updatenai.com\"\"mecgjm.mircosoftdoc.com\",
\n
 \"microdocs.ga\"\"microsock.website\"\"microsocks.net\"\"microsoft.sendsmtp.com\"
\n
\"microsoftbook.dns05.com\"\"microsoftcontactcenter.com\"\"microsoftdocs.dns05.com\"\"microsoftdocs.ml\"
\n
\"microsoftonetravel.com\"\"microsoftonlines.net\"\"microsoftprod.com\"\"microsofts.dns1.us\"\"microsoftsonline.net\",
\n
 \"minivineyapp.com\"\"mircosoftdoc.com\"\"mircosoftdocs.com\"\"mlcrosoft.ninth.biz\"\"mlcrosoft.site\"
\n
\"mm.portomnail.com\"\"msdnupdate.com\"\"msecdn.cloud\"\"mtnl1.dynamic-dns.net\"\"ns.gstatic.dnset.com\"
\n
\"ns.microsoftprod.com\"\"ns.steamappstore.com\"\"ns1.cdn.freetcp.com\"\"ns1.comcleanner.info\"\"ns1.dns-info.gq\"
\n
\"ns1.dns05.cf\"\"ns1.dnstemplog.com\"\"ns1.dropdns.com\"\"ns1.microsoftonetravel.com\"
\n
\"ns1.microsoftonlines.net\"\"ns1.microsoftprod.com\"\"ns1.microsoftsonline.net\"\"ns1.mlcrosoft.site\"
\n
\"ns1.teams.wikaba.com\"\"ns1.windowsdefende.com\"\"ns2.comcleanner.info\"\"ns2.dnstemplog.com\"
\n
\"ns2.microsoftonetravel.com\"\"ns2.microsoftprod.com\"\"ns2.microsoftsonline.net\"\"ns2.mlcrosoft.site\"
\n
\"ns2.windowsdefende.com\"\"ns3.microsoftprod.com\"\"ns3.mlcrosoft.site\"\"nutrition.mrbasic.com\"
\n
\"nutrition.youdontcare.com\"\"online.mlcrosoft.site\"\"online.msdnupdate.com\"\"outlookservce.site\"
\n
\"owa.jetos.com\"\"owa.otzo.com\"\"pornotime.co\"\"portomnail.com\"
\n
\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\"\"pricingdmdk.com\"\"prod.microsoftprod.com\"
\n
\"product.microsoftprod.com\"\"ptcl.yourtrap.com\"\"query.api.sourcedns.tk\"\"rb.itemdb.com\"\"redditcdn.com\"
\n
\"rss.otzo.com\"\"secure.msdnupdate.com\"\"service.dns22.ml\"\"service.gstatic.dnset.com\"\"service04.dns04.com\"
\n
\"settings.teams.wikaba.com\"\"sip.outlookservce.site\"\"sixindent.epizy.com\"\"soft.msdnupdate.com\"\"sourcedns.ml\"
\n
\"sourcedns.tk\"\"sport.msdnupdate.com\"\"spotifylite.cloud\"\"static.misecure.com\"\"steamappstore.com\"
\n
\"store.otzo.com\"\"survey.outlookservce.site\"\"team.itemdb.com\"\"temp221.com\"\"test.microsoftprod.com\"
\n
\"thisisaaa.000webhostapp.com\"\"token.dns04.com\"\"token.dns05.com\"\"transferdkim.xyz\"
\n
\"travelsanignacio.com\"\"update08.com\"\"updated08.com\"\"updatenai.com\"\"wantforspeed.com\",
\n
 \"web.mircosoftdoc.com\"\"webmail.pornotime.co\"\"webwhois.team.itemdb.com\"\"windowsdefende.com\"\"wnswindows.com\",
\n
 \"ashcrack.freetcp.com\"\"battllestategames.com\"\"binannce.com\"\"cdsend.xyz\"\"comcleanner.info\"\"microsock.website\"
\n
\"microsocks.net\"\"microsoftsonline.net\"\"mlcrosoft.site\"\"notify.serveuser.com\"\"ns1.microsoftprod.com\"
\n
\"ns2.microsoftprod.com\"\"pricingdmdk.com\"\"steamappstore.com\"\"update08.com\"\"wnswindows.com\"
\n
\"youtube.dns05.com\"\"z1.zalofilescdn.com\"\"z2.zalofilescdn.com\"\"zalofilescdn.com\"]); 
\n
  (union isfuzzy=true 
\n
  (CommonSecurityLog  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | parse Message with * '(' DNSName ')' *  
\n
  | where DNSName in~ (DomainNames) 
\n
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
\n
  ), 
\n
  (DnsEvents  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | extend DNSName = Name 
\n
  | where isnotempty(DNSName) 
\n
  | where DNSName  in~ (DomainNames) 
\n
  | extend IPAddress =  ClientIP
\n
  ), 
\n
  (VMConnection  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * 
\n
  | where isnotempty(DNSName) 
\n
  | where DNSName  in~ (DomainNames) 
\n
  | extend IPAddress = RemoteIp 
\n
  ), 
\n
  ( 
\n
   DeviceNetworkEvents 
\n
  | where isnotempty(RemoteUrl) 
\n
  | where RemoteUrl  in~ (DomainNames)  
\n
  | extend IPAddress = RemoteIP 
\n
  | extend Computer = DeviceName 
\n
  ) 
\n
  ) 
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
\n
\n
\n

 

\n

References: 

\n

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer 

\n

https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/ 

\n

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender 

\n

https://aka.ms/m365-sentinel-offer 

\n

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-microsoft-365-defender-connector-now-in-public/ba-p/1865651 

\n

 

","body@stringLength":"70186","rawBody":"

 

\n

Leveraging Indictors of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team. Relevant security data for threat hunting/investigation related to an enterprise is produced in multiple locations - cloud, on-premises, and being able to analyze all the data from a single point makes it easier to spot trends and attack. Azure Sentinel has made it super easy to collect data from multiple logs across different environments and run KQL queries of recently released threat indicators across this entire data set. For example, through its recently released Microsoft 365 Defender connector security teams can now easily ingest Microsoft 365 data into Azure Sentinel allowing correlation of M365 raw logs with Sentinel’s additional data sources to provide additional insights for investigations, hunting and alerts. In this blog post we share some of the IOC’s related to one such threat actor that Microsoft tracks as Barium and the sample Azure Sentinel queries related to it that leverage multiple logs including those coming from Microsoft 365 Defender connector .

\n

 

\n

About a month and a half ago, the US Department of Justice, Office of Public Affairs, released documents detailing work done by a range of public and private sector organizations, including Microsoft, to disrupt Barium’s cyberattack infrastructure. Barium is intent on compromising research and development (R&D) heavy organizations in telecom, high tech, computer, and healthcare; their financially motivated operations have focused primarily on the video game industry. The techniques that the group have used in the past have varied from using malicious .lnk files, Word and PowerPoint macros, to the use of open-source tools like Cobalt strike to achieve their objective. The group has been pretty prolific in the use of “supply chain” attacks to compromise software providers and then modify the providers’ code to facilitate further intrusions against its customers. They have also been seen using C2 “dead drops,” which are seemingly legitimate web pages that have encoded instructions to their malware.  In their campaign they have also been seen using typo-squatted domains to impersonate legitimate companies and products.  

\n

 

\n

Microsoft Threat Intelligence Center (MSTIC) along with partner teams have been tracking and gathering information on Barium, monitoring the group’s activities as they operate a number of websites, domains and internet-connected computers. You can read more about this in the September 2020 Microsoft Digital Defense report.

\n

 

\n

MSTIC has now shared many of these indicators (IP/domains) so that you can hunt for them in Azure Sentinel using relevant data like the newly integrated Microsoft 365 Defender data, DNS logs, Firewall data etcMicrosoft 365 E5 customers, now also have the advantage of getting Azure credits towards Microsoft 365 data ingestion into Azure Sentinel - see https://aka.ms/m365-sentinel-offer  for details. With this new offer, you can take advantage of end-to-end integrated security and save significant costs when ingesting Microsoft 365 data into Azure Sentinel. 

\n

 

\n

Below are sample Azure Sentinel queries that you can run to check for Barium activity in your environment. 

\n

 

\n

Barium IP Indicators

\n\n\n\n\n\n\n
\n
\n
id: 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 
\n
name: Known Barium IP 
\n
description: | 
\n
  'Identifies a match across various data feeds for IP IOCs related to the Barium activity group.  
\n\n
severity: High 
\n
requiredDataConnectors: 
\n
  - connectorId: Office365 
\n
    dataTypes: 
\n
     - OfficeActivity 
\n
  - connectorId: DNS 
\n
    dataTypes: 
\n
      - DnsEvents 
\n
  - connectorId: AzureMonitor(VMInsights) 
\n
    dataTypes: 
\n
      - VMConnection 
\n
  - connectorId: CiscoASA 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: PaloAltoNetworks 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: SecurityEvents 
\n
    dataTypes: 
\n
      - SecurityEvent 
\n
  - connectorId: AzureActiveDirectory 
\n
    dataTypes: 
\n
      - SigninLogs 
\n
  - connectorId: AzureMonitor(WireData) 
\n
    dataTypes: 
\n
      - WireData 
\n
  - connectorId: AzureMonitor(IIS) 
\n
    dataTypes: 
\n
      - W3CIISLog 
\n
  - connectorId: AzureActivity 
\n
    dataTypes: 
\n
      - AzureActivity 
\n
  - connectorId: AWS 
\n
    dataTypes: 
\n
      - AWSCloudTrail 
\n
  - connectorId: Microsoft 365 Defender 
\n
    dataTypes: 
\n
      - DeviceNetworkEvents 
\n
queryFrequency: 1
\n
queryPeriod: 1
\n
triggerOperator: gt 
\n
triggerThreshold: 0 
\n
tactics: 
\n
  - CommandAndControl 
\n
query:  |  
\n
let timeframe = 1d; 
\n
  let IPList = dynamic([\"216.24.185.74\"\"107.175.189.159\"\"192.210.132.102\"\"67.230.163.214\"
\n
\"199.19.110.240\"\"107.148.130.176\"\"154.212.129.218\"\"172.86.75.54\"\"45.61.136.199\"
\n
\"149.28.150.195\"\"108.61.214.194\"\"144.202.98.198\"\"149.28.84.98\"\"103.99.209.78\"
\n
\"45.61.136.2\"\"176.122.162.149\"\"192.3.80.245\"\"149.28.23.32\"\"107.182.18.149\"\"107.174.45.134\"
\n
\"149.248.18.104\"\"65.49.192.74\"\"156.255.2.154\"\"45.76.6.149\"\"8.9.11.130\"\"140.238.27.255\"
\n
\"107.182.24.70\"\"176.122.188.254\"\"192.161.161.108\"\"64.64.234.24\"\"104.224.185.36\"
\n
\"104.233.224.227\"\"104.36.69.105\"\"119.28.139.120\"\"161.117.39.130\"\"66.42.100.42\"\"45.76.31.159\"
\n
\"149.248.8.134\"\"216.24.182.48\"\"66.42.103.222\"\"218.89.236.11\"\"180.150.227.249\"\"47.75.80.23\",
\n
 \"124.156.164.19\"\"149.248.62.83\"\"150.109.76.174\"\"222.209.187.207\"\"218.38.191.38\"
\n
\"119.28.226.59\"\"66.42.98.220\"\"74.82.201.8\"\"173.242.122.198\"\"45.32.130.72\"\"89.35.178.10\"
\n
\"89.43.60.113\"]); 
\n
  (union isfuzzy=true 
\n
  (CommonSecurityLog 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
\n
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
\n
  | extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\"
\n
\"Message\")  
\n
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by 
\n
SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, 
\n
DeviceAddress, DeviceName, IPMatch 
\n
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, 
\n
IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")  
\n
  ), 
\n
  (OfficeActivity 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  |extend SourceIPAddress = ClientIP, Account = UserId 
\n
  | where  SourceIPAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , 
\n
AccountCustomEntity = Account 
\n
  ), 
\n
  (DnsEvents  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | extend DestinationIPAddress = IPAddresses,  Host = Computer 
\n
  | where  DestinationIPAddress has_any (IPList)  
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, 
\n
HostCustomEntity = Host 
\n
  ), 
\n
  (VMConnection  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(SourceIp) or isnotempty(DestinationIp)  
\n
  | where SourceIp in (IPList) or DestinationIp in (IPList)  
\n
  | extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), 
\n
\"DestinationIP\"\"None\")  
\n
  | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\",
\n
 SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer 
\n
  ), 
\n
  (Event 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where Source == \"Microsoft-Windows-Sysmon\" 
\n
  | where EventID == 3 
\n
  | extend EvData = parse_xml(EventData) 
\n
  | extend EventDetail = EvData.DataItem.EventData.Data 
\n
  | extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"
\n
  | where SourceIP in (IPList) or DestinationIP in (IPList)  
\n
  | extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\"\"None\")  
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , 
\n
IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"
\n
  ),  
\n
  (WireData  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(RemoteIP) 
\n
  | where RemoteIP in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
\n
  ), 
\n
  (SigninLogs 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(IPAddress) 
\n
  | where IPAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, 
\n
IPCustomEntity = IPAddress 
\n
  ), 
\n
  (W3CIISLog  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(cIP) 
\n
  | where cIP in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
\n
AccountCustomEntity = csUserName 
\n
  ), 
\n
  (AzureActivity  
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(CallerIpAddress) 
\n
  | where CallerIpAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
\n
  ), 
\n
  ( 
\n
  AWSCloudTrail 
\n
  | where TimeGenerated >= ago(timeframe) 
\n
  | where isnotempty(SourceIpAddress) 
\n
  | where SourceIpAddress in (IPList) 
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = 
\n
SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
\n
  ), 
\n
  ( 
\n
  DeviceNetworkEvents 
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | where isnotempty(RemoteIP)  
\n
  | where RemoteIP in (IPList)  
\n
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
\n
  ) 
\n
  ) 
\n
\n
\n

 

\n

Barium Domain Indicators

\n\n\n\n\n\n\n
\n
\n
\n
\n
id: 70b12a3b-4899-42cb-910c-5ffaf9d7997d 
\n
name: Known Barium domains  
\n
description: | 
\n
  'Identifies a match across various data feeds for domains IOCs related to the Barium activity group.' 
\n\n
severity: High 
\n
requiredDataConnectors: 
\n
  - connectorId: DNS 
\n
    dataTypes: 
\n
      - DnsEvents 
\n
  - connectorId: AzureMonitor(VMInsights)  
\n
    dataTypes: 
\n
      - VMConnection 
\n
  - connectorId: CiscoASA 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: PaloAltoNetworks 
\n
    dataTypes: 
\n
      - CommonSecurityLog 
\n
  - connectorId: Microsoft 365 Defender 
\n
    dataTypes: 
\n
      - DeviceNetworkEvents 
\n
queryFrequency: 1
\n
queryPeriod: 1
\n
triggerOperator: gt 
\n
triggerThreshold: 0 
\n
tactics: 
\n
  - CommandAndControl 
\n
query:  |  
\n
 
\n
\n
\n
let timeframe = 1d; 
\n
let DomainNames = dynamic([\"0.ns1.dns-info.gq\"\"1.ns1.dns-info.gq\"\"10.ns1.dns-info.gq\"\"102.ns1.dns-info.gq\"
\n
\"104.ns1.dns-info.gq\"\"11.ns1.dns-info.gq\"\"110.ns1.dns-info.gq\"\"115.ns1.dns-info.gq\"\"116.ns1.dns-info.gq\"
\n
\"117.ns1.dns-info.gq\"\"118.ns1.dns-info.gq\"\"12.ns1.dns-info.gq\"\"120.ns1.dns-info.gq\"\"122.ns1.dns-info.gq\"
\n
\"123.ns1.dns-info.gq\"\"128.ns1.dns-info.gq\"\"13.ns1.dns-info.gq\"\"134.ns1.dns-info.gq\"\"135.ns1.dns-info.gq\"
\n
\"138.ns1.dns-info.gq\"\"14.ns1.dns-info.gq\"\"144.ns1.dns-info.gq\"\"15.ns1.dns-info.gq\"\"153.ns1.dns-info.gq\"
\n
\"157.ns1.dns-info.gq\"\"16.ns1.dns-info.gq\"\"17.ns1.dns-info.gq\"\"18.ns1.dns-info.gq\"\"19.ns1.dns-info.gq\"
\n
\"1a9604fa.ns1.feedsdns.com\"\"1c7606b6.ns1.steamappstore.com\"\"2.ns1.dns-info.gq\"\"20.ns1.dns-info.gq\"
\n
\"201.ns1.dns-info.gq\"\"202.ns1.dns-info.gq\"\"204.ns1.dns-info.gq\"\"207.ns1.dns-info.gq\"\"21.ns1.dns-info.gq\"
\n
\"210.ns1.dns-info.gq\"\"211.ns1.dns-info.gq\"\"216.ns1.dns-info.gq\"\"22.ns1.dns-info.gq\"\"220.ns1.dns-info.gq\"
\n
\"223.ns1.dns-info.gq\"\"23.ns1.dns-info.gq\"\"24.ns1.dns-info.gq\"\"25.ns1.dns-info.gq\"\"26.ns1.dns-info.gq\"
\n
\"27.ns1.dns-info.gq\"\"28.ns1.dns-info.gq\"\"29.ns1.dns-info.gq\"\"3.ns1.dns-info.gq\"\"30.ns1.dns-info.gq\"
\n
\"31.ns1.dns-info.gq\"\"32.ns1.dns-info.gq\"\"33.ns1.dns-info.gq\"\"34.ns1.dns-info.gq\"\"35.ns1.dns-info.gq\"
\n
\"36.ns1.dns-info.gq\"\"37.ns1.dns-info.gq\"\"39.ns1.dns-info.gq\"\"3d6fe4b2.ns1.steamappstore.com\"
\n
\"4.ns1.dns-info.gq\"\"40.ns1.dns-info.gq\"\"42.ns1.dns-info.gq\"\"43.ns1.dns-info.gq\"\"44.ns1.dns-info.gq\"
\n
\"45.ns1.dns-info.gq\"\"46.ns1.dns-info.gq\"\"48.ns1.dns-info.gq\"\"5.ns1.dns-info.gq\"\"50.ns1.dns-info.gq\"
\n
\"50417.service.gstatic.dnset.com\"\"51.ns1.dns-info.gq\"\"52.ns1.dns-info.gq\"\"53.ns1.dns-info.gq\",
\n
 \"54.ns1.dns-info.gq\"\"55.ns1.dns-info.gq\"\"56.ns1.dns-info.gq\"\"57.ns1.dns-info.gq\"\"58.ns1.dns-info.gq\"
\n
\"6.ns1.dns-info.gq\"\"60.ns1.dns-info.gq\"\"62.ns1.dns-info.gq\"\"63.ns1.dns-info.gq\"\"64.ns1.dns-info.gq\"
\n
\"65.ns1.dns-info.gq\"\"67.ns1.dns-info.gq\"\"7.ns1.dns-info.gq\"\"70.ns1.dns-info.gq\"\"71.ns1.dns-info.gq\",
\n
 \"73.ns1.dns-info.gq\"\"77.ns1.dns-info.gq\"\"77075.service.gstatic.dnset.com\"\"7c1947fa.ns1.steamappstore.com\",
\n
 \"8.ns1.dns-info.gq\"\"81.ns1.dns-info.gq\"\"86.ns1.dns-info.gq\"\"87.ns1.dns-info.gq\"\"9.ns1.dns-info.gq\"
\n
\"94343.service.gstatic.dnset.com\"\"9939.service.gstatic.dnset.com\"\"aa.ns.mircosoftdoc.com\"
\n
\"aaa.feeds.api.ns1.feedsdns.com\"\"aaa.googlepublic.feeds.ns1.dns-info.gq\"
\n
\"aaa.resolution.174547._get.cache.up.sourcedns.tk\"\"acc.microsoftonetravel.com\"
\n
\"accounts.longmusic.com\"\"admin.dnstemplog.com\"\"agent.updatenai.com\"
\n
\"alibaba.zzux.com\"\"api.feedsdns.com\"\"app.portomnail.com\"\"asia.updatenai.com\"
\n
\"battllestategames.com\"\"bguha.serveuser.com\"\"binann-ce.com\"\"bing.dsmtp.com\"
\n
\"blog.cdsend.xyz\"\"brives.minivineyapp.com\"\"bsbana.dynamic-dns.net\"
\n
\"californiaforce.000webhostapp.com\"\"californiafroce.000webhostapp.com\"
\n
\"cdn.freetcp.com\"\"cdsend.xyz\"\"cipla.zzux.com\"\"cloudfeeddns.com\"\"comcleanner.info\",
\n
 \"cs.microsoftsonline.net\"\"dns-info.gq\"\"dns05.cf\"\"dns22.ml\"\"dns224.com\"
\n
\"dnsdist.org\"\"dnstemplog.com\"\"doc.mircosoftdoc.com\"\"dropdns.com\"
\n
\"eshop.cdn.freetcp.com\"\"exchange.dumb1.com\"\"exchange.misecure.com\"\"exchange.mrbasic.com\",
\n
 \"facebookdocs.com\"\"facebookint.com\"\"facebookvi.com\"\"feed.ns1.dns-info.gq\"\"feedsdns.com\"
\n
\"firejun.freeddns.com\"\"ftp.dns-info.dyndns.pro\"\"goallbandungtravel.com\"\"goodhk.azurewebsites.net\"
\n
\"googlepublic.feed.ns1.dns-info.gq\"\"gp.spotifylite.cloud\"\"gskytop.com\"\"gstatic.dnset.com\"
\n
\"gxxservice.com\"\"helpdesk.cdn.freetcp.com\"\"id.serveuser.com\"\"infestexe.com\"\"item.itemdb.com\",
\n
 \"m.mircosoftdoc.com\"\"mail.transferdkim.xyz\"\"mcafee.updatenai.com\"\"mecgjm.mircosoftdoc.com\",
\n
 \"microdocs.ga\"\"microsock.website\"\"microsocks.net\"\"microsoft.sendsmtp.com\"
\n
\"microsoftbook.dns05.com\"\"microsoftcontactcenter.com\"\"microsoftdocs.dns05.com\"\"microsoftdocs.ml\"
\n
\"microsoftonetravel.com\"\"microsoftonlines.net\"\"microsoftprod.com\"\"microsofts.dns1.us\"\"microsoftsonline.net\",
\n
 \"minivineyapp.com\"\"mircosoftdoc.com\"\"mircosoftdocs.com\"\"mlcrosoft.ninth.biz\"\"mlcrosoft.site\"
\n
\"mm.portomnail.com\"\"msdnupdate.com\"\"msecdn.cloud\"\"mtnl1.dynamic-dns.net\"\"ns.gstatic.dnset.com\"
\n
\"ns.microsoftprod.com\"\"ns.steamappstore.com\"\"ns1.cdn.freetcp.com\"\"ns1.comcleanner.info\"\"ns1.dns-info.gq\"
\n
\"ns1.dns05.cf\"\"ns1.dnstemplog.com\"\"ns1.dropdns.com\"\"ns1.microsoftonetravel.com\"
\n
\"ns1.microsoftonlines.net\"\"ns1.microsoftprod.com\"\"ns1.microsoftsonline.net\"\"ns1.mlcrosoft.site\"
\n
\"ns1.teams.wikaba.com\"\"ns1.windowsdefende.com\"\"ns2.comcleanner.info\"\"ns2.dnstemplog.com\"
\n
\"ns2.microsoftonetravel.com\"\"ns2.microsoftprod.com\"\"ns2.microsoftsonline.net\"\"ns2.mlcrosoft.site\"
\n
\"ns2.windowsdefende.com\"\"ns3.microsoftprod.com\"\"ns3.mlcrosoft.site\"\"nutrition.mrbasic.com\"
\n
\"nutrition.youdontcare.com\"\"online.mlcrosoft.site\"\"online.msdnupdate.com\"\"outlookservce.site\"
\n
\"owa.jetos.com\"\"owa.otzo.com\"\"pornotime.co\"\"portomnail.com\"
\n
\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\"\"pricingdmdk.com\"\"prod.microsoftprod.com\"
\n
\"product.microsoftprod.com\"\"ptcl.yourtrap.com\"\"query.api.sourcedns.tk\"\"rb.itemdb.com\"\"redditcdn.com\"
\n
\"rss.otzo.com\"\"secure.msdnupdate.com\"\"service.dns22.ml\"\"service.gstatic.dnset.com\"\"service04.dns04.com\"
\n
\"settings.teams.wikaba.com\"\"sip.outlookservce.site\"\"sixindent.epizy.com\"\"soft.msdnupdate.com\"\"sourcedns.ml\"
\n
\"sourcedns.tk\"\"sport.msdnupdate.com\"\"spotifylite.cloud\"\"static.misecure.com\"\"steamappstore.com\"
\n
\"store.otzo.com\"\"survey.outlookservce.site\"\"team.itemdb.com\"\"temp221.com\"\"test.microsoftprod.com\"
\n
\"thisisaaa.000webhostapp.com\"\"token.dns04.com\"\"token.dns05.com\"\"transferdkim.xyz\"
\n
\"travelsanignacio.com\"\"update08.com\"\"updated08.com\"\"updatenai.com\"\"wantforspeed.com\",
\n
 \"web.mircosoftdoc.com\"\"webmail.pornotime.co\"\"webwhois.team.itemdb.com\"\"windowsdefende.com\"\"wnswindows.com\",
\n
 \"ashcrack.freetcp.com\"\"battllestategames.com\"\"binannce.com\"\"cdsend.xyz\"\"comcleanner.info\"\"microsock.website\"
\n
\"microsocks.net\"\"microsoftsonline.net\"\"mlcrosoft.site\"\"notify.serveuser.com\"\"ns1.microsoftprod.com\"
\n
\"ns2.microsoftprod.com\"\"pricingdmdk.com\"\"steamappstore.com\"\"update08.com\"\"wnswindows.com\"
\n
\"youtube.dns05.com\"\"z1.zalofilescdn.com\"\"z2.zalofilescdn.com\"\"zalofilescdn.com\"]); 
\n
  (union isfuzzy=true 
\n
  (CommonSecurityLog  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | parse Message with * '(' DNSName ')' *  
\n
  | where DNSName in~ (DomainNames) 
\n
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP 
\n
  ), 
\n
  (DnsEvents  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | extend DNSName = Name 
\n
  | where isnotempty(DNSName) 
\n
  | where DNSName  in~ (DomainNames) 
\n
  | extend IPAddress =  ClientIP
\n
  ), 
\n
  (VMConnection  
\n
  | where TimeGenerated >= ago(timeframe)  
\n
  | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * 
\n
  | where isnotempty(DNSName) 
\n
  | where DNSName  in~ (DomainNames) 
\n
  | extend IPAddress = RemoteIp 
\n
  ), 
\n
  ( 
\n
   DeviceNetworkEvents 
\n
  | where isnotempty(RemoteUrl) 
\n
  | where RemoteUrl  in~ (DomainNames)  
\n
  | extend IPAddress = RemoteIP 
\n
  | extend Computer = DeviceName 
\n
  ) 
\n
  ) 
\n
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress 
\n
\n
\n

 

\n

References: 

\n

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer 

\n

https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/ 

\n

https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender 

\n

https://aka.ms/m365-sentinel-offer 

\n

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-microsoft-365-defender-connector-now-in-public/ba-p/1865651 

\n

 

","kudosSumWeight":1,"postTime":"2020-11-11T12:39:37.412-08:00","images":{"__typename":"AssociatedImageConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":{"__typename":"AttachmentConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[]},"tags":{"__typename":"TagConnection","pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":[{"__typename":"TagEdge","cursor":"MjUuMXwyLjF8b3wxMHxfTlZffDE","node":{"__typename":"Tag","id":"tag:hunting","text":"hunting","time":"2019-04-11T09:00:00.012-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}},{"__typename":"TagEdge","cursor":"MjUuMXwyLjF8b3wxMHxfTlZffDI","node":{"__typename":"Tag","id":"tag:microsoft sentinel","text":"microsoft sentinel","time":"2021-11-02T10:33:48.383-07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":13,"rawTeaser":"

Hunt for the Barium actor in your environment using the IOC's shared by the MSTIC team.

","introduction":"","coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision":{"__ref":"Revision:revision:1875913_9"},"latestVersion":{"__typename":"FriendlyVersion","major":"3","minor":"0"},"metrics":{"__typename":"MessageMetrics","views":12266},"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"placeholder":false,"originalMessageForPlaceholder":null,"contributors":{"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges":[]},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies":{"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","args":[]}}},"archivalData":null,"replies":{"__typename":"MessageConnection","edges":[],"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}},\"first\":1})":{"__typename":"RevisionConnection","totalCount":9}},"Conversation:conversation:1875913":{"__typename":"Conversation","id":"conversation:1875913","solved":false,"topic":{"__ref":"BlogTopicMessage:message:1875913"},"lastPostingActivityTime":"2021-11-02T18:27:44.293-07:00","lastPostTime":"2020-11-11T12:39:37.412-08:00","unreadReplyCount":0,"isSubscribed":false},"ModerationData:moderation_data:1875913":{"__typename":"ModerationData","id":"moderation_data:1875913","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":null,"rejectTime":null,"rejectActorType":null},"Revision:revision:1875913_9":{"__typename":"Revision","id":"revision:1875913_9","lastEditTime":"2021-11-02T18:27:44.293-07:00"},"CachedAsset:theme:customTheme1-1742488285820":{"__typename":"CachedAsset","id":"theme:customTheme1-1742488285820","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_BROWSER","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#D13A1F","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#717171","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0069D4","secondary":"#333333","bodyText":"#333333","bodyBg":"#FFFFFF","info":"#409AE2","success":"#41C5AE","warning":"#FCC844","danger":"#BC341B","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20px","h6FontSize":"16px","lineHeight":"1.3","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"40px","defaultMessageHeaderMarginBottom":"20px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Segoe UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.5","fontSizeBase":"16px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"14px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1737571274000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1737571274000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1742488283959":{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1742488283959","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps":{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":{"community.widget.breadcrumbWidget":{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOCKED","bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"OneColumnQuiltSection","columnMap":{"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var(--lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"MainSideQuiltSection","columnMap":{"main":[],"side":[{"id":"custom.widget.Social_Sharing","className":null,"props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":true,"title":"Share","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"MainSideSectionColumns"}}],"__typename":"QuiltContainer"},"__typename":"Quilt","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1737571274000","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1742488083619":{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1742488083619","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"community.widget.navbarWidget","props":{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"className":"QuiltComponent_lia-component-edit-mode__0nCcm","links":{"sideLinks":[],"mainLinks":[{"children":[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":[],"linkType":"EXTERNAL","id":"external-link","url":"/Directory","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft365","params":{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-teams","params":{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-securityand-compliance","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"outlook","params":{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"planner","params":{"categoryId":"Planner"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows-server","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"azure","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"exchange","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-endpoint-manager","params":{"categoryId":"microsoft-endpoint-manager"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-q-l-server","params":{"categoryId":"SQL-Server"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-2","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities","url":"/","target":"BLANK"},{"children":[{"linkType":"INTERNAL","id":"education-sector","params":{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"a-i","params":{"categoryId":"AI"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"i-t-ops-talk","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"partner-community","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-mechanics","params":{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"healthcare-and-life-sciences","params":{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"public-sector","params":{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"io-t","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"driving-adoption","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-m-b","params":{"categoryId":"SMB"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"startupsat-microsoft","params":{"categoryId":"StartupsatMicrosoft"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-1","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities-1","url":"/","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external","url":"/Blogs","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external-1","url":"/Events","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft-learn-1","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-learn-blog","params":{"boardId":"MicrosoftLearnBlog","categoryId":"MicrosoftLearn"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"external-10","url":"https://learningroomdirectory.microsoft.com/","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-3","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-4","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-5","url":"https://docs.microsoft.com/learn/topics/sci/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-6","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-7","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-8","url":"https://docs.microsoft.com/learn/teams/?wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-9","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-2","url":"https://docs.microsoft.com/learn/azure/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"microsoft-learn","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"community-info-center","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}]},"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","controllerHighlightColor":"hsla(30, 100%, 50%)","linkFontWeight":"400","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkBoxShadowHover":"none","linkFontSize":"14px","backgroundOpacity":0.8,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","hamburgerColor":"var(--lia-nav-controller-icon-color)","linkTextBorderBottom":"none","brandLogoHeight":"30px","linkBgHoverColor":"transparent","linkLetterSpacing":"normal","collapseMenuDividerOpacity":0.16,"dropdownPaddingBottom":"15px","paddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"1px solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","collapseMenuDividerBg":"var(--lia-nav-link-color)","linkColor":"var(--lia-bs-body-color)","linkJustifyContent":"flex-start","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","controllerTextColor":"var(--lia-nav-controller-icon-color)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-body-color)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","linkPaddingX":"10px","linkPaddingY":"5px","paddingTop":"15px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkBgColor":"transparent","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"showSearchIcon":false,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.community_banner","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.HeroBanner","props":{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.HeroBanner"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.MicrosoftFooter","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1737571274000","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.community_banner-en-1742488318810":{"__typename":"CachedAsset","id":"component:custom.widget.community_banner-en-1742488318810","value":{"component":{"id":"custom.widget.community_banner","template":{"id":"community_banner","markupLanguage":"HANDLEBARS","style":".community-banner {\n a.top-bar.btn {\n top: 0px;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0px;\n background: #0068b8;\n color: white;\n padding: 10px 0px;\n display:block;\n box-shadow:none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0px !important;\n font-size:14px;\n }\n}","texts":null,"defaults":{"config":{"applicablePages":[],"description":"community announcement text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.community_banner","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"community announcement text","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_community_banner_community-banner_1a5zb_1 {\n a.custom_widget_community_banner_top-bar_1a5zb_2.custom_widget_community_banner_btn_1a5zb_2 {\n top: 0;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0;\n background: #0068b8;\n color: white;\n padding: 0.625rem 0;\n display:block;\n box-shadow:none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0 !important;\n font-size:0.875rem;\n }\n}","tokens":{"community-banner":"custom_widget_community_banner_community-banner_1a5zb_1","top-bar":"custom_widget_community_banner_top-bar_1a5zb_2","btn":"custom_widget_community_banner_btn_1a5zb_2"}},"form":null},"localOverride":false},"CachedAsset:component:custom.widget.HeroBanner-en-1742488318810":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-1742488318810","value":{"component":{"id":"custom.widget.HeroBanner","template":{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search."},"defaults":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.HeroBanner","form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"}},"localOverride":false},"CachedAsset:component:custom.widget.Social_Sharing-en-1742488318810":{"__typename":"CachedAsset","id":"component:custom.widget.Social_Sharing-en-1742488318810","value":{"component":{"id":"custom.widget.Social_Sharing","template":{"id":"Social_Sharing","markupLanguage":"HANDLEBARS","style":".social-share {\n .sharing-options {\n position: relative;\n margin: 0;\n padding: 0;\n line-height: 10px;\n display: flex;\n justify-content: left;\n gap: 5px;\n list-style-type: none;\n li {\n text-align: left;\n a {\n min-width: 30px;\n min-height: 30px;\n display: block;\n padding: 1px;\n .social-share-linkedin {\n img {\n background-color: rgb(0, 119, 181);\n }\n }\n .social-share-facebook {\n img {\n background-color: rgb(59, 89, 152);\n }\n }\n .social-share-x {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .social-share-rss {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .social-share-reddit {\n img {\n background-color: rgb(255, 69, 0);\n }\n }\n .social-share-email {\n img {\n background-color: rgb(132, 132, 132);\n }\n }\n }\n a {\n img {\n height: 2rem;\n }\n }\n }\n }\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Social_Sharing","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_Social_Sharing_social-share_c7xxz_1 {\n .custom_widget_Social_Sharing_sharing-options_c7xxz_2 {\n position: relative;\n margin: 0;\n padding: 0;\n line-height: 0.625rem;\n display: flex;\n justify-content: left;\n gap: 0.3125rem;\n list-style-type: none;\n li {\n text-align: left;\n a {\n min-width: 1.875rem;\n min-height: 1.875rem;\n display: block;\n padding: 0.0625rem;\n .custom_widget_Social_Sharing_social-share-linkedin_c7xxz_18 {\n img {\n background-color: rgb(0, 119, 181);\n }\n }\n .custom_widget_Social_Sharing_social-share-facebook_c7xxz_23 {\n img {\n background-color: rgb(59, 89, 152);\n }\n }\n .custom_widget_Social_Sharing_social-share-x_c7xxz_28 {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-rss_c7xxz_33 {\n img {\n background-color: rgb(0, 0, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-reddit_c7xxz_38 {\n img {\n background-color: rgb(255, 69, 0);\n }\n }\n .custom_widget_Social_Sharing_social-share-email_c7xxz_43 {\n img {\n background-color: rgb(132, 132, 132);\n }\n }\n }\n a {\n img {\n height: 2rem;\n }\n }\n }\n }\n}\n","tokens":{"social-share":"custom_widget_Social_Sharing_social-share_c7xxz_1","sharing-options":"custom_widget_Social_Sharing_sharing-options_c7xxz_2","social-share-linkedin":"custom_widget_Social_Sharing_social-share-linkedin_c7xxz_18","social-share-facebook":"custom_widget_Social_Sharing_social-share-facebook_c7xxz_23","social-share-x":"custom_widget_Social_Sharing_social-share-x_c7xxz_28","social-share-rss":"custom_widget_Social_Sharing_social-share-rss_c7xxz_33","social-share-reddit":"custom_widget_Social_Sharing_social-share-reddit_c7xxz_38","social-share-email":"custom_widget_Social_Sharing_social-share-email_c7xxz_43"}},"form":null},"localOverride":false},"CachedAsset:component:custom.widget.MicrosoftFooter-en-1742488318810":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-1742488318810","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\n min-width: 280px;\n font-size: 15px;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.c-uhff-link {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.c-uhff {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.c-uhff-nav {\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n .c-heading-4 {\n color: #616161;\n word-break: break-word;\n font-size: 15px;\n line-height: 20px;\n padding: 36px 0 4px;\n font-weight: 600;\n }\n .c-uhff-nav-row {\n .c-uhff-nav-group {\n display: block;\n float: left;\n min-height: 1px;\n vertical-align: text-top;\n padding: 0 12px;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.c-list.f-bare {\n font-size: 11px;\n line-height: 16px;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 8px 0;\n margin: 0;\n }\n }\n }\n }\n}\n.c-uhff-base {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 30px 5% 16px;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.c-uhff-ccpa {\n font-size: 11px;\n line-height: 16px;\n float: left;\n margin: 3px 0;\n }\n a.c-uhff-ccpa:hover {\n text-decoration: underline;\n }\n ul.c-list {\n font-size: 11px;\n line-height: 16px;\n float: right;\n margin: 3px 0;\n color: #616161;\n li {\n padding: 0 24px 4px 0;\n display: inline-block;\n }\n }\n .c-list.f-bare {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 30px 24px 16px;\n }\n}\n","texts":{"New tab":"What's New","New 1":"Surface Laptop Studio 2","New 2":"Surface Laptop Go 3","New 3":"Surface Pro 9","New 4":"Surface Laptop 5","New 5":"Surface Studio 2+","New 6":"Copilot in Windows","New 7":"Microsoft 365","New 8":"Windows 11 apps","Store tab":"Microsoft Store","Store 1":"Account Profile","Store 2":"Download Center","Store 3":"Microsoft Store Support","Store 4":"Returns","Store 5":"Order tracking","Store 6":"Certified Refurbished","Store 7":"Microsoft Store Promise","Store 8":"Flexible Payments","Education tab":"Education","Edu 1":"Microsoft in education","Edu 2":"Devices for education","Edu 3":"Microsoft Teams for Education","Edu 4":"Microsoft 365 Education","Edu 5":"How to buy for your school","Edu 6":"Educator Training and development","Edu 7":"Deals for students and parents","Edu 8":"Azure for students","Business tab":"Business","Bus 1":"Microsoft Cloud","Bus 2":"Microsoft Security","Bus 3":"Dynamics 365","Bus 4":"Microsoft 365","Bus 5":"Microsoft Power Platform","Bus 6":"Microsoft Teams","Bus 7":"Microsoft Industry","Bus 8":"Small Business","Developer tab":"Developer & IT","Dev 1":"Azure","Dev 2":"Developer Center","Dev 3":"Documentation","Dev 4":"Microsoft Learn","Dev 5":"Microsoft Tech Community","Dev 6":"Azure Marketplace","Dev 7":"AppSource","Dev 8":"Visual Studio","Company tab":"Company","Com 1":"Careers","Com 2":"About Microsoft","Com 3":"Company News","Com 4":"Privacy at Microsoft","Com 5":"Investors","Com 6":"Diversity and inclusion","Com 7":"Accessiblity","Com 8":"Sustainibility"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_MicrosoftFooter_context-uhf_f95yq_1 {\n min-width: 17.5rem;\n font-size: 0.9375rem;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-link_f95yq_12 {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff_f95yq_12 {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.custom_widget_MicrosoftFooter_c-uhff-nav_f95yq_35 {\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n .custom_widget_MicrosoftFooter_c-heading-4_f95yq_49 {\n color: #616161;\n word-break: break-word;\n font-size: 0.9375rem;\n line-height: 1.25rem;\n padding: 2.25rem 0 0.25rem;\n font-weight: 600;\n }\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_f95yq_57 {\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_f95yq_58 {\n display: block;\n float: left;\n min-height: 0.0625rem;\n vertical-align: text-top;\n padding: 0 0.75rem;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.custom_widget_MicrosoftFooter_c-list_f95yq_78.custom_widget_MicrosoftFooter_f-bare_f95yq_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 0.5rem 0;\n margin: 0;\n }\n }\n }\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff-base_f95yq_94 {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 1.875rem 5% 1rem;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: left;\n margin: 0.1875rem 0;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107:hover {\n text-decoration: underline;\n }\n ul.custom_widget_MicrosoftFooter_c-list_f95yq_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: right;\n margin: 0.1875rem 0;\n color: #616161;\n li {\n padding: 0 1.5rem 0.25rem 0;\n display: inline-block;\n }\n }\n .custom_widget_MicrosoftFooter_c-list_f95yq_78.custom_widget_MicrosoftFooter_f-bare_f95yq_78 {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 1.875rem 1.5rem 1rem;\n }\n}\n","tokens":{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_f95yq_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_f95yq_12","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_f95yq_12","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_f95yq_35","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_f95yq_49","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_f95yq_57","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_f95yq_58","c-list":"custom_widget_MicrosoftFooter_c-list_f95yq_78","f-bare":"custom_widget_MicrosoftFooter_f-bare_f95yq_78","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_f95yq_94","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_f95yq_107"}},"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1737571274000","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1737571274000","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"Category:category:Exchange":{"__typename":"Category","id":"category:Exchange","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Planner":{"__typename":"Category","id":"category:Planner","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":{"__typename":"Category","id":"category:EducationSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SQL-Server":{"__typename":"Category","id":"category:SQL-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":{"__typename":"Category","id":"category:PublicSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":{"__typename":"Category","id":"category:microsoft365","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SMB":{"__typename":"Category","id":"category:SMB","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-endpoint-manager":{"__typename":"Category","id":"category:microsoft-endpoint-manager","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftLearn":{"__typename":"Category","id":"category:MicrosoftLearn","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftLearnBlog":{"__typename":"Blog","id":"board:MicrosoftLearnBlog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"QueryVariables:TopicReplyList:message:1875913:9":{"__typename":"QueryVariables","id":"TopicReplyList:message:1875913:9","value":{"id":"message:1875913","first":10,"sorts":{"postTime":{"direction":"DESC"}},"repliesFirst":3,"repliesFirstDepthThree":1,"repliesSorts":{"postTime":{"direction":"DESC"}},"useAvatar":true,"useAuthorLogin":true,"useAuthorRank":true,"useBody":true,"useKudosCount":true,"useTimeToRead":false,"useMedia":false,"useReadOnlyIcon":false,"useRepliesCount":true,"useSearchSnippet":false,"useAcceptedSolutionButton":false,"useSolvedBadge":false,"useAttachments":false,"attachmentsFirst":5,"useTags":true,"useNodeAncestors":false,"useUserHoverCard":false,"useNodeHoverCard":false,"useModerationStatus":true,"usePreviewSubjectModal":false,"useMessageStatus":true}},"ROOT_MUTATION":{"__typename":"Mutation"},"CachedAsset:text:en_US-components/community/Navbar-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1737571274000","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Small and Medium Businesses","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","s-q-l-server":"SQL Server","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Planner","external-4":"Microsoft 365","external-3":"Dynamics 365","azure":"Azure","healthcare-and-life-sciences":"Healthcare and Life Sciences","external-2":"Azure","microsoft-mechanics":"Microsoft Mechanics","microsoft-learn-1":"Community","external-10":"Learning Room Directory","microsoft-learn-blog":"Blog","windows":"Windows","i-t-ops-talk":"ITOps Talk","external-link-1":"View All","microsoft-securityand-compliance":"Microsoft Security","public-sector":"Public Sector","community-info-center":"Lounge","external-link-2":"View All","microsoft-teams":"Microsoft Teams","external":"Blogs","microsoft-endpoint-manager":"Microsoft Intune and Configuration Manager","startupsat-microsoft":"Startups at Microsoft","exchange":"Exchange","a-i":"AI and Machine Learning","io-t":"Internet of Things (IoT)","outlook":"Outlook","external-link":"Community Hubs","communities":"Products"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1737571274000","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1737571274000","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1737571274000","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1737571274000","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1737571274000","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1737571274000","value":{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solved","movedMessagePlaceholder.BLOG":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.TKB":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.FORUM":"{count, plural, =0 {This reply has been} other {These replies have been} }","movedMessagePlaceholder.IDEA":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholder.OCCASION":"{count, plural, =0 {This comment has been} other {These comments have been} }","movedMessagePlaceholderUrlText":"moved.","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/ThreadedReplyList-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/ThreadedReplyList-1737571274000","value":{"title":"{count, plural, one{# Reply} other{# Replies}}","title@board:BLOG":"{count, plural, one{# Comment} other{# Comments}}","title@board:TKB":"{count, plural, one{# Comment} other{# Comments}}","title@board:IDEA":"{count, plural, one{# Comment} other{# Comments}}","title@board:OCCASION":"{count, plural, one{# Comment} other{# Comments}}","noRepliesTitle":"No Replies","noRepliesTitle@board:BLOG":"No Comments","noRepliesTitle@board:TKB":"No Comments","noRepliesTitle@board:IDEA":"No Comments","noRepliesTitle@board:OCCASION":"No Comments","noRepliesDescription":"Be the first to reply","noRepliesDescription@board:BLOG":"Be the first to comment","noRepliesDescription@board:TKB":"Be the first to comment","noRepliesDescription@board:IDEA":"Be the first to comment","noRepliesDescription@board:OCCASION":"Be the first to comment","messageReadOnlyAlert:BLOG":"Comments have been turned off for this post","messageReadOnlyAlert:TKB":"Comments have been turned off for this article","messageReadOnlyAlert:IDEA":"Comments have been turned off for this idea","messageReadOnlyAlert:FORUM":"Replies have been turned off for this discussion","messageReadOnlyAlert:OCCASION":"Comments have been turned off for this event"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1737571274000","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1737571274000","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1737571274000","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1737571274000","value":{"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1737571274000","value":{"nodeTitle":"{nodeTitle, select, community {Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1737571274000","value":{"minReadText":"{min} MIN READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1737571274000","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1737571274000","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1737571274000","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1737571274000","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1737571274000","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1737571274000","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1737571274000","value":{"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}} {date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}.{minor}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1737571274000","value":{"repliesCount":"{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:root":"Comment","title@board:OCCASION@message:root":"Comment"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1737571274000","value":{"sendMessage":"Send Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name} {type}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1737571274000","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1737571274000","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1737571274000","value":{"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1737571274000","value":{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1737571274000","value":{"description":"{description}"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1737571274000","value":{"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1737571274000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1737571274000","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query":{"boardId":"microsoftsentinelblog","messageSubject":"hunting-for-barium-using-azure-sentinel","messageId":"1875913"},"buildId":"HEhyUrv5OXNBIbfCLaOrw","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"o365","openTelemetryServiceVersion":"25.1.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/customComponent/CustomComponent/CustomComponent.tsx","./components/blogs/BlogArticleWidget/BlogArticleWidget.tsx","./components/external/components/ExternalComponent.tsx","./components/messages/MessageView/MessageViewStandard/MessageViewStandard.tsx","./components/messages/ThreadedReplyList/ThreadedReplyList.tsx","../shared/client/components/common/List/UnwrappedList/UnwrappedList.tsx","./components/tags/TagView/TagView.tsx","./components/tags/TagView/TagViewChip/TagViewChip.tsx"],"appGip":true,"scriptLoader":[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1730819800000/analytics.js?page.id=BlogMessagePage&entity.id=board%3Amicrosoftsentinelblog&entity.id=message%3A1875913","strategy":"afterInteractive"}]}