The ThreatFox: Tsunami IOCs rule detects potential adversary activity linked to the Tsunami threat group, leveraging known malicious indicators to identify compromised environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to mitigate advanced persistent threats and prevent lateral movement within their network.
IOC Summary
Malware Family: Tsunami
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 87[.]249[.]134[.]3:22 | payload_delivery | 2026-06-21 | 80% |
| ip:port | 194[.]238[.]26[.]34:8880 | botnet_cc | 2026-06-21 | 80% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Tsunami
let malicious_ips = dynamic(["194.238.26.34", "87.249.134.3"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["194.238.26.34", "87.249.134.3"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
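As an added example that is not part of the ThreatFox rule above, the following Python refangs the defanged ip:port IOCs from the summary table and emits a port-aware variant of the DeviceNetworkEvents hunt, so a connection to one of these hosts on an unrelated port does not fire the rule. The parsing helpers and the datatable join are this example's own construction and assume nothing beyond standard KQL syntax and the table's two entries.

```python
import re
from typing import Iterable, NamedTuple

# Constructed sample input: the two defanged ip:port IOCs from the table above.
DEFANGED_IOCS = ["87[.]249[.]134[.]3:22", "194[.]238[.]26[.]34:8880"]

class IpPortIoc(NamedTuple):
    ip: str
    port: int

IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def refang(value: str) -> str:
    """Undo the bracket defanging used in the IOC table ('87[.]249...' -> '87.249...')."""
    return value.replace("[.]", ".").replace("(.)", ".")

def parse_ip_port(value: str) -> IpPortIoc:
    """Parse one defanged 'ip:port' IOC, rejecting malformed or out-of-range values
    so a bad feed entry cannot silently turn into a query that matches nothing."""
    m = IP_PORT_RE.match(refang(value.strip()))
    if not m:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"ip or port out of range: {value!r}")
    return IpPortIoc(ip, port)

def build_kql(iocs: Iterable[IpPortIoc]) -> str:
    """Emit a DeviceNetworkEvents hunt that joins on IP *and* port (hypothetical
    'ioc_pairs' datatable name), unlike the IP-only 'in' filter above."""
    rows = ",\n".join(f'    "{i.ip}", {i.port}' for i in iocs)
    return (
        "let ioc_pairs = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n"
        "];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner (ioc_pairs) on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )

if __name__ == "__main__":
    print(build_kql(parse_ip_port(v) for v in DEFANGED_IOCS))
```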
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: System backup process using Veeam Backup & Replication
  Filter/Exclusion: Exclude processes initiated by the veeam user or those with paths containing C:\Program Files\Veeam\ or /opt/veeam/
- Scenario: Scheduled system maintenance using Windows Task Scheduler to run PowerShell scripts for log cleanup
  Filter/Exclusion: Exclude processes with powershell.exe launched by the Task Scheduler service or with command lines containing Cleanup-Log or Get-EventLog
- Scenario: Regularly scheduled Ansible playbook execution for configuration management
  Filter/Exclusion: Exclude processes with ansible-playbook executed by a known admin user (e.g., admin) or with playbooks located in /etc/ansible/playbooks/
- Scenario: Automated Logstash job for data ingestion and processing
  Filter/Exclusion: Exclude processes with logstash running under the logstash user or with configurations in /etc/logstash/conf.d/
- Scenario: Docker container lifecycle management using the docker CLI for image pulls and container restarts
  Filter/Exclusion: Exclude processes with docker commands executed by the root user or with image names containing library/ or official tags