Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Back
Id568730be-b39d-45e3-a392-941e00837d52
RulenameInfoblox - TI - InfobloxCDC Match Found - Lookalike Domains
DescriptionInfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called **InfobloxCDC**.
SeverityMedium
TacticsImpact
TechniquesT1498
T1565
Required data connectorsCefAma
ThreatIntelligence
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
Version1.0.4
Arm template568730be-b39d-45e3-a392-941e00837d52.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains" 
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags

id: 568730be-b39d-45e3-a392-941e00837d52
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
description: |
    'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description == "Infoblox - HOST - Policy"
  | where Tags has_cs "Property: Policy_LookalikeDomains" 
  | where isnotempty(DomainName)
  ;
  let Data = InfobloxCDC
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  | where isnotempty(DestinationDnsDomain)
  //Remove trailing period at end of domain
  | extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
incidentConfiguration:
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1498
- T1565
triggerThreshold: 0
severity: Medium
name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
status: Available
version: 1.0.4
queryPeriod: 14d
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: HostName
  - columnName: InfobloxB1SrcOSVersion
    identifier: OSVersion
  - columnName: SourceUserName
    identifier: FullName
- entityType: DNS
  fieldMappings:
  - columnName: DestinationDnsDomain
    identifier: DomainName
- entityType: Malware
  fieldMappings:
  - columnName: ThreatProperty
    identifier: Name
  - columnName: ThreatClass
    identifier: Category
triggerOperator: gt
queryFrequency: 1h
customDetails:
  SourceMACAddress: SourceMACAddress
  InfobloxB1Action: InfobloxB1PolicyAction
  InfobloxB1Network: InfobloxB1Network
  InfobloxB1FeedName: InfobloxB1FeedName
  InfobloxB1PolicyName: InfobloxB1PolicyName
tactics:
- Impact
kind: Scheduled