Lumen TI domain in DnsEvents
| Id | 29bf5bcd-6795-4c79-a91f-aaef5a618bab |
| Rulename | Lumen TI domain in DnsEvents |
| Description | This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | DNS LumenThreatFeedConnector ThreatIntelligenceUploadIndicatorsAPI |
| Kind | Scheduled |
| Query frequency | 4h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml |
| Version | 1.0.0 |
| Arm template | 29bf5bcd-6795-4c79-a91f-aaef5a618bab.json |
let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
| extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| extend DNS_domainEntity = Name
| extend DnsEvents_TimeGenerated = TimeGenerated
) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type
triggerThreshold: 0
entityMappings:
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: DNS_domainEntity
requiredDataConnectors:
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: LumenThreatFeedConnector
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
- DnsEvents
connectorId: DNS
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
version: 1.0.0
name: Lumen TI domain in DnsEvents
relevantTechniques:
- T1071
queryPeriod: 14d
suppressionEnabled: true
severity: Medium
kind: Scheduled
displayName: Lumen TI domain in DnsEvents
id: 29bf5bcd-6795-4c79-a91f-aaef5a618bab
query: |
let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
| where TimeGenerated >= ago(ioc_lookBack)
| where IsActive == true and ValidUntil > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where SourceSystem == 'Lumen'
| where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
| extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| extend DNS_domainEntity = Name
| extend DnsEvents_TimeGenerated = TimeGenerated
) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type
description: |
This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
queryFrequency: 4h
suppressionDuration: 5h
triggerOperator: gt
tactics:
- CommandAndControl