Lumen TI domain in DnsEvents

Back


Id	29bf5bcd-6795-4c79-a91f-aaef5a618bab
Rulename	Lumen TI domain in DnsEvents
Description	This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	DNS LumenThreatFeedConnector ThreatIntelligenceUploadIndicatorsAPI
Kind	Scheduled
Query frequency	4h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
Version	1.0.0
Arm template	29bf5bcd-6795-4c79-a91f-aaef5a618bab.json

KQL

let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
  | extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
    DnsEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend DNS_domainEntity = Name
    | extend DnsEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type

YAML

id: 29bf5bcd-6795-4c79-a91f-aaef5a618bab
queryFrequency: 4h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
tactics:
- CommandAndControl
name: Lumen TI domain in DnsEvents
triggerThreshold: 0
relevantTechniques:
- T1071
kind: Scheduled
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: DNS
  dataTypes:
  - DnsEvents
queryPeriod: 14d
triggerOperator: gt
query: |
  let dt_lookBack = 1d; // Data lookback for DnsEvents
  let ioc_lookBack = 14d; // TI lookback
  // Latest, active, non-expired Lumen domain indicators
  let Domain_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
    | extend TI_domainEntity = tostring(ObservableValue);
  Domain_Indicators
  | join kind=innerunique (
      DnsEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend DNS_domainEntity = Name
      | extend DnsEvents_TimeGenerated = TimeGenerated
    ) on $left.TI_domainEntity == $right.DNS_domainEntity
  | where DnsEvents_TimeGenerated < ValidUntil
  | summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
  | project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type  
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: DNS_domainEntity
  entityType: DNS
version: 1.0.0
description: |
    This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
severity: Medium
suppressionEnabled: true
displayName: Lumen TI domain in DnsEvents

ARM