Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI domain in DnsEvents

Lumen TI domain in DnsEvents

Back
Id29bf5bcd-6795-4c79-a91f-aaef5a618bab
RulenameLumen TI domain in DnsEvents
DescriptionThis query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsDNS
LumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
Version1.0.0
Arm template29bf5bcd-6795-4c79-a91f-aaef5a618bab.json
Deploy To Azure
let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
  | extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
    DnsEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend DNS_domainEntity = Name
    | extend DnsEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type

kind: Scheduled
suppressionDuration: 5h
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: DNS_domainEntity
    identifier: DomainName
description: |
    This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
severity: Medium
queryFrequency: 4h
triggerThreshold: 0
relevantTechniques:
- T1071
suppressionEnabled: true
displayName: Lumen TI domain in DnsEvents
tactics:
- CommandAndControl
name: Lumen TI domain in DnsEvents
id: 29bf5bcd-6795-4c79-a91f-aaef5a618bab
query: |
  let dt_lookBack = 1d; // Data lookback for DnsEvents
  let ioc_lookBack = 14d; // TI lookback
  // Latest, active, non-expired Lumen domain indicators
  let Domain_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
    | extend TI_domainEntity = tostring(ObservableValue);
  Domain_Indicators
  | join kind=innerunique (
      DnsEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend DNS_domainEntity = Name
      | extend DnsEvents_TimeGenerated = TimeGenerated
    ) on $left.TI_domainEntity == $right.DNS_domainEntity
  | where DnsEvents_TimeGenerated < ValidUntil
  | summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
  | project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type  
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - DnsEvents
  connectorId: DNS
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
queryPeriod: 14d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "properties": {
        "alertRuleTemplateName": "29bf5bcd-6795-4c79-a91f-aaef5a618bab",
        "customDetails": null,
        "description": "This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.\n",
        "displayName": "Lumen TI domain in DnsEvents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DNS_domainEntity",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml",
        "query": "let dt_lookBack = 1d; // Data lookback for DnsEvents\nlet ioc_lookBack = 14d; // TI lookback\n// Latest, active, non-expired Lumen domain indicators\nlet Domain_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'\n  | extend TI_domainEntity = tostring(ObservableValue);\nDomain_Indicators\n| join kind=innerunique (\n    DnsEvents\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend DNS_domainEntity = Name\n    | extend DnsEvents_TimeGenerated = TimeGenerated\n  ) on $left.TI_domainEntity == $right.DNS_domainEntity\n| where DnsEvents_TimeGenerated < ValidUntil\n| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity\n| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}