Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI domain in DnsEvents

Lumen TI domain in DnsEvents

Back
Id29bf5bcd-6795-4c79-a91f-aaef5a618bab
RulenameLumen TI domain in DnsEvents
DescriptionThis query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsDNS
LumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
Version1.0.0
Arm template29bf5bcd-6795-4c79-a91f-aaef5a618bab.json
Deploy To Azure
let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
  | extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
    DnsEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend DNS_domainEntity = Name
    | extend DnsEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type

requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: LumenThreatFeedConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceUploadIndicatorsAPI
- dataTypes:
  - DnsEvents
  connectorId: DNS
severity: Medium
kind: Scheduled
name: Lumen TI domain in DnsEvents
id: 29bf5bcd-6795-4c79-a91f-aaef5a618bab
query: |
  let dt_lookBack = 1d; // Data lookback for DnsEvents
  let ioc_lookBack = 14d; // TI lookback
  // Latest, active, non-expired Lumen domain indicators
  let Domain_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
    | extend TI_domainEntity = tostring(ObservableValue);
  Domain_Indicators
  | join kind=innerunique (
      DnsEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend DNS_domainEntity = Name
      | extend DnsEvents_TimeGenerated = TimeGenerated
    ) on $left.TI_domainEntity == $right.DNS_domainEntity
  | where DnsEvents_TimeGenerated < ValidUntil
  | summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
  | project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type  
queryPeriod: 14d
displayName: Lumen TI domain in DnsEvents
relevantTechniques:
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
description: |
    This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
version: 1.0.0
suppressionEnabled: true
entityMappings:
- fieldMappings:
  - columnName: DNS_domainEntity
    identifier: DomainName
  entityType: DNS
queryFrequency: 4h
triggerOperator: gt
tactics:
- CommandAndControl
triggerThreshold: 0
suppressionDuration: 5h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "properties": {
        "alertRuleTemplateName": "29bf5bcd-6795-4c79-a91f-aaef5a618bab",
        "customDetails": null,
        "description": "This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.\n",
        "displayName": "Lumen TI domain in DnsEvents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DNS_domainEntity",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml",
        "query": "let dt_lookBack = 1d; // Data lookback for DnsEvents\nlet ioc_lookBack = 14d; // TI lookback\n// Latest, active, non-expired Lumen domain indicators\nlet Domain_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'\n  | extend TI_domainEntity = tostring(ObservableValue);\nDomain_Indicators\n| join kind=innerunique (\n    DnsEvents\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend DNS_domainEntity = Name\n    | extend DnsEvents_TimeGenerated = TimeGenerated\n  ) on $left.TI_domainEntity == $right.DNS_domainEntity\n| where DnsEvents_TimeGenerated < ValidUntil\n| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity\n| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}