Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lumen TI domain in DnsEvents

Lumen TI domain in DnsEvents

Back
Id29bf5bcd-6795-4c79-a91f-aaef5a618bab
RulenameLumen TI domain in DnsEvents
DescriptionThis query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsDNS
LumenThreatFeedConnector
ThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency4h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
Version1.0.0
Arm template29bf5bcd-6795-4c79-a91f-aaef5a618bab.json
Deploy To Azure
let dt_lookBack = 1d; // Data lookback for DnsEvents
let ioc_lookBack = 14d; // TI lookback
// Latest, active, non-expired Lumen domain indicators
let Domain_Indicators = ThreatIntelIndicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | where IsActive == true and ValidUntil > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where SourceSystem == 'Lumen'
  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
  | extend TI_domainEntity = tostring(ObservableValue);
Domain_Indicators
| join kind=innerunique (
    DnsEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | extend DNS_domainEntity = Name
    | extend DnsEvents_TimeGenerated = TimeGenerated
  ) on $left.TI_domainEntity == $right.DNS_domainEntity
| where DnsEvents_TimeGenerated < ValidUntil
| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type

queryFrequency: 4h
description: |
    This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.
queryPeriod: 14d
name: Lumen TI domain in DnsEvents
severity: Medium
tactics:
- CommandAndControl
query: |
  let dt_lookBack = 1d; // Data lookback for DnsEvents
  let ioc_lookBack = 14d; // TI lookback
  // Latest, active, non-expired Lumen domain indicators
  let Domain_Indicators = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where IsActive == true and ValidUntil > now()
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
    | where SourceSystem == 'Lumen'
    | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'
    | extend TI_domainEntity = tostring(ObservableValue);
  Domain_Indicators
  | join kind=innerunique (
      DnsEvents
      | where TimeGenerated >= ago(dt_lookBack)
      | extend DNS_domainEntity = Name
      | extend DnsEvents_TimeGenerated = TimeGenerated
    ) on $left.TI_domainEntity == $right.DNS_domainEntity
  | where DnsEvents_TimeGenerated < ValidUntil
  | summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity
  | project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type  
id: 29bf5bcd-6795-4c79-a91f-aaef5a618bab
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DNS_domainEntity
suppressionDuration: 5h
triggerThreshold: 0
requiredDataConnectors:
- connectorId: LumenThreatFeedConnector
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: DNS
  dataTypes:
  - DnsEvents
version: 1.0.0
suppressionEnabled: true
triggerOperator: gt
displayName: Lumen TI domain in DnsEvents
kind: Scheduled
relevantTechniques:
- T1071

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29bf5bcd-6795-4c79-a91f-aaef5a618bab')]",
      "properties": {
        "alertRuleTemplateName": "29bf5bcd-6795-4c79-a91f-aaef5a618bab",
        "customDetails": null,
        "description": "This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.\n",
        "displayName": "Lumen TI domain in DnsEvents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DNS_domainEntity",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen Defender Threat Feed/Analytic Rules/Lumen_DomainEntity_DNS.yaml",
        "query": "let dt_lookBack = 1d; // Data lookback for DnsEvents\nlet ioc_lookBack = 14d; // TI lookback\n// Latest, active, non-expired Lumen domain indicators\nlet Domain_Indicators = ThreatIntelIndicators\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | where IsActive == true and ValidUntil > now()\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id\n  | where SourceSystem == 'Lumen'\n  | where ObservableKey == 'domain-name:value' or ObservableValue contains '.'\n  | extend TI_domainEntity = tostring(ObservableValue);\nDomain_Indicators\n| join kind=innerunique (\n    DnsEvents\n    | where TimeGenerated >= ago(dt_lookBack)\n    | extend DNS_domainEntity = Name\n    | extend DnsEvents_TimeGenerated = TimeGenerated\n  ) on $left.TI_domainEntity == $right.DNS_domainEntity\n| where DnsEvents_TimeGenerated < ValidUntil\n| summarize arg_max(DnsEvents_TimeGenerated, *), StartTime = min(DnsEvents_TimeGenerated), EndTime = max(DnsEvents_TimeGenerated) by Id, DNS_domainEntity\n| project timestamp = EndTime, StartTime, EndTime, Name, QueryType, Computer, Id, Tags, ValidUntil, Confidence, TI_domainEntity, DNS_domainEntity, Type\n",
        "queryFrequency": "PT4H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": true,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}