Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
| Id | 568730be-b39d-45e3-a392-941e00837d52 |
| Rulename | Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains |
| Description | InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called **InfobloxCDC**. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1498 T1565 |
| Required data connectors | CefAma ThreatIntelligence |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml |
| Version | 1.0.4 |
| Arm template | 568730be-b39d-45e3-a392-941e00837d52.json |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains"
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested,
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
status: Available
triggerOperator: gt
triggerThreshold: 0
name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
queryPeriod: 14d
severity: Medium
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: HostName
- columnName: InfobloxB1SrcOSVersion
identifier: OSVersion
- columnName: SourceUserName
identifier: FullName
- entityType: DNS
fieldMappings:
- columnName: DestinationDnsDomain
identifier: DomainName
- entityType: Malware
fieldMappings:
- columnName: ThreatProperty
identifier: Name
- columnName: ThreatClass
identifier: Category
queryFrequency: 1h
relevantTechniques:
- T1498
- T1565
requiredDataConnectors:
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligence
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
kind: Scheduled
customDetails:
InfobloxB1PolicyName: InfobloxB1PolicyName
InfobloxB1FeedName: InfobloxB1FeedName
InfobloxB1Action: InfobloxB1PolicyAction
InfobloxB1Network: InfobloxB1Network
SourceMACAddress: SourceMACAddress
incidentConfiguration:
createIncident: true
description: |
'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
tactics:
- Impact
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains"
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested,
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
id: 568730be-b39d-45e3-a392-941e00837d52
version: 1.0.4
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/568730be-b39d-45e3-a392-941e00837d52')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/568730be-b39d-45e3-a392-941e00837d52')]",
"properties": {
"alertRuleTemplateName": "568730be-b39d-45e3-a392-941e00837d52",
"customDetails": {
"InfobloxB1Action": "InfobloxB1PolicyAction",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
"SourceMACAddress": "SourceMACAddress"
},
"description": "'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'\n",
"displayName": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatProperty",
"identifier": "Name"
},
{
"columnName": "ThreatClass",
"identifier": "Category"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml",
"query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now() \n| where Description == \"Infoblox - HOST - Policy\"\n| where Tags has_cs \"Property: Policy_LookalikeDomains\" \n| where isnotempty(DomainName)\n;\nlet Data = InfobloxCDC\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n| where isnotempty(DestinationDnsDomain)\n//Remove trailing period at end of domain\n| extend DestinationDnsDomain = trim_end(@\"\\.$\", DestinationDnsDomain)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498",
"T1565"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}