Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
| Id | 568730be-b39d-45e3-a392-941e00837d52 |
| Rulename | Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains |
| Description | InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called **InfobloxCDC**. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1498 T1565 |
| Required data connectors | CefAma InfobloxCloudDataConnector InfobloxCloudDataConnectorAma ThreatIntelligence |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml |
| Version | 1.0.3 |
| Arm template | 568730be-b39d-45e3-a392-941e00837d52.json |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains"
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested,
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: HostName
- columnName: InfobloxB1SrcOSVersion
identifier: OSVersion
- columnName: SourceUserName
identifier: FullName
- entityType: DNS
fieldMappings:
- columnName: DestinationDnsDomain
identifier: DomainName
- entityType: Malware
fieldMappings:
- columnName: ThreatProperty
identifier: Name
- columnName: ThreatClass
identifier: Category
tactics:
- Impact
triggerOperator: gt
description: |
'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
requiredDataConnectors:
- connectorId: InfobloxCloudDataConnector
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
relevantTechniques:
- T1498
- T1565
version: 1.0.3
id: 568730be-b39d-45e3-a392-941e00837d52
customDetails:
InfobloxB1FeedName: InfobloxB1FeedName
InfobloxB1PolicyName: InfobloxB1PolicyName
SourceMACAddress: SourceMACAddress
InfobloxB1Network: InfobloxB1Network
InfobloxB1Action: InfobloxB1PolicyAction
kind: Scheduled
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains"
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested,
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
incidentConfiguration:
createIncident: true
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 1h
severity: Medium
name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
queryPeriod: 14d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/568730be-b39d-45e3-a392-941e00837d52')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/568730be-b39d-45e3-a392-941e00837d52')]",
"properties": {
"alertRuleTemplateName": "568730be-b39d-45e3-a392-941e00837d52",
"customDetails": {
"InfobloxB1Action": "InfobloxB1PolicyAction",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
"SourceMACAddress": "SourceMACAddress"
},
"description": "'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'\n",
"displayName": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatProperty",
"identifier": "Name"
},
{
"columnName": "ThreatClass",
"identifier": "Category"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml",
"query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now() \n| where Description == \"Infoblox - HOST - Policy\"\n| where Tags has_cs \"Property: Policy_LookalikeDomains\" \n| where isnotempty(DomainName)\n;\nlet Data = InfobloxCDC\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n| where isnotempty(DestinationDnsDomain)\n//Remove trailing period at end of domain\n| extend DestinationDnsDomain = trim_end(@\"\\.$\", DestinationDnsDomain)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498",
"T1565"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}