Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Back
Id568730be-b39d-45e3-a392-941e00837d52
RulenameInfoblox - TI - InfobloxCDC Match Found - Lookalike Domains
DescriptionInfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called **InfobloxCDC**.
SeverityMedium
TacticsImpact
TechniquesT1498
T1565
Required data connectorsInfobloxCloudDataConnector
InfobloxCloudDataConnectorAma
ThreatIntelligence
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
Version1.0.2
Arm template568730be-b39d-45e3-a392-941e00837d52.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let TI = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()  
| where Description == "Infoblox - HOST - Policy"
| where Tags has_cs "Property: Policy_LookalikeDomains" 
| where isnotempty(DomainName)
;
let Data = InfobloxCDC
| extend HitTime = TimeGenerated
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(DestinationDnsDomain)
//Remove trailing period at end of domain
| extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
;
TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, 
AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
version: 1.0.2
name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
triggerOperator: gt
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
relevantTechniques:
- T1498
- T1565
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let TI = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()  
  | where Description == "Infoblox - HOST - Policy"
  | where Tags has_cs "Property: Policy_LookalikeDomains" 
  | where isnotempty(DomainName)
  ;
  let Data = InfobloxCDC
  | extend HitTime = TimeGenerated
  | where TimeGenerated >= ago(dt_lookBack)
  | where isnotempty(DestinationDnsDomain)
  //Remove trailing period at end of domain
  | extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
  ;
  TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
  | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
  | project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, 
  AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags  
incidentConfiguration:
  createIncident: true
kind: Scheduled
description: |
    'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
triggerThreshold: 0
id: 568730be-b39d-45e3-a392-941e00837d52
customDetails:
  InfobloxB1PolicyName: InfobloxB1PolicyName
  InfobloxB1Network: InfobloxB1Network
  InfobloxB1FeedName: InfobloxB1FeedName
  InfobloxB1Action: InfobloxB1PolicyAction
  SourceMACAddress: SourceMACAddress
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: DeviceName
  - identifier: OSVersion
    columnName: InfobloxB1SrcOSVersion
  - identifier: FullName
    columnName: SourceUserName
  entityType: Host
- fieldMappings:
  - identifier: DomainName
    columnName: DestinationDnsDomain
  entityType: DNS
- fieldMappings:
  - identifier: Name
    columnName: ThreatProperty
  - identifier: Category
    columnName: ThreatClass
  entityType: Malware
queryFrequency: 1h
queryPeriod: 14d
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog (InfobloxCDC)
  connectorId: InfobloxCloudDataConnector
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - CommonSecurityLog (InfobloxCDC)
  connectorId: InfobloxCloudDataConnectorAma
tactics:
- Impact
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/568730be-b39d-45e3-a392-941e00837d52')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/568730be-b39d-45e3-a392-941e00837d52')]",
      "properties": {
        "alertRuleTemplateName": "568730be-b39d-45e3-a392-941e00837d52",
        "customDetails": {
          "InfobloxB1Action": "InfobloxB1PolicyAction",
          "InfobloxB1FeedName": "InfobloxB1FeedName",
          "InfobloxB1Network": "InfobloxB1Network",
          "InfobloxB1PolicyName": "InfobloxB1PolicyName",
          "SourceMACAddress": "SourceMACAddress"
        },
        "description": "'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'\n",
        "displayName": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              },
              {
                "columnName": "InfobloxB1SrcOSVersion",
                "identifier": "OSVersion"
              },
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DestinationDnsDomain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "ThreatProperty",
                "identifier": "Name"
              },
              {
                "columnName": "ThreatClass",
                "identifier": "Category"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()  \n| where Description == \"Infoblox - HOST - Policy\"\n| where Tags has_cs \"Property: Policy_LookalikeDomains\" \n| where isnotempty(DomainName)\n;\nlet Data = InfobloxCDC\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n| where isnotempty(DestinationDnsDomain)\n//Remove trailing period at end of domain\n| extend DestinationDnsDomain = trim_end(@\"\\.$\", DestinationDnsDomain)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498",
          "T1565"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}