TI map IP entity to DNS Events ASIM DNS schema

Back


Id	67775878-7f8b-4380-ac54-115e1e828901
Rulename	TI map IP entity to DNS Events (ASIM DNS schema)
Description	This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema.
Severity	Medium
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS MicrosoftDefenderThreatIntelligence NXLogDnsLogs ThreatIntelligence ThreatIntelligenceTaxii Zscaler
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
Version	1.2.4
Arm template	67775878-7f8b-4380-ac54-115e1e828901.json

KQL

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let IP_TI = 
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP")
| where IoC != "NO_IP"
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now();
IP_TI
| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
(
_Im_Dns(starttime=ago(dt_lookBack))
| where isnotempty(DnsResponseName)
| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor
| extend addresses = extract_all (@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)
| mv-expand IoC = addresses to typeof(string)
)
on IoC
| where imDns_mintime < ExpirationDateTime
| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName

YAML

triggerOperator: gt
tags:
- version: 1.0.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
- SchemaVersion: 0.1.1
  Schema: ASIMDns
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
relevantTechniques:
- T1071
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Dvc
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IoC
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let IP_TI = 
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  | extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP")
  | where IoC != "NO_IP"
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now();
  IP_TI
  | join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  (
  _Im_Dns(starttime=ago(dt_lookBack))
  | where isnotempty(DnsResponseName)
  | summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor
  | extend addresses = extract_all (@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)
  | mv-expand IoC = addresses to typeof(string)
  )
  on IoC
  | where imDns_mintime < ExpirationDateTime
  | project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName  
triggerThreshold: 0
customDetails:
  ExpirationDateTime: ExpirationDateTime
  DNSRequestTime: imDns_mintime
  IndicatorId: IndicatorId
  DnsQuery: DnsQuery
  ThreatType: ThreatType
  SourceIPAddress: SrcIpAddr
  Description: Description
  ActivityGroupNames: ActivityGroupNames
  ConfidenceScore: ConfidenceScore
  LatestIndicatorTime: LatestIndicatorTime
alertDetailsOverride:
  alertDisplayNameFormat: The response {{IoC}} to DNS query matched an IoC
  alertDescriptionFormat: The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml
queryPeriod: 14d
tactics:
- CommandAndControl
name: TI map IP entity to DNS Events (ASIM DNS schema)
kind: Scheduled
description: |
    'This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.'
id: 67775878-7f8b-4380-ac54-115e1e828901
version: 1.2.4
queryFrequency: 1h
severity: Medium

ARM