Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

TI map Domain entity to Dns Events ASIM DNS Schema

Back
Id7c1ea2e6-6210-412c-92e4-180803a741b4
RulenameTI map Domain entity to Dns Events (ASIM DNS Schema)
DescriptionIdentifies a match in DNS events from any Domain IOC from TI

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureFirewall
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftDefenderThreatIntelligence
NXLogDnsLogs
ThreatIntelligence
ThreatIntelligenceTaxii
Zscaler
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
Version1.2.2
Arm template7c1ea2e6-6210-412c-92e4-180803a741b4.json
Deploy To Azure
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DomainTIs= ThreatIntelIndicators
  // Picking up only IOC's that contain the entities we want
  //extract key part of kv pair
  | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
  | extend IndicatorId = tostring(split(Id, "--")[2])
  | where IndicatorType == "domain-name"
  | extend DomainName = ObservableValue
  | extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
  
  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  | extend ThreatList = tostring(parse_json(Data).indicator_types[0])
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
let Domains = DomainTIs  |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) 
  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);
DomainTIs
| project-reorder *, ThreatList, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
  | join (
      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
      | extend DNS_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.DnsQuery
| where DNS_TimeGenerated < ValidUntil
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType, Url
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
id: 7c1ea2e6-6210-412c-92e4-180803a741b4
query: "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelIndicators\n  // Picking up only IOC's that contain the entities we want\n  //extract key part of kv pair\n  | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n  | extend IndicatorId = tostring(split(Id, \"--\")[2])\n  | where IndicatorType == \"domain-name\"\n  | extend DomainName = ObservableValue\n  | extend Url = iff(ObservableKey == \"url:value\", ObservableValue, \"\")\n  \n  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n  | extend ThreatList = tostring(parse_json(Data).indicator_types[0])\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue\n  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));\nlet Domains = DomainTIs  |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);\nDomainTIs\n| project-reorder *, ThreatList, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type\n  | join (\n      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ValidUntil\n| extend Description = tostring(parse_json(Data).description)\n| extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType, Url\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n"
kind: Scheduled
relevantTechniques:
- T1071
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Dvc
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
queryPeriod: 14d
queryFrequency: 1h
description: |
  Identifies a match in DNS events from any Domain IOC from TI
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
name: TI map Domain entity to Dns Events (ASIM DNS Schema)
triggerThreshold: 0
tactics:
- CommandAndControl
version: 1.2.2
tags:
- Id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
  version: 1.0.0
- SchemaVersion: 0.1.1
  Schema: ASIMDns
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
severity: Medium
triggerOperator: gt
customDetails:
  DNSRequestTime: DNS_TimeGenerated
  SourceIPAddress: SrcIpAddr
  QueryType: DnsQueryType
  ActivityGroupNames: ActivityGroupNames
  ConfidenceScore: Confidence
  DnsQuery: DnsQuery
  Description: Description
  ExpirationDateTime: ValidUntil
  IndicatorId: IndicatorId
  LatestIndicatorTime: LatestIndicatorTime
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c1ea2e6-6210-412c-92e4-180803a741b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c1ea2e6-6210-412c-92e4-180803a741b4')]",
      "properties": {
        "alertRuleTemplateName": "7c1ea2e6-6210-412c-92e4-180803a741b4",
        "customDetails": {
          "ActivityGroupNames": "ActivityGroupNames",
          "ConfidenceScore": "Confidence",
          "Description": "Description",
          "DnsQuery": "DnsQuery",
          "DNSRequestTime": "DNS_TimeGenerated",
          "ExpirationDateTime": "ValidUntil",
          "IndicatorId": "IndicatorId",
          "LatestIndicatorTime": "LatestIndicatorTime",
          "QueryType": "DnsQueryType",
          "SourceIPAddress": "SrcIpAddr"
        },
        "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Dvc",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml",
        "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelIndicators\n  // Picking up only IOC's that contain the entities we want\n  //extract key part of kv pair\n  | extend IndicatorType = replace(@\"\\[|\\]|\\\"\"\", \"\", tostring(split(ObservableKey, \":\", 0)))\n  | extend IndicatorId = tostring(split(Id, \"--\")[2])\n  | where IndicatorType == \"domain-name\"\n  | extend DomainName = ObservableValue\n  | extend Url = iff(ObservableKey == \"url:value\", ObservableValue, \"\")\n  \n  | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)\n  | extend ThreatList = tostring(parse_json(Data).indicator_types[0])\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue\n  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));\nlet Domains = DomainTIs  |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);\nDomainTIs\n| project-reorder *, ThreatList, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type\n  | join (\n      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ValidUntil\n| extend Description = tostring(parse_json(Data).description)\n| extend ActivityGroupNames = extract(@\"ActivityGroup:(\\S+)\", 1, tostring(parse_json(Data).labels))\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType, Url\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Id": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.2.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}