
Detect DNS requests to known Domain IOCs (ASIM DNS Solution)

Id8e4a010a-972c-4124-8c27-1efcd7e3125a
RulenameDetect DNS requests to known Domain IOCs (ASIM DNS Solution)
DescriptionThis rule identifies DNS requests to known domain IOCs in the DNS query logs. It evaluates DNS logs against 100+ known IOCs from the available Watchlist, which helps detect an attempt to communicate with known compromised domains. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
SeverityMedium
TacticsImpact
CommandAndControl
Exfiltration
PrivilegeEscalation
InitialAccess
CredentialAccess
TechniquesT1496
T1048
T1568
T1095
T1567
T1068
T1566
T1187
T1195
Required data connectorsAIVectraStream
ASimDnsActivityLogs
AzureFirewall
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
ISCBind
NXLogDnsLogs
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/DNSRequestToKnownDomainIOCs.yaml
Version1.0.0
Arm template8e4a010a-972c-4124-8c27-1efcd7e3125a.json
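// Window scanned on each run. Must stay aligned with the rule's queryPeriod (1h);
// widening one without the other either misses events or re-alerts on old ones.
let lookback = 1h;
// Enabled detection IOCs from the watchlist. Type/Enabled use case-insensitive
// comparison so rows entered as "detection"/"true" are not silently dropped, and
// blank domains are excluded so they can never reach the pre-filter or the match below.
let DNS_IOCs = materialize(_GetWatchlist('DNS_Solution_Domain_IOCs')
  | where wl_Type =~ 'Detection' and wl_Enabled =~ 'TRUE'
  | where isnotempty(wl_DNSDomain)
  | project
      wl_DNSDomain,
      wl_Name,
      wl_Description,
      wl_Type,
      wl_ThresholdType,  // carried through; not evaluated by this rule
      wl_Threshold,      // carried through; not evaluated by this rule
      wl_Severity,
      wl_Tactic,
      wl_Enabled);
// One dynamic array of IOC domains, handed to the ASIM parser as a pre-filter so
// only events whose query contains one of them are returned.
let Dynamic_DomainList = toscalar(DNS_IOCs | summarize make_set(wl_DNSDomain));
_Im_Dns(starttime=ago(lookback), domain_has_any=Dynamic_DomainList)
// Pair every returned event with every IOC row via an explicit constant key, then
// keep only the pairs that match. kind=inner is required: the default innerunique
// keeps a single left row per key and would drop almost every event.
| extend _ioc_key = 1
| join kind=inner (DNS_IOCs | extend _ioc_key = 1) on _ioc_key
// `has` is a whole-term match: an IOC of bad.example matches sub.bad.example but
// also bad.example.other.tld. Use `DnsQuery =~ wl_DNSDomain or DnsQuery endswith
// strcat('.', wl_DNSDomain)` if only the IOC domain and its subdomains should alert.
| where DnsQuery has wl_DNSDomain
| project
  SrcIpAddr,
  DnsQuery,
  EventResultDetails,
  Name=wl_Name,
  Description=wl_Description,
  TimeGenerated,
  Tactic=wl_Tactic,      // intended for alertTacticsColumnName in the rule definition
  Severity=wl_Severity   // intended for alertSeverityColumnName in the rule definition
// One row per client/query/IOC; AlertPerResult in the rule turns each row into an alert.
| summarize Count=count(), EventStartTime=min(TimeGenerated), EventEndTime=max(TimeGenerated) by SrcIpAddr, DnsQuery, EventResultDetails, Name, Description, Tactic, Severity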
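query: |
  // Window scanned on each run. Must stay aligned with the rule's queryPeriod (1h);
  // widening one without the other either misses events or re-alerts on old ones.
  let lookback = 1h;
  // Enabled detection IOCs from the watchlist. Type/Enabled use case-insensitive
  // comparison so rows entered as "detection"/"true" are not silently dropped, and
  // blank domains are excluded so they can never reach the pre-filter or the match below.
  let DNS_IOCs = materialize(_GetWatchlist('DNS_Solution_Domain_IOCs')
    | where wl_Type =~ 'Detection' and wl_Enabled =~ 'TRUE'
    | where isnotempty(wl_DNSDomain)
    | project
        wl_DNSDomain,
        wl_Name,
        wl_Description,
        wl_Type,
        wl_ThresholdType,  // carried through; not evaluated by this rule
        wl_Threshold,      // carried through; not evaluated by this rule
        wl_Severity,
        wl_Tactic,
        wl_Enabled);
  // One dynamic array of IOC domains, handed to the ASIM parser as a pre-filter so
  // only events whose query contains one of them are returned.
  let Dynamic_DomainList = toscalar(DNS_IOCs | summarize make_set(wl_DNSDomain));
  _Im_Dns(starttime=ago(lookback), domain_has_any=Dynamic_DomainList)
  // Pair every returned event with every IOC row via an explicit constant key, then
  // keep only the pairs that match. kind=inner is required: the default innerunique
  // keeps a single left row per key and would drop almost every event.
  | extend _ioc_key = 1
  | join kind=inner (DNS_IOCs | extend _ioc_key = 1) on _ioc_key
  // `has` is a whole-term match: an IOC of bad.example matches sub.bad.example but
  // also bad.example.other.tld. Use `DnsQuery =~ wl_DNSDomain or DnsQuery endswith
  // strcat('.', wl_DNSDomain)` if only the IOC domain and its subdomains should alert.
  | where DnsQuery has wl_DNSDomain
  | project
    SrcIpAddr,
    DnsQuery,
    EventResultDetails,
    Name=wl_Name,
    Description=wl_Description,
    TimeGenerated,
    Tactic=wl_Tactic,      // intended for alertTacticsColumnName in the rule definition
    Severity=wl_Severity   // intended for alertSeverityColumnName in the rule definition
  // One row per client/query/IOC; AlertPerResult in the rule turns each row into an alert.
  | summarize Count=count(), EventStartTime=min(TimeGenerated), EventEndTime=max(TimeGenerated) by SrcIpAddr, DnsQuery, EventResultDetails, Name, Description, Tactic, Severity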
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
queryFrequency: 1h
requiredDataConnectors:
- connectorId: ASimDnsActivityLogs
  dataTypes:
  - ASimDnsActivityLogs
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream_CL
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvents
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: ISCBind
  dataTypes:
  - Syslog
id: 8e4a010a-972c-4124-8c27-1efcd7e3125a
version: 1.0.0
name: Detect DNS requests to known Domain IOCs (ASIM DNS Solution)
kind: Scheduled
status: Available
relevantTechniques:
- T1496
- T1048
- T1568
- T1095
- T1567
- T1068
- T1566
- T1187
- T1195
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/DNSRequestToKnownDomainIOCs.yaml
queryPeriod: 1h
alertDetailsOverride:
  alertDescriptionFormat: |-
    Alert Description: '{{Description}}'

    Client '{{SrcIpAddr}}' was detected as making request to '{{DnsQuery}}'
  alertSeverityColumnName: Severity
  alertTacticsColumnName: Tactic
  alertDisplayNameFormat: "'{{Name}}' was detected. From client: '{{SrcIpAddr}}'"
severity: Medium
triggerOperator: gt
tactics:
- Impact
- CommandAndControl
- Exfiltration
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
tags:
- Schema: ASimDns
  SchemaVersion: 0.1.6
description: |
    This rule identifies DNS requests to known domain IOCs in the [DNS query](https://learn.microsoft.com/azure/sentinel/normalization-schema-dns#query) logs. It evaluates DNS logs against 100+ known IOCs from the available Watchlist, which helps detect an attempt to communicate with known compromised domains.

    It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DnsQuery
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e4a010a-972c-4124-8c27-1efcd7e3125a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e4a010a-972c-4124-8c27-1efcd7e3125a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Detect DNS requests to known Domain IOCs (ASIM DNS Solution)",
        "description": "This rule identifies DNS requests to known domain IOCs in the [DNS query](https://learn.microsoft.com/azure/sentinel/normalization-schema-dns#query) logs. It evaluates DNS logs against 100+ known IOCs from the available Watchlist, which helps detect an attempt to communicate with known compromised domains.\n\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lookback = 1h;\nlet DNS_IOCs = materialize(_GetWatchlist('DNS_Solution_Domain_IOCs')\n  | where wl_Type == 'Detection' and wl_Enabled == 'TRUE'\n  | project\n      wl_DNSDomain,\n      wl_Name,\n      wl_Description,\n      wl_Type,\n      wl_ThresholdType,\n      wl_Threshold,\n      wl_Severity,\n      wl_Tactic,\n      wl_Enabled);\nlet Dynamic_DomainList=DNS_IOCs | summarize  make_set(wl_DNSDomain);\n_Im_Dns(starttime=ago(lookback),domain_has_any=toscalar(Dynamic_DomainList))\n| join kind=inner['DNS_IOCs'] where DnsQuery has wl_DNSDomain\n| project\n  SrcIpAddr,\n  DnsQuery,\n  EventResultDetails,\n  Name=wl_Name,\n  Description=wl_Description,\n  TimeGenerated,\n  Tactic=wl_Tactic,\n  Severity=wl_Severity\n| summarize Count=count(), EventStartTime=min(TimeGenerated), EventEndTime=max(TimeGenerated) by SrcIpAddr,DnsQuery, EventResultDetails, Name, Description, Tactic, Severity\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "CommandAndControl",
          "Exfiltration",
          "PrivilegeEscalation",
          "InitialAccess",
          "CredentialAccess"
        ],
        "techniques": [
          "T1496",
          "T1048",
          "T1568",
          "T1095",
          "T1567",
          "T1068",
          "T1566",
          "T1187",
          "T1195"
        ],
        "alertRuleTemplateName": "8e4a010a-972c-4124-8c27-1efcd7e3125a",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "'{{Name}}' was detected. From client: '{{SrcIpAddr}}'",
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": "Tactic",
          "alertDescriptionFormat": "Alert Description: '{{Description}}'\n\nClient '{{SrcIpAddr}}' was detected as making request to '{{DnsQuery}}'"
        },
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "DnsQuery",
                "identifier": "DomainName"
              }
            ],
            "entityType": "DNS"
          },
          {
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          {
            "Schema": "ASimDns",
            "SchemaVersion": "0.1.6"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/DNSRequestToKnownDomainIOCs.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}