Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Infoblox - Many High Threat Level Single Query Detected

Infoblox - Many High Threat Level Single Query Detected

Back
Id99278700-79ca-4b0f-b416-bf57ec699e1a
RulenameInfoblox - Many High Threat Level Single Query Detected
DescriptionSingle high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called **InfobloxCDC**.
SeverityMedium
TacticsImpact
TechniquesT1498
T1565
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
Version1.0.4
Arm template99278700-79ca-4b0f-b416-bf57ec699e1a.json
Deploy To Azure
let threshold = 200;
InfobloxCDC
| where DeviceEventClassID has_cs "RPZ"
| where ThreatLevel_Score >= 80
| summarize count() by DestinationDnsDomain
| where count_ > threshold
| join kind=inner (InfobloxCDC
  | where DeviceEventClassID has_cs "RPZ"
  | where ThreatLevel_Score >= 80
  ) on DestinationDnsDomain

version: 1.0.4
status: Available
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
relevantTechniques:
- T1498
- T1565
description: |
    'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Infoblox - Many High Threat Level Single Query Detected
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
id: 99278700-79ca-4b0f-b416-bf57ec699e1a
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
kind: Scheduled
tactics:
- Impact
triggerThreshold: 0
severity: Medium
query: |
  let threshold = 200;
  InfobloxCDC
  | where DeviceEventClassID has_cs "RPZ"
  | where ThreatLevel_Score >= 80
  | summarize count() by DestinationDnsDomain
  | where count_ > threshold
  | join kind=inner (InfobloxCDC
    | where DeviceEventClassID has_cs "RPZ"
    | where ThreatLevel_Score >= 80
    ) on DestinationDnsDomain  
customDetails:
  InfobloxB1PolicyName: InfobloxB1PolicyName
  InfobloxB1FeedName: InfobloxB1FeedName
  InfobloxB1Network: InfobloxB1Network
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: DestinationDnsDomain
    identifier: DomainName
- entityType: Malware
  fieldMappings:
  - columnName: ThreatProperty
    identifier: Name
  - columnName: ThreatClass
    identifier: Category
triggerOperator: gt