Back
Id999e9f5d-db4a-4b07-a206-29c4e667b7e8
RulenameTI map Domain entity to Dns Events (ASIM DNS Schema)
DescriptionIdentifies a match in DNS events from any Domain IOC from TI

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureFirewall
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftDefenderThreatIntelligence
NXLogDnsLogs
ThreatIntelligence
ThreatIntelligenceTaxii
Zscaler
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Analytic%20Rules/imDns_DomainEntity_DnsEvents.yaml
Version1.1.8
Arm template999e9f5d-db4a-4b07-a206-29c4e667b7e8.json
Deploy To Azure
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DomainTIs= ThreatIntelligenceIndicator
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(DomainName)
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now();
let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) 
  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;
DomainTIs
  | join (
      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
      | extend DNS_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.DnsQuery
| where DNS_TimeGenerated < ExpirationDateTime
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
query: |
  let HAS_ANY_MAX = 10000;
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let DomainTIs= ThreatIntelligenceIndicator
    // Picking up only IOC's that contain the entities we want
    | where isnotempty(DomainName)
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now();
  let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) 
    | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;
  DomainTIs
    | join (
        _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
        | extend DNS_TimeGenerated = TimeGenerated
  ) on $left.DomainName==$right.DnsQuery
  | where DNS_TimeGenerated < ExpirationDateTime
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
tags:
- Id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
  version: 1.0.0
- SchemaVersion: 0.1.1
  Schema: ASIMDns
version: 1.1.8
id: 999e9f5d-db4a-4b07-a206-29c4e667b7e8
name: TI map Domain entity to Dns Events (ASIM DNS Schema)
tactics:
- CommandAndControl
description: |
  Identifies a match in DNS events from any Domain IOC from TI
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
triggerThreshold: 0
severity: Medium
kind: Scheduled
queryFrequency: 1h
queryPeriod: 14d
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Analytic%20Rules/imDns_DomainEntity_DnsEvents.yaml
entityMappings:
- fieldMappings:
  - columnName: Dvc
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
customDetails:
  QueryType: DnsQueryType
  SourceIPAddress: SrcIpAddr
  ConfidenceScore: ConfidenceScore
  ThreatType: ThreatType
  ActivityGroupNames: ActivityGroupNames
  DNSRequestTime: DNS_TimeGenerated
  Description: Description
  ExpirationDateTime: ExpirationDateTime
  DnsQuery: DnsQuery
  LatestIndicatorTime: LatestIndicatorTime
  IndicatorId: IndicatorId
relevantTechniques:
- T1071
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "properties": {
        "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8",
        "customDetails": {
          "ActivityGroupNames": "ActivityGroupNames",
          "ConfidenceScore": "ConfidenceScore",
          "Description": "Description",
          "DnsQuery": "DnsQuery",
          "DNSRequestTime": "DNS_TimeGenerated",
          "ExpirationDateTime": "ExpirationDateTime",
          "IndicatorId": "IndicatorId",
          "LatestIndicatorTime": "LatestIndicatorTime",
          "QueryType": "DnsQueryType",
          "SourceIPAddress": "SrcIpAddr",
          "ThreatType": "ThreatType"
        },
        "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Dvc",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/Analytic%20Rules/imDns_DomainEntity_DnsEvents.yaml",
        "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n  // Picking up only IOC's that contain the entities we want\n  | where isnotempty(DomainName)\n  | where TimeGenerated >= ago(ioc_lookBack)\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n  | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n  | join (\n      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Id": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.1.8",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}