(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)

Back


Id	999e9f5d-db4a-4b07-a206-29c4e667b7e8
Rulename	(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)
Description	Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
Severity	Medium
Tactics	Impact
Required data connectors	AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS NXLogDnsLogs ThreatIntelligence ThreatIntelligenceTaxii Zscaler
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
Version	1.1.2
Arm template	999e9f5d-db4a-4b07-a206-29c4e667b7e8.json

KQL

let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DomainTIs= ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(DomainName)
  | where Active == true
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;
let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) 
  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;
DomainTIs
  | join (
      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
      | extend DNS_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.DnsQuery
| where DNS_TimeGenerated < ExpirationDateTime
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url

YAML

triggerOperator: gt
id: 999e9f5d-db4a-4b07-a206-29c4e667b7e8
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
severity: Medium
triggerThreshold: 0
kind: Scheduled
version: 1.1.2
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
query: |
  let HAS_ANY_MAX = 10000;
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  let DomainTIs= ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    // Picking up only IOC's that contain the entities we want
    | where isnotempty(DomainName)
    | where Active == true
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;
  let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) 
    | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;
  DomainTIs
    | join (
        _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
        | extend DNS_TimeGenerated = TimeGenerated
  ) on $left.DomainName==$right.DnsQuery
  | where DNS_TimeGenerated < ExpirationDateTime
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
  | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url  
description: |
  Identifies a match in DNS events from any Domain IOC from TI
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
name: (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)
tactics:
- Impact
customDetails:
  ConfidenceScore: ConfidenceScore
  IndicatorId: IndicatorId
  DNSRequestTime: DNS_TimeGenerated
  ExpirationDateTime: ExpirationDateTime
  ActivityGroupNames: ActivityGroupNames
  ThreatType: ThreatType
  LatestIndicatorTime: LatestIndicatorTime
  DnsQuery: DnsQuery
  QueryType: DnsQueryType
  Description: Description
  SourceIPAddress: SrcIpAddr
tags:
- version: 1.0.0
  Id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
- Schema: ASIMDns
  SchemaVersion: 0.1.1

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)",
        "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n  // Picking up only IOC's that contain the entities we want\n  | where isnotempty(DomainName)\n  | where Active == true\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n  | join (\n      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "IndicatorId": "IndicatorId",
          "DNSRequestTime": "DNS_TimeGenerated",
          "ExpirationDateTime": "ExpirationDateTime",
          "ThreatType": "ThreatType",
          "ActivityGroupNames": "ActivityGroupNames",
          "QueryType": "DnsQueryType",
          "SourceIPAddress": "SrcIpAddr",
          "Description": "Description",
          "DnsQuery": "DnsQuery",
          "LatestIndicatorTime": "LatestIndicatorTime"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "templateVersion": "1.1.2",
        "tags": [
          {
            "Id": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml"
      }
    }
  ]
}