Microsoft Sentinel Analytic Rules

(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)

Id: 999e9f5d-db4a-4b07-a206-29c4e667b7e8
Rule name: (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)
Description: Identifies DNS events whose queried domain matches a Domain IOC from threat intelligence (TI).

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema.
Severity: Medium
Tactics: Impact
Required data connectors: AzureFirewall, CiscoUmbrellaDataConnector, Corelight, DNS, GCPDNSDataConnector, InfobloxNIOS, NXLogDnsLogs, ThreatIntelligence, ThreatIntelligenceTaxii, Zscaler
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
Version: 1.1.2
Arm template: 999e9f5d-db4a-4b07-a206-29c4e667b7e8.json
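// Matches active threat-intelligence (TI) domain indicators against recent DNS queries
// normalized through the ASIM DNS parser (_Im_Dns).
// Upper bound on the number of indicator domains handed to the parser's domain_has_any pre-filter.
let HAS_ANY_MAX = 10000;
// Window of DNS events searched on each run.
let dt_lookBack = 1h;
// Window of indicator records considered.
let ioc_lookBack = 14d;
let DomainTIs = ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack)
  // Reduce to the newest record per indicator BEFORE testing Active and expiry. Filtering first
  // would let an indicator whose latest record is inactive or expired still match through an
  // older record that was active at the time.
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  // Picking up only IOC's that contain the entities we want
  | where isnotempty(DomainName)
  // The join below uses ==, which is case-sensitive for strings; fold the indicator side to lower case.
  | extend DomainName = tolower(DomainName);
let Domains = DomainTIs
  | summarize NDomains = dcount(DomainName), DomainsList = make_set(DomainName)
  // Above HAS_ANY_MAX the list is swapped for an empty array. Presumably _Im_Dns then applies no
  // domain pre-filter and the join alone does the matching (slower, same result) - confirm against the parser.
  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);
DomainTIs
  // No join kind is given, so the KQL default (innerunique) applies: left rows are de-duplicated
  // on DomainName, so when several indicators list the same domain only one of them is reported.
  | join (
      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
      | extend DNS_TimeGenerated = TimeGenerated
      // Lower-cased copy used only as the join key, so mixed-case lookups still match;
      // DnsQuery itself is reported exactly as logged.
      | extend DnsQueryKey = tolower(DnsQuery)
  ) on $left.DomainName == $right.DnsQueryKey
  // Keep only lookups that happened before the indicator's expiry.
  | where DNS_TimeGenerated < ExpirationDateTime
  | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
  // Columns consumed by the rule's entity mappings (Host, IP, URL).
  | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url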
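# Scheduled analytic rule: raises an alert when a DNS query (ASIM DNS schema) matches a domain
# indicator from the ThreatIntelligenceIndicator table.
# With triggerOperator gt and triggerThreshold 0, any single matching row triggers the rule.
triggerOperator: gt
id: 999e9f5d-db4a-4b07-a206-29c4e667b7e8
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
# NOTE(review): URLCustomEntity is taken from the indicator's Url column, which may be empty for
# domain indicators - consider also surfacing DnsQuery as an entity so the matched domain is
# visible on the incident (confirm against the indicator data in the workspace).
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
# Two TI connectors supply the indicators; the remaining connectors supply DNS telemetry.
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
severity: Medium
triggerThreshold: 0
kind: Scheduled
version: 1.1.2
# queryPeriod has to cover the 14d indicator look-back used inside the query.
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml
query: |
  // Upper bound on the number of indicator domains handed to the parser's domain_has_any pre-filter.
  let HAS_ANY_MAX = 10000;
  // Window of DNS events searched on each run.
  let dt_lookBack = 1h;
  // Window of indicator records considered.
  let ioc_lookBack = 14d;
  let DomainTIs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // Reduce to the newest record per indicator BEFORE testing Active and expiry. Filtering first
    // would let an indicator whose latest record is inactive or expired still match through an
    // older record that was active at the time.
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    // Picking up only IOC's that contain the entities we want
    | where isnotempty(DomainName)
    // The join below uses ==, which is case-sensitive for strings; fold the indicator side to lower case.
    | extend DomainName = tolower(DomainName);
  let Domains = DomainTIs
    | summarize NDomains = dcount(DomainName), DomainsList = make_set(DomainName)
    // Above HAS_ANY_MAX the list is swapped for an empty array. Presumably _Im_Dns then applies no
    // domain pre-filter and the join alone does the matching (slower, same result) - confirm against the parser.
    | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);
  DomainTIs
    // No join kind is given, so the KQL default (innerunique) applies: left rows are de-duplicated
    // on DomainName, so when several indicators list the same domain only one of them is reported.
    | join (
        _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
        | extend DNS_TimeGenerated = TimeGenerated
        // Lower-cased copy used only as the join key, so mixed-case lookups still match;
        // DnsQuery itself is reported exactly as logged.
        | extend DnsQueryKey = tolower(DnsQuery)
    ) on $left.DomainName == $right.DnsQueryKey
    // Keep only lookups that happened before the indicator's expiry.
    | where DNS_TimeGenerated < ExpirationDateTime
    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType
    // Columns consumed by entityMappings.
    | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url
description: |
  Identifies a match in DNS events from any Domain IOC from TI
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
name: (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)
# NOTE(review): a lookup of a TI-listed domain more often points to command-and-control or
# delivery activity than to Impact - confirm the tactic mapping (e.g. CommandAndControl).
tactics:
- Impact
# Query columns exposed on the alert as custom details for triage.
customDetails:
  ConfidenceScore: ConfidenceScore
  IndicatorId: IndicatorId
  DNSRequestTime: DNS_TimeGenerated
  ExpirationDateTime: ExpirationDateTime
  ActivityGroupNames: ActivityGroupNames
  ThreatType: ThreatType
  LatestIndicatorTime: LatestIndicatorTime
  DnsQuery: DnsQuery
  QueryType: DnsQueryType
  Description: Description
  SourceIPAddress: SrcIpAddr
tags:
- version: 1.0.0
  Id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
- Schema: ASIMDns
  SchemaVersion: 0.1.1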
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/999e9f5d-db4a-4b07-a206-29c4e667b7e8')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)",
        "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n  // Picking up only IOC's that contain the entities we want\n  | where isnotempty(DomainName)\n  | where Active == true\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n  | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n  | join (\n      _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8",
        "customDetails": {
          "ConfidenceScore": "ConfidenceScore",
          "IndicatorId": "IndicatorId",
          "DNSRequestTime": "DNS_TimeGenerated",
          "ExpirationDateTime": "ExpirationDateTime",
          "ThreatType": "ThreatType",
          "ActivityGroupNames": "ActivityGroupNames",
          "QueryType": "DnsQueryType",
          "SourceIPAddress": "SrcIpAddr",
          "Description": "Description",
          "DnsQuery": "DnsQuery",
          "LatestIndicatorTime": "LatestIndicatorTime"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "templateVersion": "1.1.2",
        "tags": [
          {
            "Id": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml"
      }
    }
  ]
}