RecordedFuture Threat Hunting Domain All Actors

let ioc_lookBack = 1d;
// The source table (_Im_Dns) is an ASIM parser table, but can be replaced by any infrastructure table containing domain/dns data.
// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns
_Im_Dns
| where isnotempty(Domain)
| extend lowerDomain=tolower(Domain)
| join kind=inner (
ThreatIntelIndicators
// Only look at Domain IOCs
| where ObservableKey == 'domain-name:value'
| where isnotempty(ObservableValue)
// Only look at Recorded Future Threat Hunt Indicators.
| where Data.description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
| where IsActive == true and ValidUntil > now()
| extend lowerDomain=tolower(ObservableValue)
) on lowerDomain
// select column from the source table to match with Recorded Future $left.Domain
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
| project Domain=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink

description: |
    'Recorded Future Threat Hunting domain correlation for all actors.'
query: |
  let ioc_lookBack = 1d;
  // The source table (_Im_Dns) is an ASIM parser table, but can be replaced by any infrastructure table containing domain/dns data.
  // The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns
  _Im_Dns
  | where isnotempty(Domain)
  | extend lowerDomain=tolower(Domain)
  | join kind=inner (
  ThreatIntelIndicators
  // Only look at Domain IOCs
  | where ObservableKey == 'domain-name:value'
  | where isnotempty(ObservableValue)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Data.description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id
  | where IsActive == true and ValidUntil > now()
  | extend lowerDomain=tolower(ObservableValue)
  ) on lowerDomain
  // select column from the source table to match with Recorded Future $left.Domain
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)))['recordedfutureportallink']
  | project Domain=ObservableValue, Description=Data.description, Type, TimeGenerated, RecordedFuturePortalLink  
requiredDataConnectors:
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelIndicators
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
alertDetailsOverride:
  alertDescriptionFormat: '**{{Description}}**\n\nCorrelation found on {{Domain}} from the {{Type}} table.\n'
  alertDisplayNameFormat: '{{Description}}'
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
customDetails:
  ActorInformation: RecordedFuturePortalLink
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 1h
  createIncident: true
triggerThreshold: 0
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1d
triggerOperator: gt
id: acbf7ef6-f964-44c3-9031-7834ec68175f
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1568
severity: Medium
name: RecordedFuture Threat Hunting Domain All Actors
kind: Scheduled
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml
version: 1.1.0