Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

RecordedFuture Threat Hunting Domain All Actors

Back
Idacbf7ef6-f964-44c3-9031-7834ec68175f
RulenameRecordedFuture Threat Hunting Domain All Actors
DescriptionRecorded Future Threat Hunting domain correlation for all actors.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1568
Required data connectorsThreatIntelligenceUploadIndicatorsAPI
KindScheduled
Query frequency15m
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml
Version1.0.4
Arm templateacbf7ef6-f964-44c3-9031-7834ec68175f.json
Deploy To Azure
let ioc_lookBack = 1d;
// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.
// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns  
imDns
| where isnotempty(Domain)
| extend lowerDomain=tolower(Domain)
| join kind=inner (
ThreatIntelligenceIndicator
// Only look at Domain IOCs
| where isnotempty(DomainName)
// Only look at Recorded Future Threat Hunt Indicators.
| where Description startswith "Recorded Future - Threat Hunt"
// Only work with the latest indicators  
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| extend lowerDomain=tolower(DomainName)
) on lowerDomain 
// select column from the source table to match with Recorded Future $left.Domain
| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink
name: RecordedFuture Threat Hunting Domain All Actors
alertDetailsOverride:
  alertDisplayNameFormat: '{{Description}}'
  alertDescriptionFormat: '**{{Description}}**\n\nCorrelation found on {{DomainName}} from the {{Type}} table.\n'
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: RecordedFuturePortalLink
severity: Medium
queryFrequency: 15m
triggerOperator: gt
customDetails:
  ActorInformation: RecordedFuturePortalLink
relevantTechniques:
- T1566
- T1568
version: 1.0.4
description: |
    'Recorded Future Threat Hunting domain correlation for all actors.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml
requiredDataConnectors:
- connectorId: ThreatIntelligenceUploadIndicatorsAPI
  dataTypes:
  - ThreatIntelligenceIndicator
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1d
query: |
  let ioc_lookBack = 1d;
  // The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.
  // The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns  
  imDns
  | where isnotempty(Domain)
  | extend lowerDomain=tolower(Domain)
  | join kind=inner (
  ThreatIntelligenceIndicator
  // Only look at Domain IOCs
  | where isnotempty(DomainName)
  // Only look at Recorded Future Threat Hunt Indicators.
  | where Description startswith "Recorded Future - Threat Hunt"
  // Only work with the latest indicators  
  | where TimeGenerated >= ago(ioc_lookBack)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | extend lowerDomain=tolower(DomainName)
  ) on lowerDomain 
  // select column from the source table to match with Recorded Future $left.Domain
  | mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']
  | project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
id: acbf7ef6-f964-44c3-9031-7834ec68175f
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/acbf7ef6-f964-44c3-9031-7834ec68175f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/acbf7ef6-f964-44c3-9031-7834ec68175f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n",
          "alertDisplayNameFormat": "{{Description}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "RecordedFuturePortalLink"
            }
          ]
        },
        "alertRuleTemplateName": "acbf7ef6-f964-44c3-9031-7834ec68175f",
        "customDetails": {
          "ActorInformation": "RecordedFuturePortalLink"
        },
        "description": "'Recorded Future Threat Hunting domain correlation for all actors.'\n",
        "displayName": "RecordedFuture Threat Hunting Domain All Actors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future/Analytic Rules/ThreatHunting/RecordedFutureThreatHuntingDomainAllActors.yaml",
        "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.\n// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns  \nimDns\n| where isnotempty(Domain)\n| extend lowerDomain=tolower(Domain)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look at Domain IOCs\n| where isnotempty(DomainName)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators  \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerDomain=tolower(DomainName)\n) on lowerDomain \n// select column from the source table to match with Recorded Future $left.Domain\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1566",
          "T1568"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}