WHOIS DNS Query To Typesquatting Domain

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule whois_dns_query_to_typosquatting_domain {

  meta:
    author = "Google Cloud Security"
    description = "Provides example usage of WHOIS data, detecting a DNS query for a domain that contains a specific string and is not registered with the defined domain registrar."
    rule_id = "mr_32cd8835-d328-4a89-8265-f19cffe89346"
    rule_name = "WHOIS DNS Query To Typesquatting Domain"
    // This rule must be customized to alert on DNS queries for possible typosquatting domains that contain your organization's domain name(s) that are not registered with your approved domain registrar.
    type = "hunt"
    tags = "whois"
    data_source = "microsoft sysmon"
    severity = "low"
    priority = "low"

  events:
    // Match on DNS queries for domains that contain a specific string or company name(s).
    $dns.metadata.event_type = "NETWORK_DNS"
    // Customize the value for $dns.network.dns.questions.name to fit your environment.
    $dns.network.dns.questions.name = /threatpunter/ nocase
    $dns.network.dns.questions.name = $dns_query_name

    // Join DNS query events with WHOIS data.
    $whois.graph.entity.hostname = $dns_query_name
    $whois.graph.metadata.entity_type = "DOMAIN_NAME"
    $whois.graph.metadata.vendor_name = "WHOIS"
    $whois.graph.metadata.product_name = "WHOISXMLAPI Simple Whois"
    $whois.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Check if the domain is registered with a registrar other than Mark Monitor.
    // Customize the values for $whois.graph.entity.domain.registrar based on the approved/expected registrar(s) used by your organization.
    $whois.graph.entity.domain.registrar != "MarkMonitor Inc."

    // Check if the domain was first seen in our environment within the last 30 days (2592000 seconds).
    $seen.graph.entity.domain.name = $dns_query_name
    $seen.graph.entity.domain.first_seen_time.seconds > 0
    2592000 > timestamp.current_seconds() - $seen.graph.entity.domain.first_seen_time.seconds

  match:
    // Return the DNS query name when the rule finds a match within a 1 hour time window.
    $dns_query_name over 1h

  outcome:
    $event_count = count_distinct($dns.metadata.id)
    $principal_hostname = array_distinct($dns.principal.hostname)
    $network_dns_questions_name = array_distinct($dns.network.dns.questions.name)
    $network_dns_answers_data = array_distinct($dns.network.dns.answers.data)
    $principal_ip = array_distinct($dns.principal.ip)
    $target_ip = array_distinct($dns.target.ip)
    $principal_process_pid = array_distinct($dns.principal.process.pid)
    $principal_process_file_full_path = array_distinct($dns.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($dns.principal.process.product_specific_process_id)
    $principal_process_command_line = array_distinct($dns.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($dns.principal.process.file.sha256)
    $principal_process_parent_process_product_specific_process_id = array_distinct($dns.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($dns.principal.user.userid)

  condition:
    // Trigger rule if a match is found for the following events.
    $dns and $whois and $seen
}