Detection rules › Kusto
Infoblox - High Threat Level Query Not Blocked Detected
'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called InfobloxCDC.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1498 Network Denial of Service, T1565 Data Manipulation |
Rule body kusto
id: dc7af829-d716-4774-9d6f-03d9aa7c27a4
name: Infoblox - High Threat Level Query Not Blocked Detected
description: |
'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1498
- T1565
query: |
let threshold = 1;
InfobloxCDC
| where DeviceEventClassID has_cs "RPZ"
| where ThreatLevel_Score >=80
| where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
| summarize count() by SourceIP
| where count_ > threshold
| join kind=inner (InfobloxCDC
| where DeviceEventClassID has_cs "RPZ"
| where ThreatLevel_Score >=80
| where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
) on SourceIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DeviceName
- identifier: OSVersion
columnName: InfobloxB1SrcOSVersion
- identifier: FullName
columnName: SourceUserName
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: DestinationDnsDomain
- entityType: Malware
fieldMappings:
- identifier: Name
columnName: ThreatProperty
- identifier: Category
columnName: ThreatClass
customDetails:
SourceMACAddress: SourceMACAddress
InfobloxB1FeedName: InfobloxB1FeedName
InfobloxB1Network: InfobloxB1Network
InfobloxB1Action: InfobloxB1PolicyAction
InfobloxB1PolicyName: InfobloxB1PolicyName
eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.4
kind: Scheduled
Stages and Predicates
Parameters
let threshold = 1;
Stage 1: source
InfobloxCDC
Stage 2: where
| where DeviceEventClassID has_cs "RPZ"
Stage 3: where
| where ThreatLevel_Score >=80
Stage 4: where
| where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
Stage 5: summarize
| summarize count() by SourceIP
Stage 6: where
| where count_ > threshold
Stage 7: join
| join kind=inner (InfobloxCDC
| where DeviceEventClassID has_cs "RPZ"
| where ThreatLevel_Score >=80
| where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
) on SourceIP
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DeviceEventClassID | match |
|
InfobloxB1PolicyAction | eq |
|
SimplifiedDeviceAction | eq |
|
ThreatLevel_Score | ge |
|
count_ | gt |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
SourceIP | summarize |