Detection rules › Kusto
TI map Domain entity to Dns Events (ASIM DNS Schema)
Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071 Application Layer Protocol |
Rule body kusto
id: 7c1ea2e6-6210-412c-92e4-180803a741b4
name: TI map Domain entity to Dns Events (ASIM DNS Schema)
description: |
Identifies a match in DNS events from any Domain IOC from TI
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelIndicators
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelIndicators
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_dns_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
tags:
- Id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
version: 1.0.0
- Schema: ASIMDns
SchemaVersion: 0.1.1
query: |
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let DomainTIs= ThreatIntelIndicators
// Picking up only IOC's that contain the entities we want
//extract key part of kv pair
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| extend IndicatorId = tostring(split(Id, "--")[2])
| where IndicatorType == "domain-name"
| extend DomainName = ObservableValue
| extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| extend ThreatList = tostring(parse_json(Data).indicator_types[0])
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue
| where IsActive and (ValidUntil > now() or isempty(ValidUntil));
let Domains = DomainTIs |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName)
| project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);
DomainTIs
| project-reorder *, ThreatList, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
| join (
_Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
| extend DNS_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.DnsQuery
| where DNS_TimeGenerated < ValidUntil
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType, Url
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Dvc
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Domain
customDetails:
LatestIndicatorTime: LatestIndicatorTime
Description: Description
ActivityGroupNames: ActivityGroupNames
IndicatorId: IndicatorId
ExpirationDateTime: ValidUntil
ConfidenceScore: Confidence
DNSRequestTime: DNS_TimeGenerated
SourceIPAddress: SrcIpAddr
DnsQuery: DnsQuery
QueryType: DnsQueryType
version: 1.2.3
kind: Scheduled
Stages and Predicates
Parameters
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
Let binding: Domains
let Domains = DomainTIs |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName)
| project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList);
Derived from HAS_ANY_MAX, DomainTIs.
The stages below define let DomainTIs (the rule's main pipeline source).
Stage 1: source
ThreatIntelIndicators
Stage 2: extend
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
Stage 3: extend
| extend IndicatorId = tostring(split(Id, "--")[2])
Stage 4: where
| where IndicatorType == "domain-name"
Stage 5: extend (4 consecutive steps)
| extend DomainName = ObservableValue
| extend Url = iff(ObservableKey == "url:value", ObservableValue, "")
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| extend ThreatList = tostring(parse_json(Data).indicator_types[0])
Stage 6: where
| where TimeGenerated >= ago(ioc_lookBack)
Stage 7: summarize
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId, ObservableValue
Stage 8: where
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
The stages below run on DomainTIs (the outer pipeline).
Stage 9: project-reorder
DomainTIs
| project-reorder *, ThreatList, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
Stage 10: join
| join (
_Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))
| extend DNS_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.DnsQuery
Stage 11: where
| where DNS_TimeGenerated < ValidUntil
Stage 12: extend
| extend Description = tostring(parse_json(Data).description)
Stage 13: extend
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
Stage 14: project
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ValidUntil, Confidence, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType, Url
Stage 15: extend
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
Stage 16: extend
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
HostNameDomain =if
DomainIndex != -1substring(Dvc, (DomainIndex + 1))else
DvcIndicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DNS_TimeGenerated | lt |
|
IndicatorType | eq |
|
ValidUntil | is_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
ActivityGroupNames | project |
Confidence | project |
DNS_TimeGenerated | project |
Description | project |
DnsQuery | project |
DnsQueryType | project |
Domain | project |
Dvc | project |
IndicatorId | project |
LatestIndicatorTime | project |
SrcIpAddr | project |
Url | project |
ValidUntil | project |
DomainIndex | extend |
HostName | extend |
HostNameDomain | extend |