AWS DNS Crypto Domain
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1496 Resource Hijacking |
Rule body yaml
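# Panther rule: AWS DNS Crypto Domain
# Flags DNS queries (Route 53 Resolver query logs, delivered either as the native
# AWS.VPCDns schema or as the OCSF DnsActivity mapping) whose queried name ends
# with a known cryptocurrency mining-pool domain.
#
# Indentation below is restored from a whitespace-stripped rendering; the key
# nesting (Reports -> MITRE ATT&CK -> list, Tests -> items -> Log) is the only
# structural content that was lost.
AnalysisType: rule
Description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
DisplayName: "AWS DNS Crypto Domain"
Enabled: true
# The detection code (rule() plus any title()/dedup() helpers) lives in this module,
# not in this file. Review notes on the rendered indicator list that module checks:
#   - Matching is a plain suffix test (ends_with) on the query name; a bare suffix
#     such as "xmr.pt" or "pool.support" also fires on unrelated names that merely
#     end in those characters. An exact match or a label-boundary check (leading ".")
#     would tighten it -- confirm how the module compares.
#   - "mooo.com" appears to be a shared dynamic-DNS zone, so every host under it
#     will trigger; expect false positives from that entry.
#   - The entry "pangolinminer.comgandalph3000.com" looks like two domains fused
#     during editing; as written it can never match -- verify against the module.
Filename: aws_dns_crypto_domain.py
Reports:
  MITRE ATT&CK:
    - TA0040:T1496
# NOTE(review): this link documents VPC Flow Logs, while the rule consumes DNS
# query logs (see LogTypes and the "Resolver Query Logs" fixture metadata below);
# confirm the intended reference.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
Severity: High
Tests:
  # Benign AWS service lookup: must not alert.
  - Name: Non Crypto Query
    ExpectedResult: false
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "dynamodb.us-west-2.amazonaws.com",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        # key quoted for consistency with the other fixtures (the unquoted form was valid YAML too)
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Same benign lookup with the trailing root dot that resolver logs may include.
  - Name: Non Crypto Query Trailing Period
    ExpectedResult: false
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "dynamodb.us-west-2.amazonaws.com.",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Listed pool domain queried directly: alerts.
  - Name: Crypto Query
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "moneropool.ru",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Subdomain of a listed pool domain: the suffix match still alerts.
  - Name: Crypto Query Subdomain
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "abc.abc.moneropool.ru",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Trailing root dot must not defeat the match.
  - Name: Crypto Query Trailing Period
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "moneropool.ru.",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Subdomain plus trailing root dot.
  - Name: Crypto Query Subdomain Trailing Period
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "abc.abc.moneropool.ru.",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Indicator listed as a full hostname (not a registrable domain) is matched whole.
  - Name: Checking Against Subdomain IOC
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "webservicepag.webhop.net",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # Same hostname indicator with a trailing root dot.
  - Name: Checking Against Subdomain IOC Trailing Period
    ExpectedResult: true
    Log:
      {
        "account_id": "0123456789",
        "answers": { "Class": "IN", "Rdata": "1.2.3.4", "Type": "A" },
        "query_class": "IN",
        "query_name": "webservicepag.webhop.net.",
        "query_timestamp": "2022-06-25 00:27:53",
        "query_type": "A",
        "rcode": "NOERROR",
        "region": "us-west-2",
        "srcaddr": "5.6.7.8",
        "srcids": { "instance": "i-0abc234" },
        "srcport": "8888",
        "transport": "UDP",
        "version": "1.100000",
        "vpc_id": "vpc-abc123",
        "p_log_type": "AWS.VPCDns",
      }
  # OCSF DnsActivity form of the benign case: the queried name sits under
  # query.hostname rather than query_name, so the module presumably reads both.
  - Name: Non Crypto Query Trailing Period - OCSF
    ExpectedResult: false
    Log:
      {
        "activity_id": 2,
        "activity_name": "Response",
        "answers": [{ "class": "IN", "rdata": "1.2.3.4", "type": "AAAA" }],
        "category_name": "Network Activity",
        "category_uid": 4,
        "class_name": "DNS Activity",
        "class_uid": 4003,
        "cloud": { "provider": "AWS", "region": "us-west-2" },
        "connection_info":
          { "direction": "Unknown", "direction_id": 0, "protocol_name": "UDP" },
        "disposition": "Unknown",
        "disposition_id": 0,
        "metadata":
          {
            "product":
              {
                "feature": { "name": "Resolver Query Logs" },
                "name": "Route 53",
                "vendor_name": "AWS",
                "version": "1.100000",
              },
            "profiles": ["cloud", "security_control"],
            "version": "1.100000",
          },
        "query":
          {
            "class": "IN",
            "hostname": "dynamodb.us-west-2.amazonaws.com.",
            "type": "AAAA",
          },
        "rcode": "NoError",
        "rcode_id": 0,
        "severity": "Informational",
        "severity_id": 1,
        "src_endpoint":
          {
            "instance_uid": "i-0abc234",
            "ip": "5.6.7.8",
            "port": "8888",
            "vpc_uid": "vpc-abc123",
          },
        "time": "2022-06-25 00:27:53",
        "type_name": "DNS Activity: Response",
        "type_uid": 400302,
        "p_log_type": "OCSF.DnsActivity",
      }
  # OCSF DnsActivity form of a listed pool domain: alerts.
  - Name: Crypto Query - OCSF
    ExpectedResult: true
    Log:
      {
        "activity_id": 2,
        "activity_name": "Response",
        "answers": [{ "class": "IN", "rdata": "1.2.3.4", "type": "AAAA" }],
        "category_name": "Network Activity",
        "category_uid": 4,
        "class_name": "DNS Activity",
        "class_uid": 4003,
        "cloud": { "provider": "AWS", "region": "us-west-2" },
        "connection_info":
          { "direction": "Unknown", "direction_id": 0, "protocol_name": "UDP" },
        "disposition": "Unknown",
        "disposition_id": 0,
        "metadata":
          {
            "product":
              {
                "feature": { "name": "Resolver Query Logs" },
                "name": "Route 53",
                "vendor_name": "AWS",
                "version": "1.100000",
              },
            "profiles": ["cloud", "security_control"],
            "version": "1.100000",
          },
        "query": { "class": "IN", "hostname": "moneropool.ru", "type": "AAAA" },
        "rcode": "NoError",
        "rcode_id": 0,
        "severity": "Informational",
        "severity_id": 1,
        "src_endpoint":
          {
            "instance_uid": "i-0abc234",
            "ip": "5.6.7.8",
            "port": "8888",
            "vpc_uid": "vpc-abc123",
          },
        "time": "2022-06-25 00:27:53",
        "type_name": "DNS Activity: Response",
        "type_uid": 400302,
        "p_log_type": "OCSF.DnsActivity",
      }
# Further matches sharing the same dedup key are folded into an open alert for
# 60 minutes; what the key is depends on the module (rule ID by default).
DedupPeriodMinutes: 60
# Both schemas are accepted; the fixtures above show each one's field layout.
LogTypes:
  - AWS.VPCDns
  - OCSF.DnsActivity
RuleID: "AWS.DNS.Crypto.Domain"
# A single matching event is enough to alert.
Threshold: 1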
Detection logic
Condition
dns_query is_not_null
dns_query ends_with "1gh.com" or dns_query ends_with "abcxyz.stream" or dns_query ends_with "alimabi.cn" or dns_query ends_with "ap.luckpool.net" or dns_query ends_with "asiapool.io" or dns_query ends_with "backup-pool.com" or dns_query ends_with "baikalmine.com" or dns_query ends_with "bcn.pool.minergate.com" or dns_query ends_with "bcn.vip.pool.minergate.com" or dns_query ends_with "bohemianpool.com" or dns_query ends_with "ca.minexmr.com" or dns_query ends_with "ca.monero.herominers.com" or dns_query ends_with "cbd.monerpool.org" or dns_query ends_with "cbdv2.monerpool.org" or dns_query ends_with "coinfoundry.org" or dns_query ends_with "coinpoolit.webhop.me" or dns_query ends_with "coolmining.club" or dns_query ends_with "cryptmonero.com" or dns_query ends_with "crypto-pool.fr" or dns_query ends_with "crypto-pool.info" or dns_query ends_with "crypto-pools.org" or dns_query ends_with "cryptoescrow.eu" or dns_query ends_with "cryptoknight.cc" or dns_query ends_with "cryptonight-hub.miningpoolhub.com" or dns_query ends_with "cryptonight.net" or dns_query ends_with "cryptonotepool.org.uk" or dns_query ends_with "cryptonotepool.org" or dns_query ends_with "d1pool.ddns.net" or dns_query ends_with "d5pool.us" or dns_query ends_with "daili01.monerpool.org" or dns_query ends_with "de.minexmr.com" or dns_query ends_with "dl.nbminer.com" or dns_query ends_with "do-dear.com" or dns_query ends_with "donate.graef.in" or dns_query ends_with "donate.ssl.xmrig.com" or dns_query ends_with "donate.v2.xmrig.com" or dns_query ends_with "donate.xmrig.com" or dns_query ends_with "donate2.graef.in" or dns_query ends_with "drill.moneroworld.com" or dns_query ends_with "dwarfpool.com" or dns_query ends_with "emercoin.com" or dns_query ends_with "emercoin.net" or dns_query ends_with "emergate.net" or dns_query ends_with "ethereumpool.co" or dns_query ends_with "eu.luckpool.net" or dns_query ends_with "eu.minerpool.pw" or dns_query ends_with "extremehash.com" or dns_query ends_with 
"extremepool.org" or dns_query ends_with "extrmepool.org" or dns_query ends_with "fairhash.org" or dns_query ends_with "fairpool.cloud" or dns_query ends_with "fairpool.xyz" or dns_query ends_with "fcn-xmr.pool.minergate.com" or dns_query ends_with "fee.xmrig.com" or dns_query ends_with "fr.minexmr.com" or dns_query ends_with "freeyy.me" or dns_query ends_with "gntl.co.uk" or dns_query ends_with "hash-to-coins.com" or dns_query ends_with "hashanywhere.com" or dns_query ends_with "hashfor.cash" or dns_query ends_with "hashinvest.net" or dns_query ends_with "hashinvest.ws" or dns_query ends_with "hashvault.pro" or dns_query ends_with "hellominer.com" or dns_query ends_with "herominers.com" or dns_query ends_with "huadong1-aeon.ppxxmr.com" or dns_query ends_with "iwanttoearn.money" or dns_query ends_with "jw-js1.ppxxmr.com" or dns_query ends_with "kippo.eu" or dns_query ends_with "koto-pool.work" or dns_query ends_with "lhr.nbminer.com" or dns_query ends_with "lhr3.nbminer.com" or dns_query ends_with "linux-repository-updates.com" or dns_query ends_with "linux.monerpool.org" or dns_query ends_with "litecoinpool.org" or dns_query ends_with "lokiturtle.herominers.com" or dns_query ends_with "luckpool.net" or dns_query ends_with "masari.miner.rocks" or dns_query ends_with "mine.c3pool.com" or dns_query ends_with "mine.moneropool.com" or dns_query ends_with "mine.ppxxmr.com" or dns_query ends_with "mine.zpool.ca" or dns_query ends_with "mine1.ppxxmr.com" or dns_query ends_with "minemonero.gq" or dns_query ends_with "miner.center" or dns_query ends_with "miner.ppxxmr.com" or dns_query ends_with "miner.rocks" or dns_query ends_with "minercircle.com" or dns_query ends_with "minergate.com" or dns_query ends_with "minerpool.pw" or dns_query ends_with "minerrocks.com" or dns_query ends_with "miners.pro" or dns_query ends_with "minerxmr.ru" or dns_query ends_with "mineshaft.ml" or dns_query ends_with "minexmr.cn" or dns_query ends_with "minexmr.com" or dns_query ends_with 
"minexmr.org" or dns_query ends_with "mining-help.ru" or dns_query ends_with "mininglottery.eu" or dns_query ends_with "miningpoolhub.com" or dns_query ends_with "mixpools.org" or dns_query ends_with "moner.monerpool.org" or dns_query ends_with "moner1min.monerpool.org" or dns_query ends_with "monero-master.crypto-pool.fr" or dns_query ends_with "monero.crypto-pool.fr" or dns_query ends_with "monero.farm" or dns_query ends_with "monero.hashvault.pro" or dns_query ends_with "monero.herominers.com" or dns_query ends_with "monero.lindon-pool.win" or dns_query ends_with "monero.miners.pro" or dns_query ends_with "monero.net" or dns_query ends_with "monero.riefly.id" or dns_query ends_with "monero.us.to" or dns_query ends_with "monerocean.stream" or dns_query ends_with "monerogb.com" or dns_query ends_with "monerohash.com" or dns_query ends_with "monerominers.net" or dns_query ends_with "moneroocean.stream" or dns_query ends_with "moneropool.com" or dns_query ends_with "moneropool.nl" or dns_query ends_with "moneropool.ru" or dns_query ends_with "moneropools.com" or dns_query ends_with "monerorx.com" or dns_query ends_with "monerpool.org" or dns_query ends_with "mooo.com" or dns_query ends_with "moriaxmr.com" or dns_query ends_with "mro.pool.minergate.com" or dns_query ends_with "multipool.us" or dns_query ends_with "multipooler.com" or dns_query ends_with "myxmr.pw" or dns_query ends_with "na.luckpool.net" or dns_query ends_with "nanopool.org" or dns_query ends_with "nbminer.com" or dns_query ends_with "node3.luckpool.net" or dns_query ends_with "noobxmr.com" or dns_query ends_with "pangolinminer.comgandalph3000.com" or dns_query ends_with "pool-proxy.com" or dns_query ends_with "pool.4i7i.com" or dns_query ends_with "pool.armornetwork.org" or dns_query ends_with "pool.cortins.tk" or dns_query ends_with "pool.gntl.co.uk" or dns_query ends_with "pool.hashvault.pro" or dns_query ends_with "pool.minergate.com" or dns_query ends_with "pool.minexmr.com" or dns_query 
ends_with "pool.monero.hashvault.pro" or dns_query ends_with "pool.ppxxmr.com" or dns_query ends_with "pool.somec.cc" or dns_query ends_with "pool.support" or dns_query ends_with "pool.supportxmr.com" or dns_query ends_with "pool.usa-138.com" or dns_query ends_with "pool.xmr.pt" or dns_query ends_with "pool.xmrfast.com" or dns_query ends_with "pool2.armornetwork.org" or dns_query ends_with "poolchange.ppxxmr.com" or dns_query ends_with "pooldd.com" or dns_query ends_with "poolmining.org" or dns_query ends_with "poolto.be" or dns_query ends_with "ppxvip1.ppxxmr.com" or dns_query ends_with "ppxxmr.com" or dns_query ends_with "prohash.net" or dns_query ends_with "r.twotouchauthentication.online" or dns_query ends_with "randomx.xmrig.com" or dns_query ends_with "ratchetmining.com" or dns_query ends_with "secumine.net" or dns_query ends_with "seed.emercoin.com" or dns_query ends_with "seed.emercoin.net" or dns_query ends_with "seed.emergate.net" or dns_query ends_with "seed1.joulecoin.org" or dns_query ends_with "seed2.joulecoin.org" or dns_query ends_with "seed3.joulecoin.org" or dns_query ends_with "seed4.joulecoin.org" or dns_query ends_with "seed5.joulecoin.org" or dns_query ends_with "seed6.joulecoin.org" or dns_query ends_with "seed7.joulecoin.org" or dns_query ends_with "seed8.joulecoin.org" or dns_query ends_with "semipool.com" or dns_query ends_with "sg.minexmr.com" or dns_query ends_with "sheepman.mine.bz" or dns_query ends_with "shscrypto.net" or dns_query ends_with "siamining.com" or dns_query ends_with "sumokoin.minerrocks.com" or dns_query ends_with "supportxmr.com" or dns_query ends_with "suprnova.cc" or dns_query ends_with "teracycle.net" or dns_query ends_with "trtl.cnpool.cc" or dns_query ends_with "trtl.pool.mine2gether.com" or dns_query ends_with "tubepool.xyz" or dns_query ends_with "turtle.miner.rocks" or dns_query ends_with "unipool.pro" or dns_query ends_with "us-west.minexmr.com" or dns_query ends_with "usxmrpool.com" or dns_query ends_with 
"viaxmr.com" or dns_query ends_with "walpool.com" or dns_query ends_with "webcoin.me" or dns_query ends_with "webservicepag.webhop.net" or dns_query ends_with "xiazai.monerpool.org" or dns_query ends_with "xiazai1.monerpool.org" or dns_query ends_with "xmc.pool.minergate.com" or dns_query ends_with "xmo.pool.minergate.com" or dns_query ends_with "xmr-asia1.nanopool.org" or dns_query ends_with "xmr-au1.nanopool.org" or dns_query ends_with "xmr-eu1.nanopool.org" or dns_query ends_with "xmr-eu2.nanopool.org" or dns_query ends_with "xmr-jp1.nanopool.org" or dns_query ends_with "xmr-us-east1.nanopool.org" or dns_query ends_with "xmr-us-west1.nanopool.org" or dns_query ends_with "xmr-us.suprnova.cc" or dns_query ends_with "xmr-usa.dwarfpool.com" or dns_query ends_with "xmr.2miners.com" or dns_query ends_with "xmr.5b6b7b.ru" or dns_query ends_with "xmr.alimabi.cn" or dns_query ends_with "xmr.bohemianpool.com" or dns_query ends_with "xmr.crypto-pool.fr" or dns_query ends_with "xmr.crypto-pool.info" or dns_query ends_with "xmr.f2pool.com" or dns_query ends_with "xmr.hashcity.org" or dns_query ends_with "xmr.hex7e4.ru" or dns_query ends_with "xmr.ip28.net" or dns_query ends_with "xmr.monerpool.org" or dns_query ends_with "xmr.mypool.online" or dns_query ends_with "xmr.nanopool.org" or dns_query ends_with "xmr.pool.gntl.co.uk" or dns_query ends_with "xmr.pool.minergate.com" or dns_query ends_with "xmr.poolto.be" or dns_query ends_with "xmr.ppxxmr.com" or dns_query ends_with "xmr.prohash.net" or dns_query ends_with "xmr.pt" or dns_query ends_with "xmr.simka.pw" or dns_query ends_with "xmr.somec.cc" or dns_query ends_with "xmr.suprnova.cc" or dns_query ends_with "xmr.usa-138.com" or dns_query ends_with "xmr.vip.pool.minergate.com" or dns_query ends_with "xmr1min.monerpool.org" or dns_query ends_with "xmrf.520fjh.org" or dns_query ends_with "xmrf.fjhan.club" or dns_query ends_with "xmrfast.com" or dns_query ends_with "xmrget.com" or dns_query ends_with "xmrigcc.graef.in" or 
dns_query ends_with "xmrminer.cc" or dns_query ends_with "xmrminerpro.com" or dns_query ends_with "xmrpool.com" or dns_query ends_with "xmrpool.de" or dns_query ends_with "xmrpool.eu" or dns_query ends_with "xmrpool.me" or dns_query ends_with "xmrpool.net" or dns_query ends_with "xmrpool.xyz" or dns_query ends_with "xx11m.monerpool.org" or dns_query ends_with "xx11mv2.monerpool.org" or dns_query ends_with "xxx.hex7e4.ru" or dns_query ends_with "zarabotaibitok.ru" or dns_query ends_with "zer0day.ru"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule. The ends_with values themselves are the domain suffixes listed under Detection logic above.
| Field | Kind | Values |
|---|---|---|
| dns_query | ends_with | |
| dns_query | is_not_null | |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection, and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
| source_ip |
| source_port |
| dns_query |