Has anyone got this analytics rule template up and running?
Connected data sources:
TI Platform
DNS Analytics
These are working properly and tested. I have matched DNS domain translations for domain IOCs with timestamps in the specified time range, but these are not matched by the analytics rule.
I am struggling with the Kusto rule query. It's not returning any results, whereas I have confirmed that I have valid DnsEvents logs and threat intelligence logs that match. It's just that the query can't match them. I'm trying to deconstruct the rule query, and certain parts execute fine when I isolate them.
Can anyone help me troubleshoot this further?
let dt_lookBack = 8h;
let ioc_lookBack = 15d;
//Create a list of TLDs in our threat feed for later validation
let list_tlds = ThreatIntelligenceIndicator
| where TimeGenerated > ago(ioc_lookBack)
| where isnotempty(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts) - 1)]
| summarize count() by tostring(tld)
| summarize make_list(tld);
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| join (
DnsEvents
| where TimeGenerated > ago(dt_lookBack)
//Extract domain patterns from syslog message
| where isnotempty(Name)
| extend parts = split(Name, '.')
//Split out the TLD
| extend tld = parts[(array_length(parts) - 1)]
//Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
| where tld in~ (list_tlds)
| extend DNS_TimeGenerated = TimeGenerated
)
on $left.DomainName == $right.Name
| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
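A diagnostic query for pinpointing where a known-good indicator/DNS pair drops out of the rule, added here as an example; it is not part of the original post or of the Sentinel template. It reuses the template's tables and columns but removes the TLD pre-filter and the time-window filter from the join, joins on a normalised name (lower-cased, trailing dot trimmed) instead of the exact one, and reports for each candidate pair which of the template's conditions evaluates to false; the normalisation and the 8h/15d windows are assumptions copied from the template.

```kql
let dt_lookBack = 8h;
let ioc_lookBack = 15d;
// Candidate indicators: same columns the template uses, plus a normalised name (assumed normalisation)
let iocs = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| where isnotempty(DomainName)
| extend NormDomain = tolower(trim_end(@"\.", DomainName))
| project IndicatorId, DomainName, NormDomain, IOC_TimeGenerated = TimeGenerated, ExpirationDateTime, Active;
// Candidate DNS lookups, normalised the same way
let dns = DnsEvents
| where TimeGenerated > ago(dt_lookBack)
| where isnotempty(Name)
| extend NormName = tolower(trim_end(@"\.", Name))
| project DNS_TimeGenerated = TimeGenerated, Name, NormName, Computer, ClientIP, QueryType;
// Join on the normalised names so a case or trailing-dot difference does not hide the pair entirely
iocs
| join kind=inner (dns) on $left.NormDomain == $right.NormName
// One flag per condition the template applies; a false value names the filter that drops the pair
| extend ExactNameMatch = (DomainName == Name),          // the template joins on == (case-sensitive, exact)
         IndicatorActive = (Active == true),
         IndicatorNotExpired = (ExpirationDateTime > now()),
         DnsAfterIndicator = (DNS_TimeGenerated >= IOC_TimeGenerated),  // DNS event must follow indicator ingestion
         DnsBeforeExpiry = (DNS_TimeGenerated < ExpirationDateTime)
| project DomainName, Name, ExactNameMatch, IndicatorActive, IndicatorNotExpired,
          DnsAfterIndicator, DnsBeforeExpiry, IOC_TimeGenerated, DNS_TimeGenerated,
          ExpirationDateTime, IndicatorId, Computer, ClientIP, QueryType
| order by DNS_TimeGenerated desc
```

If a pair appears here with every flag true but still produces no alert, the remaining difference from the template is the TLD pre-filter, so check that the DNS Name's last label is present in the indicator feed's TLD list.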