Sentinel Analytics Rule Template: TI map Domain entity to DnsEvent

MasterControl007 1 Reputation point
2021-07-04T22:27:05.017+00:00

Has anyone got this analytics rule template up and running?

Connected Data sources:
TI platform
Dns Analytics

These are working properly and tested. I have matched dns domain translations for domain IOCs with timestamps in the specified time range but these are not matched by the analytics rule.

I am struggling with the kusto rule query. It's not returning any results whereas I have confirmed to have valid dnsevent logs and threat intelligence logs that match. It's just that the query can't match them. I'm trying to deconstruct the rule query and certain parts execute fine when isolating certain parts of the query.

Can anyone help me troubleshoot this further?

let dt_lookBack = 8h;
let ioc_lookBack = 15d;
//Create a list of TLDs in our threat feed for later validation
let list_tlds = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookBack)
    | where isnotempty(DomainName)
    | extend parts = split(DomainName, '.')
    | extend tld = parts[(array_length(parts) - 1)]
    | summarize count() by tostring(tld)
    | summarize make_list(tld);
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| join (
    DnsEvents
    | where TimeGenerated > ago(dt_lookBack)
    //Extract domain patterns from syslog message
    | where isnotempty(Name)
    | extend parts = split(Name, '.')
    //Split out the TLD
    | extend tld = parts[(array_length(parts) - 1)]
    //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
    | where tld in~ (list_tlds)
    | extend DNS_TimeGenerated = TimeGenerated
    )
    on $left.DomainName == $right.Name
| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url
Microsoft Sentinel

1 answer

  1. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee
    2021-07-06T15:47:28.593+00:00

    @MasterControl007 I do not have such a data set available in my setup, hence I can't run your query to understand which part works and which does not.

    Can you share more information about which query parts work for you, and adding which statements returns nothing?
    Are you having issues after you join the tables? And do the individual tables work fine, like ThreatIntelligenceIndicator and DnsEvents?

    This article talks about how to utilize join operator efficiently with Kusto : https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500

    Here are a few examples for this and other join flavors: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer#example

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

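A stage-by-stage diagnostic for the rule query in the question, added here as an example; it is not part of the original post or of the Sentinel template. It reuses the rule's own lookback values, tables and time gate; `normalize_domain` and the stage labels are names chosen for this example, and the normalized join (3b) is an addition the rule itself does not perform.

```kusto
// Run in Logs: reports how many candidate rows survive each stage of the rule,
// so the stage where the count drops to zero points at the failing condition.
let dt_lookBack = 8h;
let ioc_lookBack = 15d;
// Lowercase and strip a trailing dot so "Example.COM." and "example.com" compare equal
let normalize_domain = (d:string) { tolower(trim_end(@"\.", d)) };
let ioc = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | where Active == true
    | where isnotempty(DomainName)
    | extend Domain = normalize_domain(DomainName);
let dns = DnsEvents
    | where TimeGenerated > ago(dt_lookBack)
    | where isnotempty(Name)
    | extend Domain = normalize_domain(Name), DNS_TimeGenerated = TimeGenerated;
union
    (ioc | summarize Rows = count() | extend Stage = "1 active domain IOCs in ioc_lookBack"),
    (dns | summarize Rows = count() | extend Stage = "2 DnsEvents in dt_lookBack"),
    // 3a uses the same exact, case-sensitive key as the rule
    (ioc | join kind=inner (dns) on $left.DomainName == $right.Name
         | summarize Rows = count() | extend Stage = "3a exact DomainName == Name"),
    // 3b joins on the normalized key; a higher count than 3a means case or trailing-dot differences
    (ioc | join kind=inner (dns) on Domain
         | summarize Rows = count() | extend Stage = "3b normalized domain match"),
    // 4 applies the rule's time gate: the DNS query must fall after the indicator's
    // TimeGenerated (ingestion) and before its ExpirationDateTime
    (ioc | join kind=inner (dns) on Domain
         | where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
         | summarize Rows = count() | extend Stage = "4 match inside indicator validity window")
| project Stage, Rows
| order by Stage asc
```

If 3a is zero but 3b is not, the DnsEvents Name and the indicator DomainName differ only in case or a trailing dot, which the rule's `==` join treats as distinct. If 3b is non-zero but 4 is zero, the DNS queries happened before the indicator was ingested (or after it expired), so the rule's time gate discards them even though the domains match.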