KQL Search

//The Anomaly rule "Domain generation algorithm (DGA) on DNS domains" should have excluded private TLD domains
let _RareBenignDomains = toscalar(
    _GetWatchlist("Domain-RareBenignDomains")
    | summarize make_list(Domain)
    );
Anomalies
| where (RuleName endswith "Domain generation algorithm (DGA) on DNS domains" or RuleName endswith "Potential domain generation algorithm (DGA) on next-level DNS Domains")
    and RuleStatus != "Flighting"
| extend
    Domain = AnomalyDetails["Observables"][iff(RuleName has "Potential", 2, 3)]["Value"],
    SourceIPAddress = tostring(Entities[0]["Address"])
| mv-expand Domain to typeof(string)
| summarize
    TimeGenerated = min(TimeGenerated),
    SourceIPAddresses = make_set(SourceIPAddress),
    SourceIPAddressesCount = dcount(SourceIPAddress),
    take_any(Tactics, Techniques)
    by Domain, RuleName
| extend
    SLD = extract(@"([^\.]+\.[^\.]+)$", 1, Domain),
    TLD = extract(@"[^\.]+\.([^\.]+)$", 1, Domain)
| where not(SLD in (_RareBenignDomains))
| project
    TimeGenerated,
    RuleName,
    Domain,
    SLD,
    TLD,
    SourceIPAddressesCount,
    SourceIPAddresses,
    Tactics,
    Techniques