Query Details

Potential Malicious Domain Registration

Query

id: 91302a05-c2ca-414d-8341-c82658ea3c1f
name: Potential malicious domain registration
version: 1.0.0
kind: Scheduled
description: This rule checks the custom log RegisteredDomains and alerts when new entries are added. The custom log is created using a logic app, checking for newly created domains that contain a certain keyword
severity: Low
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - ResourceDevelopment
relevantTechniques:
  - T1583
query: |
  RegisteredDomains_CL
  | where QueryType_s == "domainsearch"
  | summarize arg_max(TimeGenerated,*) by DomainName_s
  | project TimeGenerated, DomainName=DomainName_s, IsActive=Active_s, SearchTerm=SearchTerm_s
  | extend DetonateHTTPUrl = strcat("http://",DomainName)
  | extend DetonateHTTPSUrl = strcat("https://",DomainName)
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities: []
    groupByAlertDetails: []
    lookbackDuration: 5h
    enabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplaynameFormat: "New domain registered: {{DomainName}}"
  alertDescriptionFormat: "A new domain was registered that contains the keyword \"{{SearchTerm}}\"\n\nThis could be a first step in setting up malicious infrastructure for e.g. phishing or email fraud attempts.\n\nCheck if this domain was registered by your company, otherwise block this URL for incoming emails and add it as custom block indicator for Microsoft Defender for Endpoint and Microsoft Sentinel "
customDetails:
  DomainIsActive: IsActive
  SearchTerm: SearchTerm
entityMappings:
  - entityType: URL
    fieldMappings:
      - columnName: DetonateHTTPSUrl
        identifier: Url
  - entityType: URL
    fieldMappings:
      - columnName: DetonateHTTPUrl
        identifier: Url
  - entityType: DNS
    fieldMappings:
      - columnName: DomainName
        identifier: DomainName
suppressionEnabled: false

Explanation

This query checks for potential malicious domain registrations. It reads the custom log RegisteredDomains_CL, which a logic app populates with newly registered domains that contain a specific keyword, and alerts when new entries appear. The query keeps only entries whose QueryType_s is "domainsearch", then applies arg_max(TimeGenerated, *) by DomainName_s so that only the most recent row for each domain survives. It renames the columns to DomainName, IsActive and SearchTerm and adds two columns, DetonateHTTPUrl and DetonateHTTPSUrl, built by prefixing the domain name with http:// and https://; both are mapped as URL entities and DomainName as a DNS entity, so the domain can be enriched or detonated directly from the incident. The rule has Low severity and runs once a day over a one-day lookback, firing whenever at least one row is returned (triggerOperator gt, triggerThreshold 0). Every result row becomes its own alert (aggregationKind AlertPerResult) and each alert creates an incident; incident grouping is configured with matchingMethod AllEntities but is disabled, and alert suppression is disabled. The alert title and description are filled from the matched domain and search term, and DomainIsActive and SearchTerm are attached as custom details.
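To make the pipeline semantics concrete, the following added example (not part of the original rule or its author's code) re-implements the KQL steps in Python over a few constructed RegisteredDomains_CL rows. In particular it shows what `summarize arg_max(TimeGenerated, *) by DomainName_s` does: when the logic app has written the same domain more than once within the lookback period (here, first as inactive and later as active), only the newest row is kept, so the rule raises one alert per domain with the latest Active_s value. The row shape and values are constructed for illustration; the column names follow the query.

```python
"""Python re-implementation of the rule's KQL pipeline, for illustration only.

Added example; the real rule runs as KQL inside Microsoft Sentinel.
"""
from datetime import datetime, timezone

# Constructed sample rows shaped like RegisteredDomains_CL (not real telemetry).
# The same domain appears twice: once before and once after it went active.
SAMPLE_ROWS = [
    {"TimeGenerated": datetime(2023, 7, 24, 8, 0, tzinfo=timezone.utc),
     "QueryType_s": "domainsearch", "DomainName_s": "contoso-login.example",
     "Active_s": "false", "SearchTerm_s": "contoso"},
    {"TimeGenerated": datetime(2023, 7, 24, 20, 0, tzinfo=timezone.utc),
     "QueryType_s": "domainsearch", "DomainName_s": "contoso-login.example",
     "Active_s": "true", "SearchTerm_s": "contoso"},
    {"TimeGenerated": datetime(2023, 7, 24, 9, 30, tzinfo=timezone.utc),
     "QueryType_s": "domainsearch", "DomainName_s": "contoso-support.example",
     "Active_s": "true", "SearchTerm_s": "contoso"},
    # A row with a different QueryType_s, which the where clause drops.
    {"TimeGenerated": datetime(2023, 7, 24, 9, 45, tzinfo=timezone.utc),
     "QueryType_s": "whois", "DomainName_s": "contoso.example",
     "Active_s": "true", "SearchTerm_s": "contoso"},
]


def run_rule(rows):
    """Apply the rule's where / summarize / project / extend steps to rows."""
    # | where QueryType_s == "domainsearch"
    searches = [r for r in rows if r["QueryType_s"] == "domainsearch"]

    # | summarize arg_max(TimeGenerated, *) by DomainName_s
    # arg_max keeps the entire row (the "*") with the greatest TimeGenerated
    # for each distinct DomainName_s.
    latest = {}
    for r in searches:
        domain = r["DomainName_s"]
        if domain not in latest or r["TimeGenerated"] > latest[domain]["TimeGenerated"]:
            latest[domain] = r

    results = []
    for r in latest.values():
        # | project TimeGenerated, DomainName=DomainName_s, IsActive=Active_s,
        #           SearchTerm=SearchTerm_s
        out = {
            "TimeGenerated": r["TimeGenerated"],
            "DomainName": r["DomainName_s"],
            "IsActive": r["Active_s"],
            "SearchTerm": r["SearchTerm_s"],
        }
        # | extend DetonateHTTPUrl = strcat("http://", DomainName)
        # | extend DetonateHTTPSUrl = strcat("https://", DomainName)
        out["DetonateHTTPUrl"] = "http://" + out["DomainName"]
        out["DetonateHTTPSUrl"] = "https://" + out["DomainName"]
        results.append(out)

    # KQL does not guarantee output order; sort here so results are stable.
    return sorted(results, key=lambda o: o["DomainName"])


if __name__ == "__main__":
    for row in run_rule(SAMPLE_ROWS):
        # With aggregationKind AlertPerResult, each of these rows is one alert.
        print(row["DomainName"], row["IsActive"], row["DetonateHTTPSUrl"])
```

Because queryFrequency and queryPeriod are both 1d, each run sees only the previous day's rows; arg_max collapses duplicates within that window but does not suppress a domain that the logic app writes again on a later day, which is why the alert text asks the analyst to check the domain and add it as a block indicator rather than relying on the rule to deduplicate across days.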

Details

Fabian Bader

Released: July 25, 2023

Tables

RegisteredDomains_CL

Keywords

RegisteredDomains_CL,QueryType_s,DomainName_s,TimeGenerated,IsActive,Active_s,SearchTerm_s,DetonateHTTPUrl,DetonateHTTPSUrl,DomainName,DetonateHTTPSUrl,DetonateHTTPUrl

Operators

|, ==, where, summarize, arg_max, by, project, extend, strcat