Potential Malicous Domain Registration
Query
RegisteredDomains_CL
| where QueryType_s == "domainsearch"
| summarize arg_max(TimeGenerated,*) by DomainName_s
| project TimeGenerated, DomainName=DomainName_s, IsActive=Active_s, SearchTerm=SearchTerm_s
| extend DetonateHTTPUrl = strcat("http://",DomainName)
| extend DetonateHTTPSUrl = strcat("https://",DomainName)Explanation
This query is designed to check for potential malicious domain registrations. It looks at a custom log called "RegisteredDomains" and alerts when new entries are added. The log is created using a logic app that checks for newly created domains containing a specific keyword. The query filters the log for entries with a QueryType of "domainsearch" and then groups the results by DomainName. It also creates two additional columns, DetonateHTTPUrl and DetonateHTTPSUrl, which are URLs constructed using the DomainName. The query has a low severity level and runs once a day. If a new domain is detected, it creates an incident and provides details about the domain and the potential risks associated with it. The incident grouping configuration is set to group all related entities together. The query does not have any suppression or event grouping settings enabled.
Details

Fabian Bader
Released: July 25, 2023
Tables
Keywords
Operators
Severity
LowTactics
MITRE Techniques
Frequency: 1d
Period: 1d