Query Details

Potential Malicous Domain Registration

Query

RegisteredDomains_CL
| where QueryType_s == "domainsearch"
| summarize arg_max(TimeGenerated,*) by DomainName_s
| project TimeGenerated, DomainName=DomainName_s, IsActive=Active_s, SearchTerm=SearchTerm_s
| extend DetonateHTTPUrl = strcat("http://",DomainName)
| extend DetonateHTTPSUrl = strcat("https://",DomainName)

Explanation

This query is designed to check for potential malicious domain registrations. It looks at a custom log called "RegisteredDomains" and alerts when new entries are added. The log is created using a logic app that checks for newly created domains containing a specific keyword. The query filters the log for entries with a QueryType of "domainsearch" and then groups the results by DomainName. It also creates two additional columns, DetonateHTTPUrl and DetonateHTTPSUrl, which are URLs constructed using the DomainName. The query has a low severity level and runs once a day. If a new domain is detected, it creates an incident and provides details about the domain and the potential risks associated with it. The incident grouping configuration is set to group all related entities together. The query does not have any suppression or event grouping settings enabled.

Details

Fabian Bader profile picture

Fabian Bader

Released: July 25, 2023

Tables

RegisteredDomains_CL

Keywords

RegisteredDomains_CLQueryType_sDomainName_sTimeGeneratedIsActiveActive_sSearchTerm_sDetonateHTTPUrlDetonateHTTPSUrlDomainName

Operators

|==wheresummarizearg_maxbyprojectextendstrcat

Severity

Low

Tactics

ResourceDevelopment

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub