Query Details
//When Defender for Cloud detects communication with a DNS sinkhole, find the devices and processes initiating the connection
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - M365 Defender - Device* tables
let domain=
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName startswith "Attempted communication with suspicious sinkholed domain"
| mv-expand todynamic(Entities)
| extend DomainName = tostring(Entities.DomainName)
| where isnotempty(DomainName)
| distinct DomainName;
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl in~ (domain)
| project
TimeGenerated,
ActionType,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessCommandLine,
LocalIP,
RemoteIP,
RemoteUrl,
RemotePort

This query finds the devices and processes that initiated communication with a suspicious sinkholed domain. It draws on the SecurityAlert table (where the Defender products write their alerts) and the DeviceNetworkEvents table from Microsoft 365 Defender. The first part filters sinkholed-domain alerts from the past day, expands the Entities column and extracts the DomainName of each entity, keeping only distinct, non-empty values. The second part searches DeviceNetworkEvents over the past seven days for rows whose RemoteUrl matches one of those domains (in~ is a case-insensitive match), then projects the time generated, action type, device name, initiating process account name and command line, local IP, remote IP, remote URL and remote port.

Matt Zorich
Released: June 19, 2022
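A broader variant of the same pivot, added here as an example and not part of Matt Zorich's original query: it lower-cases the domain on both sides, counts distinct alerts per domain via SystemAlertId, summarises the matching network events per device and process, and flags where the first connection pre-dates the first alert. It assumes the standard SecurityAlert and DeviceNetworkEvents column names (SystemAlertId, InitiatingProcessFileName).

```kql
// Added example, not the original query. Same sinkhole-alert pivot, but
// normalised to lower case, de-duplicated per alert and summarised so that
// one row per (device, process, domain) is returned for triage.
// Assumes the standard SecurityAlert and DeviceNetworkEvents schemas.
let sinkholeDomains =
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName startswith "Attempted communication with suspicious sinkholed domain"
| mv-expand todynamic(Entities)
| extend DomainName = tolower(tostring(Entities.DomainName))
| where isnotempty(DomainName)
// one row per domain: when it was first alerted on and how many distinct alerts named it
| summarize FirstAlert = min(TimeGenerated), Alerts = dcount(SystemAlertId) by DomainName;
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where isnotempty(RemoteUrl)
| extend DomainName = tolower(RemoteUrl)
| join kind=inner sinkholeDomains on DomainName
| summarize
    Connections = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    RemoteIPs = make_set(RemoteIP, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, DomainName, FirstAlert, Alerts
// connections seen before the alert fired point at activity the alert did not cover
| extend PreDatesAlert = FirstSeen < FirstAlert
| order by Connections desc
```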