Query Details

Uncovering Fast Flux With Sentinel Threat Intelligence

Query

// https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a
// Stage 1: collect the currently valid TI observables tagged with
// MITRE ATT&CK T1568.001 (Dynamic Resolution: Fast Flux DNS)
let FastFlux =
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)   // indicator must still be inside its validity window
| where isnotempty(Data.labels)
| mv-expand Data.labels                          // one row per label; expanded column is Data_labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1568.001"
| project ObservableValue;
// Stage 2: outbound DNS lookups from the last hour whose queried name hits one of those observables
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == "DnsConnectionInspected"
| where AdditionalFields.direction == "Out"
| where AdditionalFields.query has_any (FastFlux)

Explanation

This query surfaces endpoint DNS activity that matches threat intelligence tagged with MITRE ATT&CK technique T1568.001, Dynamic Resolution: Fast Flux DNS, the technique covered in CISA advisory AA25-093A. Fast flux rotates the IP addresses (and sometimes the name servers) behind a malicious domain at high speed so that blocking a single address has little effect; the domain name itself is therefore the stable indicator, and DNS lookups are where it is most visible. The query works in two stages:

  1. Threat Intelligence Indicators Extraction:

    • It reads ThreatIntelIndicators rows ingested in the past year (365 days).
    • It keeps only indicators that are currently valid (now() falls between ValidFrom and ValidUntil), so expired or not-yet-active indicators do not generate matches.
    • It discards indicators with no labels.
    • It expands the labels array (mv-expand, producing one row per label in the Data_labels column) and keeps labels that mention "mitre".
    • It parses each such label as JSON, reads its Alias field as the MITRE ID, and keeps only rows where the ID is T1568.001.
    • It projects the ObservableValue (the domain name or other indicator value) into the FastFlux list.
  2. Device Network Events Monitoring:

    • It reads DeviceNetworkEvents from the last hour.
    • It keeps DnsConnectionInspected events, the action type Defender for Endpoint records when it inspects DNS traffic.
    • It keeps only outbound lookups (AdditionalFields.direction == "Out").
    • It flags any event whose queried name (AdditionalFields.query) matches one of the FastFlux observables via has_any.

In summary, the query returns outbound DNS queries from managed devices that match known Fast Flux indicators, which is a strong pointer to command-and-control or phishing infrastructure of the kind described in the advisory. Two practical notes: the one-hour window on DeviceNetworkEvents means the query must run at least hourly as a scheduled analytics rule or hunts will have gaps, and a hit shows that a device resolved the name, not that a connection succeeded, so pivot on DeviceNetworkEvents and DeviceProcessEvents for the same device and time to confirm the activity.
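To make the two-stage logic testable offline, here is an added Python model of the same filtering over constructed records shaped like ThreatIntelIndicators and DeviceNetworkEvents rows. It is example code, not the page's query and not a Sentinel API: the record layout, the JSON shape of the labels (a Source field containing "mitre" and an Alias field carrying the technique ID) and the name-matching rule (exact name or subdomain, case-insensitive) are this example's assumptions, and that matching rule is deliberately simpler than KQL's term-based has_any.

```python
"""Offline model of the Fast Flux hunt (added example, not the page's KQL).

Stage 1 mirrors the `FastFlux` let-statement: ThreatIntelIndicators rows seen in the
last 365 days, currently valid, with a 'mitre' label whose Alias is T1568.001.
Stage 2 mirrors the DeviceNetworkEvents part: outbound DnsConnectionInspected events
from the last hour whose queried name matches a stage-1 observable.
Record layouts and label JSON are constructed for this example; the match rule
(exact name or subdomain, case-insensitive) is this script's choice, not KQL has_any.
"""
import json
from datetime import datetime, timedelta, timezone

FAST_FLUX_TECHNIQUE = "T1568.001"


def _label_alias(label):
    """Alias of a label that mentions 'mitre', like
    `where Data_labels has "mitre" | extend MitreID = parse_json(tostring(Data_labels)).Alias`."""
    text = label if isinstance(label, str) else json.dumps(label)
    if "mitre" not in text.lower():
        return None
    try:
        parsed = json.loads(text) if isinstance(label, str) else label
    except json.JSONDecodeError:
        return None
    return parsed.get("Alias") if isinstance(parsed, dict) else None


def fast_flux_observables(indicators, now, lookback=timedelta(days=365)):
    """Stage 1: lower-cased ObservableValues tagged T1568.001 and valid at `now`."""
    observables = set()
    for row in indicators:
        if row["TimeGenerated"] <= now - lookback:          # TimeGenerated > ago(365d)
            continue
        if not (row["ValidFrom"] <= now <= row["ValidUntil"]):  # now() between (ValidFrom .. ValidUntil)
            continue
        labels = row.get("Data", {}).get("labels") or []    # isnotempty(Data.labels)
        for label in labels:                                # mv-expand Data.labels
            if _label_alias(label) == FAST_FLUX_TECHNIQUE:
                observables.add(row["ObservableValue"].lower())
                break
    return observables


def _name_matches(query, observables):
    """Exact or subdomain match, ignoring case and a trailing dot (example's own rule)."""
    q = query.rstrip(".").lower()
    return any(q == o or q.endswith("." + o) for o in observables)


def matching_dns_events(events, observables, now, window=timedelta(hours=1)):
    """Stage 2: outbound DNS inspections inside the window that hit an observable."""
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - window:             # TimeGenerated > ago(1h)
            continue
        if ev["ActionType"] != "DnsConnectionInspected":
            continue
        extra = ev["AdditionalFields"]
        if extra.get("direction") != "Out":
            continue
        if _name_matches(extra.get("query", ""), observables):
            hits.append(ev)
    return hits


def run_hunt(indicators, events, now):
    return matching_dns_events(events, fast_flux_observables(indicators, now), now)


# --- constructed sample data (not real indicators or telemetry) ---
NOW = datetime(2025, 4, 28, 12, 0, tzinfo=timezone.utc)
MITRE_FF = json.dumps({"Name": "Fast Flux DNS", "Alias": "T1568.001", "Source": "mitre"})
MITRE_OTHER = json.dumps({"Name": "Domain Generation Algorithms", "Alias": "T1568.002", "Source": "mitre"})


def _ti(value, labels, days_ago=30, valid_days=90):
    seen = NOW - timedelta(days=days_ago)
    return {"TimeGenerated": seen, "ValidFrom": seen, "ValidUntil": seen + timedelta(days=valid_days),
            "ObservableValue": value, "Data": {"labels": labels}}


def _dns(query, minutes_ago=5, direction="Out", action="DnsConnectionInspected"):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "ActionType": action,
            "DeviceName": "ws01", "AdditionalFields": {"direction": direction, "query": query}}


SAMPLE_INDICATORS = [
    _ti("flux-c2.example", [MITRE_FF]),                              # valid and tagged: kept
    _ti("expired.example", [MITRE_FF], days_ago=200, valid_days=30),  # ValidUntil has passed: dropped
    _ti("dga.example", [MITRE_OTHER]),                               # different technique: dropped
    _ti("untagged.example", []),                                     # no labels: dropped
]

SAMPLE_EVENTS = [
    _dns("www.flux-c2.example"),                  # subdomain of a live indicator: hit
    _dns("expired.example"),                      # indicator no longer valid: no hit
    _dns("flux-c2.example", direction="In"),      # inbound: no hit
    _dns("flux-c2.example", minutes_ago=180),     # outside the one-hour window: no hit
    _dns("dga.example"),                          # T1568.002, not T1568.001: no hit
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_INDICATORS, SAMPLE_EVENTS, NOW):
        print(hit["TimeGenerated"].isoformat(), hit["DeviceName"], hit["AdditionalFields"]["query"])
```

The sample set is built so that each filter in the KQL rejects exactly one record; only the outbound lookup of www.flux-c2.example survives, which is the behaviour to expect from the real query when an endpoint resolves a subdomain of a live T1568.001 indicator.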

Details

Steven Lim

Released: April 28, 2025

Tables

ThreatIntelIndicators
DeviceNetworkEvents

Keywords

ThreatIntelIndicators, DeviceNetworkEvents, Data, Labels, AdditionalFields, ObservableValue, TimeGenerated, ActionType, Direction, Query

Operators

let, |, >, ago(), between(), .., isnotempty(), mv-expand, has, extend, parse_json(), tostring(), ==, project, has_any()