Uncovering Fast Flux With Sentinel Threat Intelligence
Query
// https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a
let FastFlux =
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1568.001"
| project ObservableValue;
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == "DnsConnectionInspected"
| where AdditionalFields.direction == "Out"
| where AdditionalFields.query has_any (FastFlux)Explanation
This query is designed to identify potential cybersecurity threats related to a specific MITRE ATT&CK technique (T1568.001) known as "Fast Flux." Here's a simplified breakdown of what the query does:
-
Threat Intelligence Indicators Extraction:
- It looks at threat intelligence data from the past year (
365 days). - It filters for indicators that are currently valid (
now()is betweenValidFromandValidUntil). - It checks for indicators that have associated labels.
- It expands these labels and filters for those associated with "mitre."
- It extracts the MITRE ID from these labels and checks if it matches "T1568.001" (Fast Flux).
- It collects the observable values (e.g., domain names or IP addresses) related to this MITRE technique.
- It looks at threat intelligence data from the past year (
-
Device Network Events Monitoring:
- It examines network events from the last hour.
- It focuses on events where the action type is "DnsConnectionInspected," meaning DNS queries are being monitored.
- It filters for outgoing DNS queries.
- It checks if any of these queries match the observable values identified as Fast Flux threats.
In summary, this query is used to detect outgoing DNS queries from devices that match known Fast Flux threat indicators, helping to identify potential malicious activity related to this technique.
Details

Steven Lim
Released: April 28, 2025
Tables
ThreatIntelIndicatorsDeviceNetworkEvents
Keywords
ThreatIntelIndicatorsDeviceNetworkEventsDataLabelsAdditionalFieldsObservableValueTimeGeneratedActionTypeDirectionQuery
Operators
let|>ago()between()..isnotempty()mv-expandhasextendparse_json()tostring()==projecthas_any()
MITRE Techniques