Forum Discussion

abon13
Brass Contributor
Jul 08, 2024

Domain name lookup from query results

Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating with over a certain interval.

From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement a whois lookup from the query results.


  • cyb3rmik3
    Iron Contributor

    abon13 hi,

    There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domain (NRD) feeds available out there, some paid, some free from the community. Once you have found your feed, it can be easily integrated with a detection rule in your XDR or an analytic in your Sentinel.

    You may check the following KQL query as an example:


    // Newly-registered-domain feed: one domain per row, no header row, so ignoreFirstRecord stays False
    let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False);
    // Deduplicate and drop blank rows; has_any only considers a limited number of distinct values
    // (10,000 per the Kusto docs), so a large monthly feed may need a join on the extracted hostname instead
    let SuspDomainList = NRDMonthFeed
    | where isnotempty(domain)
    | distinct domain;
    DeviceNetworkEvents
    | extend ToLowerUrl = tolower(RemoteUrl)
    // Filter on the normalized column; has_any is case-insensitive, but the column must still be the one that is matched
    | where ToLowerUrl has_any (SuspDomainList)
    | project Timestamp, DeviceName, RemoteUrl


    EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the registration date of the domain. Check the following instructions:

    Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn


    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like
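The reply above notes that the whois step has to happen outside the query, in an automation or connector. As an added example (not code from this thread, from Microsoft, or from any connector), here is that post-query step in Python: take the RemoteUrl values the beacon-detection query returned, reduce each to its registrable domain, ask RDAP (the JSON successor to port-43 WHOIS) for the "registration" event, and split the results into "registered in the last 30 days" and "no registration date published". The https://rdap.org redirector URL and the last-two-labels domain reduction are assumptions; the URLs and RDAP answers in the block are constructed sample data, and the lookup is injectable so the triage logic runs offline.

```python
"""Domain-age triage for domains exported from a beacon-detection query.
Added example; RDAP via https://rdap.org is an assumption (any RDAP server
with /domain/<name> works). RDAP is used instead of WHOIS because the
registration date arrives as an ISO-8601 event, not registrar free text."""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Optional, Tuple

NEW_DOMAIN_WINDOW_DAYS = 30


def registrable_domain(remote_url: str) -> str:
    """Reduce a RemoteUrl/hostname value to the name RDAP expects.
    Assumption: the registrable domain is the last two labels. That is wrong
    for multi-label public suffixes (co.uk); apply the Public Suffix List in
    a real pipeline."""
    host = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", remote_url.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def registration_date(rdap: dict) -> Optional[datetime]:
    """RDAP 'registration' event as UTC datetime, or None when the registry
    does not publish it (some ccTLDs redact or omit it)."""
    for event in rdap.get("events", []):
        stamp = event.get("eventDate")
        if event.get("eventAction") == "registration" and stamp:
            # fromisoformat() on Python < 3.11 rejects a trailing "Z"
            created = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            if created.tzinfo is None:
                created = created.replace(tzinfo=timezone.utc)
            return created.astimezone(timezone.utc)
    return None


def is_newly_registered(rdap: dict, now: datetime,
                        window_days: int = NEW_DOMAIN_WINDOW_DAYS) -> Optional[bool]:
    """True if registered inside the window, False if older, None if unknown.
    Unknown stays distinct so missing data is not silently treated as 'old'."""
    created = registration_date(rdap)
    if created is None:
        return None
    return now - created <= timedelta(days=window_days)


def rdap_lookup(domain: str, timeout: float = 10.0) -> dict:
    """Live RDAP query (network call; the triage logic does not depend on it)."""
    req = urllib.request.Request(f"https://rdap.org/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(remote_urls: Iterable[str], now: datetime,
           lookup: Callable[[str], dict] = rdap_lookup,
           window_days: int = NEW_DOMAIN_WINDOW_DAYS) -> Tuple[List[str], List[str]]:
    """Look up each distinct registrable domain once; return (alert, unknown).
    Lookup failures (timeout, rate limit, unsupported TLD) land in unknown."""
    alert: List[str] = []
    unknown: List[str] = []
    for domain in sorted({registrable_domain(u) for u in remote_urls}):
        try:
            verdict = is_newly_registered(lookup(domain), now, window_days)
        except Exception:
            verdict = None
        if verdict is True:
            alert.append(domain)
        elif verdict is None:
            unknown.append(domain)
    return alert, unknown


# Constructed sample data: RemoteUrl values from a query and canned RDAP answers.
SAMPLE_NOW = datetime(2024, 7, 8, tzinfo=timezone.utc)
SAMPLE_REMOTE_URLS = [
    "https://cdn.update-check.example:8443/beacon",
    "update-check.example",
    "http://www.long-lived.example/",
    "redacted-registry.example",
]
SAMPLE_RDAP: Dict[str, dict] = {
    "update-check.example": {"events": [
        {"eventAction": "registration", "eventDate": "2024-06-20T14:03:11Z"},
        {"eventAction": "last changed", "eventDate": "2024-06-21T00:00:00Z"}]},
    "long-lived.example": {"events": [
        {"eventAction": "registration", "eventDate": "2011-03-05T09:00:00+00:00"}]},
    "redacted-registry.example": {"events": [
        {"eventAction": "last changed", "eventDate": "2024-01-01T00:00:00Z"}]},
}


def run_sample() -> Tuple[List[str], List[str]]:
    """Triage the constructed sample without touching the network."""
    return triage(SAMPLE_REMOTE_URLS, SAMPLE_NOW, lookup=lambda d: SAMPLE_RDAP[d])


if __name__ == "__main__":
    new, unknown = run_sample()
    print("ALERT (registered in last 30 days):", new)
    print("NO REGISTRATION DATE (review manually):", unknown)
```

Feed the `alert` list back to whatever raises the incident (a Sentinel automation rule, a Logic App, a webhook); the `unknown` list deserves its own lower-severity queue, because a registry that withholds the creation date is exactly the gap an attacker registering through a privacy-heavy TLD benefits from. The lookup is made once per distinct registrable domain, which keeps RDAP rate limits manageable when a query returns thousands of URLs to a handful of hosts.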
