Domain name lookup from query results

Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating over a certain interval. From the domain names generated in the result, I want to ...

APIs

azure

siem

soar

threat hunting

cyb3rmik3
Jul 08, 2024
abon13 hi,

There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domains (NRD) feeds available out there, some paid some free from the community. Once you have found your feed, then it can be easily integrated with a detection rule in your XDR or analytic in your Sentinel.

You may check the following KQL query as an example:

let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False); let SuspDomainList = NRDMonthFeed | distinct domain; DeviceNetworkEvents | extend ToLowerUrl = tolower(RemoteUrl) | where RemoteUrl has_any (SuspDomainList) | project Timestamp, DeviceName, RemoteUrl

EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the date registration of the domain. Check the following instructions:

Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn

If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like

cyb3rmik3

Iron Contributor

Jul 08, 2024

abon13 hi,

There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domains (NRD) feeds available out there, some paid some free from the community. Once you have found your feed, then it can be easily integrated with a detection rule in your XDR or analytic in your Sentinel.

You may check the following KQL query as an example:

let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False);
let SuspDomainList = NRDMonthFeed
| distinct domain;
DeviceNetworkEvents
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (SuspDomainList)
| project Timestamp, DeviceName, RemoteUrl

EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the date registration of the domain. Check the following instructions:

Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

abon13
Brass Contributor
Jul 09, 2024
cyb3rmik3
This sounds good. Thank you !!

Forum Discussion

Domain name lookup from query results

Share

Resources