Jul 07 2024 10:22 PM
Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating with over a certain interval.
From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement the whois lookup from the query results.
Thank you!!
Jul 08 2024 06:41 AM - edited Jul 08 2024 06:43 AM
@abon13 hi,
There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domain (NRD) feeds available out there, some paid, some free from the community. Once you have found your feed, it can be easily integrated with a detection rule in your XDR or an analytic rule in your Sentinel.
You may check the following KQL query as an example:
```kusto
// Pull the one-month NRD feed (one domain per row, no header row) as a table.
let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=false);
// De-duplicate the feed into the list we match against.
let SuspDomainList = NRDMonthFeed
| distinct domain;
DeviceNetworkEvents
// Normalise case so mixed-case URLs still match the lowercase feed entries.
| extend ToLowerUrl = tolower(RemoteUrl)
// Match on the lowercased column, not the raw RemoteUrl.
| where ToLowerUrl has_any (SuspDomainList)
| project Timestamp, DeviceName, RemoteUrl
```
EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the registration date of the domain. Check the following instructions:
Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
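As an added example (not code from the thread or from Sentinel), this is the same logic the KQL above applies, done as a post-processing step over the beacon query's RemoteUrl values: the registered domain is extracted from each URL, checked against an NRD feed, and, as the original question asked, checked against a WHOIS creation date for the 30-day window. The feed rows, the WHOIS dates and the domain names are constructed stand-ins; the real feed would come from externaldata() and the dates from the DomainWhois connector.

```python
"""Flag beacon RemoteUrl values whose registered domain is on an NRD feed
or whose WHOIS creation date is within the last 30 days.
Added example; feed rows, WHOIS dates and domains below are constructed."""
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed feed in the headerless one-column shape the KQL externaldata()
# call reads (ignoreFirstRecord=false: the first row is already a domain).
NRD_FEED_CSV = """evil-update.com
cdn-metrics.net
"""

# Constructed WHOIS creation dates, standing in for a Domain WHOIS lookup.
WHOIS_CREATED = {
    "evil-update.com": date(2024, 6, 20),
    "cdn-metrics.net": date(2023, 1, 5),
    "fresh-login.org": date(2024, 6, 15),
    "contoso.com": date(1999, 3, 10),
}

def load_nrd_feed(csv_text: str) -> set:
    """Parse the feed into a lowercase set, ignoring blank lines."""
    return {r.strip().lower() for r in csv_text.splitlines() if r.strip()}

def registered_domain(remote_url: str) -> str:
    """Reduce a RemoteUrl (with or without scheme/port/path) to its last two
    labels. Simplification: multi-label suffixes such as co.uk are not handled."""
    url = remote_url if "://" in remote_url else "//" + remote_url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_newly_registered(remote_url, nrd, whois, today, max_age_days=30):
    """True if the domain is on the NRD feed, or WHOIS shows it was created
    no more than max_age_days ago. Unknown domains are not flagged."""
    dom = registered_domain(remote_url)
    if dom in nrd:
        return True
    created = whois.get(dom)
    return created is not None and (today - created) <= timedelta(days=max_age_days)

def flag_urls(remote_urls, nrd, whois, today):
    """Return the RemoteUrl values from the beacon results worth alerting on."""
    return [u for u in remote_urls if is_newly_registered(u, nrd, whois, today)]
```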