Domain name lookup from query results

Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating over a certain interval. 

From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement whois lookup from the query results.

Thank you !!
Solution (best response confirmed by abon13)

@abon13 hi,

There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domain (NRD) feeds available out there, some paid, some free from the community. Once you have found your feed, it can easily be integrated with a detection rule in your XDR or an analytic rule in your Sentinel.

You may check the following KQL query as an example:

// Newly-registered-domain feed (one-month window) pulled in as an external table
let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False);
// De-duplicate the feed before using it as the match list
let SuspDomainList = NRDMonthFeed
| distinct domain;
DeviceNetworkEvents
| extend ToLowerUrl = tolower(RemoteUrl)
// Filter on the lower-cased column the extend produced (the original filtered on RemoteUrl and left ToLowerUrl unused)
| where ToLowerUrl has_any (SuspDomainList)
| project Timestamp, DeviceName, RemoteUrl

EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the registration date of the domain. Check the following instructions:

Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like
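An added example, not from this thread or from either connector: a Python post-processing step that takes the RemoteUrl values exported from the beacon query, looks up each domain's registration date, and flags the ones created within the 30-day window the question asks for. It assumes the lookup service returns RDAP-style JSON (the JSON successor to whois, with an `events` list); a constructed in-memory table stands in for the live DomainWhois/RDAP call, and `DEMO_NOW` is a fixed clock so the run is reproducible.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NEW_DOMAIN_WINDOW = timedelta(days=30)   # alert threshold from the question
DEMO_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run

# Constructed stand-in for a whois/RDAP service: domain -> RDAP-style record.
# A real integration would call the DomainWhois connector / RDAP endpoint here.
SAMPLE_RDAP = {
    "example.com":  {"events": [{"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"}]},
    "fresh-c2.net": {"events": [{"eventAction": "registration", "eventDate": "2024-06-20T09:30:00Z"},
                                {"eventAction": "last changed", "eventDate": "2024-06-21T00:00:00Z"}]},
    "no-dates.org": {"events": []},
}

def registrable_name(remote_url: str) -> str:
    """Reduce a RemoteUrl value (bare host, host:port or full URL) to a lowercase host name."""
    value = remote_url.strip().lower()
    host = urlparse(value).hostname if "://" in value else value.split("/")[0]
    return (host or "").rstrip(".").split(":")[0]

def registration_date(record: dict):
    """Return the registration datetime from an RDAP-style record, or None if it has none."""
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def flag_new_domains(remote_urls, lookup, now, window=NEW_DOMAIN_WINDOW):
    """Return {domain: age_in_days} for domains registered within `window` of `now`.
    Domains the service knows but has no registration date for are reported with age None,
    so a missing date is surfaced rather than silently treated as 'old'."""
    flagged = {}
    for url in remote_urls:
        domain = registrable_name(url)
        record = lookup(domain)
        if record is None:
            continue   # unknown to the service; nothing to decide on
        created = registration_date(record)
        if created is None:
            flagged[domain] = None
        elif now - created <= window:
            flagged[domain] = (now - created).days
    return flagged

if __name__ == "__main__":
    hits = ["https://example.com/api", "fresh-c2.net:8443", "no-dates.org", "unknown.test"]
    print(flag_new_domains(hits, SAMPLE_RDAP.get, DEMO_NOW))
```

To wire this into the workflow, replace `SAMPLE_RDAP.get` with a function that calls the connector and returns the parsed JSON, and feed the flagged dictionary into your alerting step.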

@cyb3rmik3
This sounds good. Thank you !!