Microsoft Sentinel SOC 101: How to Detect and Mitigate Rare Domains Seen in Cloud Logs with Microsoft Sentinel
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Cloud environments pose challenges and risks for security professionals, as they increase the attack surface and introduce new vectors for cyberattacks. One of the common techniques used by attackers to compromise cloud resources is to leverage rare or malicious domains, which are domains that have low popularity, reputation, or legitimacy, and are often associated with malicious activities such as phishing, malware distribution, command and control, or data exfiltration.
A domain name is a human-readable identifier that corresponds to an IP address of a server on the internet. For example, the domain name microsoft.com resolves to the IP address 40.76.4.15. Domain names are used to access websites, send and receive emails, and perform other online activities.
However, not all domain names are benign or legitimate. Some domains are created or compromised by attackers for malicious purposes, such as hosting phishing pages, distributing malware, or communicating with command-and-control servers. These domains are often obscure, random, or misspelled, and have a low reputation or popularity. They are also frequently changed or rotated to evade detection and blocking by security solutions.
Therefore, detecting and analyzing rare domains seen in cloud logs can help security analysts identify and investigate potential threats, such as:
Phishing attacks: Attackers may use rare domains to send spoofed or deceptive emails to trick users into clicking on malicious links or attachments or entering their credentials or other sensitive information.
Malware delivery: Attackers may use rare domains to host malicious files or scripts that are downloaded or executed by unsuspecting users or compromised systems.
Data exfiltration: Attackers may use rare domains to transfer data from compromised systems to their own servers, or to encrypt and ransom the data.
Command and control: Attackers may use rare domains to communicate with compromised systems, sending commands or receiving status updates.
Rare domains can be used by attackers to evade detection and bypass security controls, as they are less likely to be blocked or flagged by traditional security solutions. For example, attackers can use rare domains to host phishing pages, deliver malware payloads, communicate with compromised devices, or exfiltrate sensitive data. Rare domains can also be used to perform reconnaissance, enumeration, or lateral movement within the cloud environment, as they can help attackers discover and exploit vulnerabilities, misconfigurations, or weak credentials.
Detecting and mitigating rare domains seen in cloud logs is a critical task for security analysts, as it can help them identify and stop malicious activities, prevent data breaches, and protect the cloud infrastructure. However, detecting and mitigating rare domains is not a trivial task, as it requires collecting, analyzing, and correlating large volumes of cloud log data from various sources, such as Azure Active Directory, Office 365, Azure Monitor, Azure Firewall, and others. Moreover, it requires applying advanced techniques and tools, such as threat intelligence, machine learning, and automation, to filter out the noise, identify the anomalies, and respond to the incidents.
In this article, I’ll discuss how you can use Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution, to detect and mitigate rare domains seen in cloud logs. I’ll cover the following topics:
How to collect and ingest cloud log data into Microsoft Sentinel
How to use built-in hunting queries and analytics rules to detect rare domains in cloud logs
How to use threat intelligence and machine learning to enrich and validate rare domains
How to use automation rules and playbooks to mitigate rare domains and respond to incidents
Collecting and ingesting cloud log data into Microsoft Sentinel
The first step to detect and mitigate rare domains seen in cloud logs is to collect and ingest the relevant cloud log data into Microsoft Sentinel. Microsoft Sentinel supports various data connectors that allow you to easily collect and ingest data from different cloud sources, such as Entra ID, Office 365, Azure Monitor, Azure Firewall, and others. You can also use custom connectors or APIs to ingest data from other cloud sources that are not supported by the built-in connectors.
To collect and ingest cloud log data into Microsoft Sentinel, you need to follow these steps:
Navigate to the Microsoft Sentinel portal in the Azure portal.
Select the workspace where you want to collect and ingest the data.
Select Data connectors from the navigation menu.
Select the data connector that corresponds to the cloud source you want to collect data from. For example, if you want to collect data from Entra ID, select the Azure Active Directory connector.
Follow the instructions on the connector page to configure and enable the data collection. For example, for the Azure Active Directory connector, you need to select the sign-in logs and audit logs that you want to collect, and then click Open connector page to enable the data collection.
Repeat steps 4 and 5 for each data connector that you want to enable.
Verify that the data collection is working by selecting Logs from the navigation menu, and then running a query to check the data in the corresponding tables. For example, if you enabled the Entra ID connector, you can run the following query to check the data in the SigninLogs table:
SigninLogs
| take 10
Using built-in hunting queries and analytics rules to detect rare domains in cloud logs
The next step to detect and mitigate rare domains seen in cloud logs is to use the built-in hunting queries and analytics rules in Microsoft Sentinel to analyze and correlate the cloud log data. Hunting queries and analytics rules are predefined queries that use the Kusto Query Language (KQL) to search for specific patterns, indicators, or anomalies in the data that may indicate malicious activities. Hunting queries and analytics rules can also use parameters, variables, functions, or operators to customize and optimize the queries.
Microsoft Sentinel provides several built-in hunting queries and analytics rules that can help you detect rare domains in cloud logs, such as:
Rare domains seen in Azure AD sign-in logs
Rare domains seen in Office 365 email logs
Rare domains seen in Azure Monitor activity logs
Rare domains seen in Azure Firewall logs
You can also create your own hunting queries and analytics rules to detect rare domains in cloud logs, based on your own criteria, logic, or use cases.
To use the built-in hunting queries and analytics rules to detect rare domains in cloud logs, you need to follow these steps:
Navigate to the Microsoft Sentinel portal in the Azure portal.
Select the workspace where you ingested the cloud log data.
Select Hunting from the navigation menu.
Select the hunting query or analytics rule that corresponds to the cloud log data you want to analyze. For example, if you want to analyze the Azure AD sign-in logs, select the Rare domains seen in Azure AD sign-in logs query or rule.
Review the query or rule details, such as the description, severity, tactics, query, and parameters. You can also modify the query or rule to suit your needs, such as changing the parameters, variables, functions, or operators.
Run the query or rule by clicking Run query or Create rule. If you run the query, you will see the results in a table or a chart, depending on the query output. If you create the rule, you will see the rule configuration page, where you can specify the rule name, description, frequency, severity, tactics, and actions.
Review the query or rule results or configuration and take the appropriate actions. For example, if you run the query and see rare domains in the results, you can investigate them further by using the investigation graph or the entity page. If you create the rule and see rare domains in the incidents, you can respond to them by using the incident page or the playbook.
Using threat intelligence and machine learning to enrich and validate rare domains
The third step to detect and mitigate rare domains seen in cloud logs is to use threat intelligence and machine learning to enrich and validate the rare domains. Threat intelligence and machine learning are advanced techniques and tools that can help you enhance and verify the rare domains by providing additional information, context, or insights, such as:
The domain reputation, popularity, or legitimacy
The domain registration, expiration, or update date
The domain owner, registrar, or hosting provider
The domain associated IP addresses, subdomains, or certificates
The domain related indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), or threat actors
The domain similarity, distance, or entropy score
The domain risk, confidence, or severity score
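As an added example (not code from this article, from Microsoft, or from any of the providers named below), the following Python snippet shows how two of the signals listed above, a threat-intelligence match and the domain's registration age, can be combined into a per-domain verdict. The indicator rows and registration dates are constructed inline; the column names DomainName, ConfidenceScore and Description follow Sentinel's ThreatIntelligenceIndicator table, while the registrable-domain helper, the 30-day newness window and the score weights are assumptions chosen for illustration. Matching falls back from the exact FQDN to its registrable domain so that a subdomain of a known-bad domain is still caught.

```python
from datetime import date

# Constructed threat-intelligence indicators, shaped loosely like rows of the
# ThreatIntelligenceIndicator table. Made-up values, not a real feed.
TI_INDICATORS = [
    {"DomainName": "xk7q2zv9-cdn.example", "ConfidenceScore": 90,
     "Description": "constructed: command-and-control infrastructure"},
    {"DomainName": "badhost.example", "ConfidenceScore": 60,
     "Description": "constructed: phishing kit host"},
]

# Constructed registration dates standing in for a WHOIS/RDAP lookup result.
REGISTRATION_DATES = {
    "xk7q2zv9-cdn.example": date(2024, 5, 20),
    "badhost.example": date(2023, 1, 3),
    "contoso.example": date(2009, 7, 14),
}

NEWLY_REGISTERED_DAYS = 30  # assumed window for "newly registered"


def registrable_domain(fqdn):
    """Last two labels of a name, e.g. 'mail.badhost.example' -> 'badhost.example'.
    Simplification: production code should consult the Public Suffix List so that
    names under multi-label suffixes such as co.uk are split correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def match_indicator(domain, indicators):
    """Return (indicator, kind): an exact FQDN match first, then a match on the
    registrable domain ('parent'), else (None, None)."""
    domain = domain.lower()
    for ind in indicators:
        if ind["DomainName"] == domain:
            return ind, "exact"
    parent = registrable_domain(domain)
    for ind in indicators:
        if ind["DomainName"] == parent:
            return ind, "parent"
    return None, None


def enrich(domain, indicators=TI_INDICATORS, registrations=REGISTRATION_DATES,
           today=date(2024, 6, 1)):
    """Combine TI confidence and registration age into a 0-100 risk score.
    Weights are illustrative assumptions: TI confidence counts as-is, a domain
    younger than NEWLY_REGISTERED_DAYS adds 30, an unknown registration adds 10."""
    indicator, kind = match_indicator(domain, indicators)
    registered = registrations.get(registrable_domain(domain))
    age_days = (today - registered).days if registered else None

    score = indicator["ConfidenceScore"] if indicator else 0
    if age_days is None:
        score += 10
    elif age_days < NEWLY_REGISTERED_DAYS:
        score += 30

    return {
        "Domain": domain,
        "TIMatch": kind,
        "TIConfidence": indicator["ConfidenceScore"] if indicator else 0,
        "TIDescription": indicator["Description"] if indicator else None,
        "RegistrationAgeDays": age_days,
        "RiskScore": min(score, 100),
    }


if __name__ == "__main__":
    for d in ["xk7q2zv9-cdn.example", "login.badhost.example",
              "contoso.example", "unknown-thing.example"]:
        print(enrich(d))
```

In a Sentinel workflow the same logic is typically expressed as a KQL join between the hunting query's output and the ThreatIntelligenceIndicator table; the Python form is just easier to reason about and unit-test before the weights are committed to an analytics rule.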
Microsoft Sentinel integrates with various threat intelligence and machine learning sources and services, such as:
Microsoft Threat Intelligence
Sentinel Threat Intelligence Providers
Azure Machine Learning
Azure Cognitive Services
You can also use custom sources or services to enrich and validate rare domains, such as:
VirusTotal
DomainTools
OpenAI
TensorFlow
To use threat intelligence and machine learning to enrich and validate rare domains, you need to follow these steps:
Navigate to the Microsoft Sentinel portal in the Azure portal.
Select the workspace where you ingested the cloud log data.
Select Threat intelligence from the navigation menu.
Select the threat intelligence or machine learning source or service that you want to use to enrich and validate the rare domains. For example, if you
Rare domains in Office 365
Let’s take a step further and use the Office 365 Audit logs to also identify rare domains.
One of the data sources that Sentinel can ingest is the Office 365 audit logs, which contain information about user and admin activities in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. These logs can reveal the domain names that are involved in various cloud operations, such as sending or receiving emails, accessing or sharing files, or joining or creating teams.
To enable the Office 365 data connector in Sentinel, you need to have unified audit logging enabled in your Office 365 deployment. You can use the Microsoft 365 Security and Compliance Center to check the status of unified audit logging. Then, you can enable the Office 365 log connector in Sentinel, in the Data Connectors blade.
Once the data connector is enabled, Sentinel will start ingesting the Office 365 audit logs into a table called OfficeActivity. This table contains various columns that store the details of each cloud operation, such as Operation, ResultStatus, UserId, ClientIP, UserAgent, and more. One of the columns that is particularly relevant for our purpose is the DestinationDomainName column, which stores the domain name that is associated with the operation. For example, if a user sends an email to someone@example.com, the DestinationDomainName column will have the value example.com.
To detect rare domains seen in the Office 365 audit logs, the following query can be used:
It filters the OfficeActivity table by the Operation column, selecting only the operations that involve sending or receiving emails, or accessing or sharing files.
It groups the records by the OrganizationName column and counts the number of unique users and unique user agents for each domain.
It calculates the entropy of the OrganizationName column, which is a measure of randomness or unpredictability. The higher the entropy, the more likely the domain name is obscure or malicious.
It filters the results by the entropy value, selecting only the domains that have an entropy higher than 3.5, which is a threshold that can be adjusted based on your environment and preferences.
It sorts the results by the number of unique users in ascending order, and displays the top 10 rare domains, along with the number of unique users, user agents, and records for each domain.
The query looks like this:
OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation in ("Send", "Receive", "Download", "Upload", "Accessed", "Modified", "Renamed", "Deleted", "Shared", "Unshared")
| summarize Users=dcount(UserId), UserAgents=dcount(UserAgent), Records=count() by OrganizationName
| extend DomainLength = strlen(OrganizationName)
// Shannon entropy of the domain name: expand to one row per character,
// count how often each character occurs, then sum -p * log2(p)
| mv-expand Char = extract_all(@"(.)", OrganizationName) to typeof(string)
| summarize CharCount = count() by OrganizationName, Users, UserAgents, Records, DomainLength, Char
| extend P = CharCount * 1.0 / DomainLength
| summarize Entropy = sum(-P * log2(P)) by OrganizationName, Users, UserAgents, Records, DomainLength
| where Entropy > 3.5
| order by Users asc
| take 10
These domains have a high entropy value, indicating that they are random or obscure, and a low number of users and user agents, indicating that they are not popular or reputable. These domains may be used by attackers for phishing, malware delivery, data exfiltration, or command and control.
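To make the scoring concrete outside of Sentinel, here is an added Python example (not code from this article or from Microsoft) that reproduces the query's logic over a handful of constructed OfficeActivity-style records: it filters by Operation, aggregates distinct users and user agents per domain, computes the Shannon entropy of the domain name and applies the 3.5 threshold. It goes one step beyond the query by adding an explicit user-count cutoff (max_users, an assumed parameter): a long legitimate name such as the constructed mycompany-sharepoint.example also scores above 3.5, and with only sorting it would still surface whenever fewer than ten domains pass the entropy filter.

```python
import math
from collections import Counter, defaultdict

# Constructed OfficeActivity-style records for illustration only; none of these
# domains or users are real. Each dict mirrors the columns the query uses.
SAMPLE_EVENTS = [
    # widely used SharePoint-style domain: long, so its entropy is high, but many users touch it
    {"Operation": "Accessed", "UserId": "alice@contoso.example", "UserAgent": "Edge/120", "OrganizationName": "mycompany-sharepoint.example"},
    {"Operation": "Shared", "UserId": "bob@contoso.example", "UserAgent": "Edge/120", "OrganizationName": "mycompany-sharepoint.example"},
    {"Operation": "Download", "UserId": "carol@contoso.example", "UserAgent": "Chrome/121", "OrganizationName": "mycompany-sharepoint.example"},
    {"Operation": "Modified", "UserId": "dave@contoso.example", "UserAgent": "Office/16.0", "OrganizationName": "mycompany-sharepoint.example"},
    # random-looking domain seen by a single user with a scripted client: the pattern the query is after
    {"Operation": "Upload", "UserId": "erin@contoso.example", "UserAgent": "python-requests/2.31", "OrganizationName": "xk7q2zv9-cdn.example"},
    {"Operation": "Upload", "UserId": "erin@contoso.example", "UserAgent": "python-requests/2.31", "OrganizationName": "xk7q2zv9-cdn.example"},
    # rare but low-entropy: dropped by the entropy filter
    {"Operation": "Send", "UserId": "frank@contoso.example", "UserAgent": "Outlook/16.0", "OrganizationName": "aaa-bbb.example"},
    # operation outside the mail/file set: dropped by the Operation filter
    {"Operation": "UserLoggedIn", "UserId": "grace@contoso.example", "UserAgent": "Edge/120", "OrganizationName": "zz9q.example"},
]

# Same Operation set as the KQL query
MAIL_AND_FILE_OPS = {"Send", "Receive", "Download", "Upload", "Accessed",
                     "Modified", "Renamed", "Deleted", "Shared", "Unshared"}


def shannon_entropy(text):
    """Shannon entropy of the characters in text, in bits per character.
    'aaaa' -> 0.0, 'abcd' -> 2.0; random-looking strings score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def summarize_by_domain(events):
    """Equivalent of the query's summarize step: distinct users, distinct user
    agents and record count per OrganizationName, after the Operation filter."""
    users, agents, records = defaultdict(set), defaultdict(set), Counter()
    for e in events:
        if e["Operation"] not in MAIL_AND_FILE_OPS:
            continue
        d = e["OrganizationName"]
        users[d].add(e["UserId"])
        agents[d].add(e["UserAgent"])
        records[d] += 1
    return [
        {"OrganizationName": d, "Users": len(users[d]), "UserAgents": len(agents[d]),
         "Records": records[d], "Entropy": shannon_entropy(d)}
        for d in records
    ]


def rare_domains(events, entropy_threshold=3.5, max_users=2, top=10):
    """Domains above the entropy threshold seen by at most max_users distinct
    users, least-used first. max_users is an added rarity cutoff (assumed here);
    the KQL query only sorts by Users and takes the top 10."""
    rows = summarize_by_domain(events)
    hits = [r for r in rows
            if r["Entropy"] > entropy_threshold and r["Users"] <= max_users]
    return sorted(hits, key=lambda r: r["Users"])[:top]


if __name__ == "__main__":
    for row in rare_domains(SAMPLE_EVENTS):
        print(f"{row['OrganizationName']:30} users={row['Users']} agents={row['UserAgents']} "
              f"records={row['Records']} entropy={row['Entropy']:.2f}")
```

Running it lists only xk7q2zv9-cdn.example: the SharePoint-style name is excluded by the user-count cutoff despite its entropy, aaa-bbb.example by the entropy threshold, and zz9q.example by the Operation filter. Tuning the two thresholds against a month of your own OfficeActivity data, rather than accepting 3.5 and a fixed user count, is what keeps this rule from paging on every new SaaS vendor a department adopts.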
How to mitigate rare domains using Microsoft Sentinel?
Once you have detected the rare domains seen in the Office 365 audit logs, you need to take action to mitigate them and prevent further damage. Microsoft Sentinel provides several capabilities to help you automate and streamline the response, such as:
Investigation: You can use the Investigation feature to visualize and explore the relationships between the rare domains and other entities, such as users, devices, IP addresses, and alerts. This can help you understand the scope and impact of the threat and identify the root cause and potential indicators of compromise.
Playbooks: You can use the Playbooks feature to create and run logic apps that perform various actions based on the rare domains, such as blocking the domains in the firewall, sending an email notification, creating a ticket, or running a custom script. This can help you contain and remediate the threat and notify the relevant stakeholders.
Automation rules: You can use the Automation rules feature to trigger the playbooks automatically based on certain conditions, such as the severity, status, or category of the rare domains. This can help you reduce the manual effort and time required to respond to the threat and enforce consistent and standardized workflows.
To illustrate how to use these capabilities, assume that you want to block the rare domains in the Azure Firewall and send an email notification to the security team. You can follow these steps:
Create a playbook: Create a logic app that takes the rare domains as input and performs two actions: calling the Azure Firewall REST API to add the domains to the deny list, and sending an email to the security team with the details of the domains and the firewall rule. You can use the Azure Logic Apps Designer to create the logic app and save it as a playbook in Sentinel.
Create an automation rule: Create an automation rule that triggers the playbook whenever a rare domain is detected by the hunting query. You can use the Automation Rules blade to create the automation rule and select the playbook as the action.
Summary
Hopefully, with this article you now understand several things:
How to use Microsoft Sentinel, a cloud native SIEM solution, to detect and mitigate rare or malicious domains seen in cloud logs, such as Office 365 audit logs.
What rare domains are and why they matter, as they can be used by attackers for phishing, malware delivery, data exfiltration, or command and control.
How to use the built-in and custom queries in Sentinel to find rare domains based on their entropy and popularity, and how to use the investigation, playbooks, and automation rules features to analyze and respond to them.
How to block rare domains in the Azure Firewall and send an email notification to the security team using a playbook and an automation rule.