Microsoft Sentinel SOC 101: How to Detect and Mitigate Rare Domains Seen in Cloud Logs
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that helps organizations detect, investigate, and respond to security threats across their hybrid environments. One of the features of Microsoft Sentinel is the ability to hunt for threats using advanced queries written in the Kusto Query Language (KQL). In this article, I’ll explore how to use one of the built-in hunting queries in Microsoft Sentinel to find rare domains seen in cloud logs, and how to mitigate them using automation and orchestration.
What are rare domains and why are they important?
Rare domains are domain names that are not commonly seen or used by legitimate users or applications in an organization’s cloud environment. They may indicate malicious or suspicious activity, such as:
Command and control (C2) communication: attackers may use rare or newly registered domains to communicate with compromised devices or servers in the cloud and send commands or exfiltrate data.
Phishing or malware delivery: attackers may use rare or spoofed domains to trick users into clicking on malicious links or downloading malicious files from the cloud.
Data exfiltration: attackers may use rare or encrypted domains to hide the destination of data transfers from the cloud.
Detecting rare domains seen in cloud logs can help security analysts identify potential security incidents and investigate them further using other data sources and tools.
How to use the built-in hunting query for rare domains seen in cloud logs
The following query uses the OfficeActivity table, which contains data from various Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. The query also uses the ThreatIntelligenceIndicator table, which can contain data from various threat intelligence providers, such as AlienVault OTX, VirusTotal, etc.
The query works by:
Filtering the OfficeActivity events by operation name (the Operation column, with values such as FileDownloaded, FileUploaded, etc.)
Joining the domain names with the ThreatIntelligenceIndicator table to check if they are known to be malicious or suspicious
Calculating the rarity score of each domain name based on its frequency and threat intelligence status
Sorting the results by rarity score in descending order
// Parameters: adjust these to customize the query
let TimeRange = 7d;                                                   // how far back to look for OfficeActivity events
let OperationNameList = dynamic(["FileDownloaded", "FileUploaded"]);  // operations to include
let ResultStatusList = dynamic(["Succeeded"]);                        // result statuses to include
let DomainRarityThreshold = 0.0;                                      // only return domains scoring above this value
let Lookback = ago(TimeRange);
// Get the OfficeActivity events, filter by operation and result status, and extract the host name
let OfficeEvents = OfficeActivity
| where TimeGenerated > Lookback
| where Operation in (OperationNameList)
| where ResultStatus in (ResultStatusList)
// Site_Url is a full URL; SourceRelativeUrl is only a site-relative path and carries no host name
| extend Domain = tolower(tostring(parse_url(Site_Url).Host))
| where isnotempty(Domain)
| project TimeGenerated, UserId, Operation, SourceFileName, Domain;
// Get active domain indicators; the indicator type is shown by which field is populated, not by ThreatType
let TIRecords = ThreatIntelligenceIndicator
| where TimeGenerated > Lookback
| where Active == true and ExpirationDateTime > now()
| where isnotempty(DomainName)
// one row per domain so the join does not duplicate events when a domain has several indicators
| summarize ThreatSeverity = max(ThreatSeverity) by Domain = tolower(DomainName);
// Join the OfficeEvents and TIRecords tables on Domain (leftouter keeps domains with no TI match)
let JoinedEvents = OfficeEvents
| join kind=leftouter TIRecords on Domain;
// Total number of events, used to express how rare each domain is relative to the whole
let TotalEvents = toscalar(OfficeEvents | count);
// Calculate the rarity score of each domain based on its frequency and threat level
// RarityScore = log10(TotalEvents / Count) * (ThreatLevel + 1): 0 for a domain seen in every event,
// growing as the domain gets rarer; ThreatLevel is the TI severity (0 when there is no TI match)
// The higher the rarity score, the more rare and potentially malicious the domain is
let ScoredDomains = JoinedEvents
| summarize Count = count(), ThreatLevel = max(coalesce(tolong(ThreatSeverity), 0)) by Domain
| extend RarityScore = log10(1.0 * TotalEvents / Count) * (ThreatLevel + 1)
| where RarityScore > DomainRarityThreshold
| order by RarityScore desc;
// Display the results
ScoredDomains
The query can be customized by changing the parameters at the beginning of the query, such as:
TimeRange: the time range to search for events
OperationNameList: the list of operation names to filter by
ResultStatusList: the list of result statuses to filter by
DomainRarityThreshold: the threshold for rarity score to filter by
The query can be run manually or scheduled to run periodically. The results can be viewed in a table or a chart format. The results can also be exported to a CSV file or a Power BI report for further analysis.
Once the query is saved as an Analytics Rule, it will run according to the specified schedule and create incidents based on the query results. The incidents can be viewed and managed from the Incidents dashboard. The incidents can also trigger other automated responses, such as sending an email notification, creating a ticket in a ticketing system, blocking a domain in a firewall, etc.
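Added example, not from the original article or from Microsoft's own templates: a Bicep deployment that saves a condensed form of the query as a scheduled Analytics Rule, with the Domain column mapped to a DNS entity so that incidents and playbooks can act on it. The workspace name, rule name, 5-hit rarity cutoff and API versions are assumptions to check against your environment.

```bicep
// Added example, not from the original article: deploys the rare-domain hunt as a scheduled
// Analytics Rule so matching results become incidents. workspaceName, the rule name, the
// rarity cutoff and the API versions are assumptions to verify against your environment.
param workspaceName string
param ruleName string = 'rare-domains-cloud-logs'
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}
resource rareDomainRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: guid(workspace.id, ruleName)   // stable GUID so redeploys update the same rule
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Rare domains seen in cloud logs'
    enabled: true
    severity: 'Medium'
    tactics: [ 'CommandAndControl', 'Exfiltration' ]
    queryFrequency: 'P1D'   // run daily ...
    queryPeriod: 'P7D'      // ... over the same 7-day window the hunting query uses
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    // Condensed form of the article's query; the full scored query can be pasted here instead
    query: '''
      OfficeActivity
      | where Operation in ("FileDownloaded", "FileUploaded")
      | extend Domain = tolower(tostring(parse_url(Site_Url).Host))
      | where isnotempty(Domain)
      | summarize Count = count(), Users = make_set(UserId, 10) by Domain
      | where Count <= 5   // assumed rarity cutoff
    '''
    eventGroupingSettings: { aggregationKind: 'AlertPerResult' }   // one alert per rare domain
    // Map Domain to a DNS entity so incidents and playbooks (e.g. a firewall block) can act on it
    entityMappings: [ { entityType: 'DNS', fieldMappings: [ { identifier: 'DomainName', columnName: 'Domain' } ] } ]
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: { enabled: true, reopenClosedIncident: false, lookbackDuration: 'P1D', matchingMethod: 'AllEntities' }
    }
  }
}
```

Deploy it at resource-group scope against the resource group that holds the workspace; the rule then appears under Analytics in the Sentinel portal like a manually created one.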
Summary
In this article, we learned how to use Microsoft Sentinel to detect and mitigate rare domains seen in cloud logs. We used one of the built-in hunting queries to find rare domains based on their frequency and threat intelligence status. We also used automation and orchestration capabilities to create incidents and respond to rare domains. Microsoft Sentinel is a powerful solution that can help organizations improve their security posture and reduce their attack surface in the cloud.