cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Domain name lookup from query results

abon13
Brass Contributor

‎Jul 07 2024 10:22 PM

‎Jul 07 2024 10:22 PM

Domain name lookup from query results

Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating over a certain interval. 

From the domain names generated in the result, I  want to perform whois lookup of every domain and alert on those created in last 30 days. I am looking for suggestions on the best way to implement whois lookup from the query results. 

 

Thank you !!

 

 

 

 

Labels:
232 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by abon13 (Brass Contributor)
cyb3rmik3

‎Jul 08 2024 06:41 AM - edited ‎Jul 08 2024 06:43 AM

‎Jul 08 2024 06:41 AM - edited ‎Jul 08 2024 06:43 AM

Solution

Re: Domain name lookup from query results

@abon13 hi,

 

There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domains (NRD) feeds available out there, some paid some free from the community. Once you have found your feed, then it can be easily integrated with a detection rule in your XDR or analytic in your Sentinel.

 

You may check the following KQL query as an example:

 

 

let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False);
let SuspDomainList = NRDMonthFeed
| distinct domain;
DeviceNetworkEvents
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (SuspDomainList)
| project Timestamp, DeviceName, RemoteUrl

 

 

EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the date registration of the domain. Check the following instructions:

 

Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

1 Like
Reply
abon13

‎Jul 09 2024 01:08 AM

‎Jul 09 2024 01:08 AM

Re: Domain name lookup from query results

@cyb3rmik3
This sounds good. Thank you !!
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by abon13 (Brass Contributor)
cyb3rmik3

‎Jul 08 2024 06:41 AM - edited ‎Jul 08 2024 06:43 AM

‎Jul 08 2024 06:41 AM - edited ‎Jul 08 2024 06:43 AM

Solution

Re: Domain name lookup from query results

@abon13 hi,

 

There is no option to retrieve whois information straight from your environment, unless you have a connector with a service such as DomainWhois that might support this functionality. But you'll have to look into it with a proof of concept. Be that as it may, there are plenty of newly-registered-domains (NRD) feeds available out there, some paid some free from the community. Once you have found your feed, then it can be easily integrated with a detection rule in your XDR or analytic in your Sentinel.

 

You may check the following KQL query as an example:

 

 

let NRDMonthFeed = externaldata(domain: string)[@"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1m.csv"] with (format="csv", ignoreFirstRecord=False);
let SuspDomainList = NRDMonthFeed
| distinct domain;
DeviceNetworkEvents
| extend ToLowerUrl = tolower(RemoteUrl)
| where RemoteUrl has_any (SuspDomainList)
| project Timestamp, DeviceName, RemoteUrl

 

 

EDIT: So yes, if you have the DomainWhois connector and the relevant subscription, you can use the following functionality to build an automation that will look into the date registration of the domain. Check the following instructions:

 

Domain Whois - Get - REST API (Azure Sentinel) | Microsoft Learn

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

View solution in original post

1 Like
Reply