DomainTools DNSDB Co-Located Hosts
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook uses the Farsight DNSDB connector to automatically enrich Domain's found in the Microsoft Sentinel incidents. This use case describes the desire to easily identify Hosts that are co-located (based on Address) based on the input of a domain and a given point in time. The response would be a set of domains that also shared the same IP address as the originating domain name at the given point in time.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
farsightdnsdb |
Managed | 1 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_DNS | post | /entities/dnsresolution |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Add_co_located_domains_to_the_incident_comment | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
farsightdnsdb (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| RData_Lookup_with_RRType | get | /lookup/rdata/@{encodeURIComponent('ip')}/@{encodeURIComponent(items('For_each_Unique_IPS'))}/ANY |
— |
| RRSet_Lookup_with_RRType_AAAA_Records | get | /lookup/rrset/name/@{encodeURIComponent(items('For_each'))}/@{encodeURIComponent('AAAA')} |
— |
| RRSet_Lookup_with_RRType_A_Records | get | /lookup/rrset/name/@{encodeURIComponent(items('For_each'))}/@{encodeURIComponent('A')} |
— |
| RRSet_Lookup_with_RRType_CNAME | get | /lookup/rrset/name/@{encodeURIComponent(items('For_each'))}/@{encodeURIComponent('CNAME')} |
— |
Additional Documentation
DomainTools DNSDB Co-Located Hosts
This playbook uses the Farsight DNSDB connector to automatically enrich Domain's found in the Microsoft Sentinel incidents. This use case describes the desire to easily identify Hosts that are co-located (based on Address) based on the input of a domain and a given point in time. The response would be a set of domains that also shared the same IP address as the originating domain name at the given point in time.
Table of Contents
Overview
- This playbook fetches all the Host and DNS resolution etities from the incident.
- Iterates through each entity, perform logic.
- Adds the co-located hosts for each entity as sentinel comments.
Prerequisites
- A DomainTool DNSDB API Key.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment Instructions
Authorize connections
Once deployment is complete please open the logic app and follow below steps
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the Farsight DNSDB Custom Connector.
- You could provide time fencing options, please only provide values from the list (1h,6h,12h,24h, 30d, 60d,90d,365d(Default 1h)).
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections accordingly.
Configurations in Sentinel:
- Configure the analytic rules->Automated response>Automation rules to trigger this playbook.
- Configure Incident Settings , Enable create incidents.
- Configure "Microsoft Sentinel Responder" permission to this playbook, from settings>workspace settings>Access control (IAM)>Add role assignment.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊