MDTI-Data-ReverseDnS
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI Passive DNS Reverse endpoint.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Microsoft Defender Threat Intelligence |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
http |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_comment_to_incident_(V3)_4 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| PassiveDnsReverse_by_Hostname | GET | @{parameters('MDTI-BaseUrl')}/@{parameters('Api-Version')}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/passiveDnsReverse?$count=true |
— |
| PassiveDnsReverse__by_IP_Address | GET | @{parameters('MDTI-BaseUrl')}/@{parameters('Api-Version')}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/passiveDnsReverse?$count=true |
— |
Additional Documentation
📄 Source: MDTI-PassiveDnsReverse/readme.md
Overview
This playbook uses the Microsoft Defender Threat Intelligence Passive DNS Reverse data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook to enrich your incidents with Passive DNS Reverse data hosted by the indicators found within the incident. While a forward DNS lookup queries the IP address of a certain hostname, a reverse DNS lookup queries a specific hostname of an IP address. This dataset will show similar results as the DNS dataset. Reviewing DNS records can be helpful to identify shared infrastructure used by actors across the domains they own. For example, actor groups tend to use the same nameservers to segment their infrastructure or the same mail exchange servers to administer their command and control.
Our Reverse DNS data includes the following:
- Value: the value of the Reverse DNS record.
- First Seen: a timestamp of the date that we first observed this record on the artifact.
- Last Seen: a timestamp of the date that we first observed this record on the artifact.
- Type: the type of infrastructure associated with the record. Potential options include Mail Servers (MX), text files (TXT), name servers (NS), CNAMES, and Start of Authority (SOA) records.
- Tags: any tags applied to this artifact in the Defender TI system.
Key Capabilities
- Automatically triggers on new Sentinel incidents (incident creation trigger).
- Collects Host and IP entities (up to the limits of the incident payload).
- Queries MDTI Passive DNS Reverse data via Microsoft Graph (Managed Identity auth).
- Generates per-host and per-IP HTML tables summarizing Passive DNS Reverse observations.
- Adds structured comments back to the originating incident.
Prerequisites
- Microsoft Defender Threat Intelligence (MDTI) Premium license enabled for the tenant. If you have trouble accessing your account or your credentials, contact your account representative (mdtidiscussion[@]microsoft.com).
- One of the following Azure AD roles (to grant Graph application permissions to the playbook's Managed Identity): Security Administrator, Global Administrator, or Privileged Role Administrator.
Deployment Parameters
| Name | Description | Default |
|---|---|---|
| PlaybookName | Name of the Logic App (playbook) | MDTI-Data-ReverseDnS |
| MDTI-BaseUrl | MDTI Graph API base URL (must start with https://) | https://graph.microsoft.com |
| Api-Version | MDTI Graph API version | v1.0 |
Deploy to Azure
Post-Deployment Steps
1. Assign Microsoft Graph Permission (ThreatIntelligence.Read.All) to Managed Identity
To allow the playbook to query Microsoft Defender Threat Intelligence data, you must grant the managed identity of the playbook the ThreatIntelligence.Read.All application permission in Microsoft Graph. Follow these steps:
- Ensure you have the necessary Azure AD permissions (Security Administrator, Global Administrator, or Privileged Role Administrator).
- Open the Azure Cloud Shell or use a local PowerShell session with the Microsoft Graph module installed.
- Run the following commands, replacing
'MDTI-Data-ReverseDnS'with your playbook's name if different:
# Install the Microsoft Graph module for interacting with Microsoft Graph APIs
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
Import-Module Microsoft.Graph
# Authenticate to Microsoft Graph using Managed Identity
Connect-MgGraph -Identity
# Retrieve the Microsoft Graph Service Principal
$graphSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
# Find the ThreatIntelligence.Read.All role
*[Content truncated...]*
---
**Browse:** [🏠](../README.md) · [Solutions](../solutions-index.md) · [Connectors](../connectors-index.md) · [Methods](../methods-index.md) · [Tables](../tables-index.md) · [Content](../content/content-index.md) · [Parsers](../parsers/parsers-index.md) · [ASIM Parsers](../asim/asim-index.md) · [ASIM Products](../asim/asim-products-index.md) · [Logic Apps](../logic-apps/logic-apps-index.md) · [📊](../statistics.md)
↑ [Back to Playbooks](playbooks.md) · [Back to Microsoft Defender Threat Intelligence](../solutions/microsoft-defender-threat-intelligence.md)