Adversaries routinely stage command-and-control and data exfiltration on domains that only one or a handful of hosts in an estate ever contact, so a destination's prevalence (how many distinct devices talk to it) is a useful hunting signal even when the traffic itself looks like ordinary HTTPS. This Azure Sentinel hunt takes the FQDNs seen in Defender for Endpoint DeviceNetworkEvents, ranks them by the number of distinct devices that contacted them, and returns every event to the rarest ones so that a beacon or an upload that evades signature-based detection still surfaces for triage. On a large estate most FQDNs in a one-hour window have a device count of 1, so treat the output as a triage list to tune with allowlists rather than as an alert.
KQL Query
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName !in~ ('iexplore.exe','chrome.exe','opera.exe','safari.exe') // Remove web browsers from the ranking
    and isnotempty(RemoteUrl)
// RemoteUrl is either a bare hostname or a full URL; parse_url() exposes the host as .Host (it has no .domain key),
// and tostring() keeps both branches of iff() as strings so the column can be used as a join key
| extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
| top-nested 100 of FQDN by dcount(DeviceId) asc // the 100 FQDNs contacted by the fewest distinct devices
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where isnotempty(RemoteUrl) // browsers are kept here so every event to a rare FQDN is returned
    | extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
) on FQDN
| order by aggregated_FQDN asc // aggregated_FQDN is the distinct-device count produced by top-nested
id: df02a1ed-9019-40fc-9be1-c32ac4a016c0
name: Device network events w low count FQDN
description: |
  Device network events involving low-count FQDNs.
  This query reduces network events to only those with the RemoteUrl column populated,
  then parses the DNS name from the URL (if needed) and finds the least prevalent
  FQDNs. The result is then joined with DeviceNetworkEvents to highlight anomalous
  network communication.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(1h)
  | where InitiatingProcessFileName !in~ ('iexplore.exe','chrome.exe','opera.exe','safari.exe') // Remove web browsers from the ranking
      and isnotempty(RemoteUrl)
  // parse_url() exposes the host as .Host (it has no .domain key); tostring() keeps both iff() branches as strings
  | extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
  | top-nested 100 of FQDN by dcount(DeviceId) asc // the 100 FQDNs contacted by the fewest distinct devices
  | join kind=inner (
      DeviceNetworkEvents
      | where Timestamp > ago(1h)
      | where isnotempty(RemoteUrl) // browsers are kept here so every event to a rare FQDN is returned
      | extend FQDN = iff(RemoteUrl matches regex "^([a-zA-Z0-9._-])+$", tostring(RemoteUrl), tostring(parse_url(RemoteUrl).Host))
  ) on FQDN
  | order by aggregated_FQDN asc // aggregated_FQDN is the distinct-device count produced by top-nested
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ingested through the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled and that the DeviceNetworkEvents table is selected |
Scenario: Legitimate scheduled job using a low-count FQDN
Description: A system scheduler (e.g., cron, systemd timers, Windows Task Scheduler, or Airflow) accesses a low-count FQDN as part of a routine job (data sync, backup, or report generation). Such a destination is often contacted by exactly one host, so it ranks at the top of the list by design.
Filter/Exclusion: The URL itself rarely says anything about the scheduler, so key the exclusion on the launching process rather than on RemoteUrl, and scope it to the specific FQDN the job is known to use; a blanket exclusion of everything cron or systemd launches would also hide persistence an attacker planted there. In DeviceNetworkEvents the relevant columns are InitiatingProcessParentFileName and InitiatingProcessCommandLine (on Windows, Task Scheduler jobs start under svchost.exe, which is too common to exclude on its own). Use a filter like the following, replacing the destination with the job's own:
| where not(InitiatingProcessParentFileName in~ ("cron", "crond", "systemd") and FQDN endswith ".backup.example.com")
| where InitiatingProcessCommandLine !has "airflow"
Scenario: Internal hostnames that are legitimately low count
Description: Internal services and development environments (e.g., internal-app.example.com) are reached by a handful of hosts by design, so their FQDNs rank near the top of the list without being suspicious.
Filter/Exclusion: DeviceNetworkEvents records the endpoint's own address as LocalIP and the destination as RemoteIP (there is no src_ip column), so exclude destinations in RFC 1918 space and names in the organisation's internal DNS zone. Use a filter like:
| where not(ipv4_is_private(RemoteIP)) and FQDN !endswith ".internal.example.com"
Keep the zone list explicit (a suffix match on zones the organisation owns) rather than a loose `contains "internal"`, which an attacker can satisfy by registering any domain with that word in it.
Scenario: User-initiated access to a low-count FQDN via browser or CLI
Description: A user may manually access a low-count FQDN (e.g., dev-api.example.com) using a browser or a CLI tool (e.g., curl, wget, or Postman) for testing or development purposes. Browser-initiated events are already dropped from the ranking by the InitiatingProcessFileName filter in the query (they are still returned by the join), so in practice this scenario concerns the CLI tools.
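To check the ranking and the exclusion scenarios above against known input, the following is an offline Python re-implementation of the hunt over constructed DeviceNetworkEvents rows. It is added example code, not the page's query or any Microsoft tooling. It uses only the columns the query reads plus RemoteIP and InitiatingProcessParentFileName, both real DeviceNetworkEvents columns; the devices, URLs, IPs and process names in SAMPLE_EVENTS are made up, and the scheduler process list (SCHEDULER_PARENTS) and the internal zone suffix passed to hunt() are assumptions to adapt to the estate.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Browser exclusion from the query (applies to the ranking only, not to the join-back).
BROWSERS = {"iexplore.exe", "chrome.exe", "opera.exe", "safari.exe"}
# Assumed scheduler parents for the "legitimate scheduled job" scenario; adapt to the estate.
SCHEDULER_PARENTS = {"cron", "crond", "systemd"}
# Same character class as the query's `matches regex`: a bare hostname rather than a URL.
BARE_HOST = re.compile(r"^[a-zA-Z0-9._-]+$")
# RFC 1918 space, the ranges the internal-hostname scenario lists (and what ipv4_is_private() covers).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_fqdn(remote_url):
    """Equivalent of the query's FQDN extend: a bare hostname is used as-is, otherwise the
    URL host is taken (what parse_url().Host returns in KQL). Lower-cased so case variants
    of one name aggregate together; KQL string joins are case-sensitive."""
    if BARE_HOST.match(remote_url):
        return remote_url.lower()
    # urlparse needs a scheme or a leading "//" to treat "host:port/path" as a netloc.
    target = remote_url if "://" in remote_url else "//" + remote_url
    return (urlparse(target).hostname or "").lower()


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed RemoteIP: treat as not private
        return False
    return any(addr in net for net in PRIVATE_NETS)


def is_tuned_out(event, internal_suffixes):
    """Exclusions from the false-positive scenarios: private destination, name in an
    internal DNS zone, or a job launched by a scheduler process."""
    fqdn = extract_fqdn(event["RemoteUrl"])
    in_internal_zone = any(fqdn == s or fqdn.endswith("." + s) for s in internal_suffixes)
    scheduled = event["InitiatingProcessParentFileName"].lower() in SCHEDULER_PARENTS
    return is_rfc1918(event["RemoteIP"]) or in_internal_zone or scheduled


def low_prevalence_fqdns(events, n):
    """`top-nested n of FQDN by dcount(DeviceId) asc`; the name breaks ties so the result
    is deterministic (KQL makes no such guarantee for equal counts)."""
    devices = defaultdict(set)
    for e in events:
        fqdn = extract_fqdn(e["RemoteUrl"])
        if fqdn:
            devices[fqdn].add(e["DeviceId"])
    ranked = sorted(((f, len(d)) for f, d in devices.items()), key=lambda x: (x[1], x[0]))
    return ranked[:n]


def hunt(events, n=4, internal_suffixes=(), tuned=False):
    """Returns (ranking, hits). The ranking is built from non-browser events (plus the
    scenario exclusions when tuned=True); hits are every event, browsers included, that
    went to one of the ranked FQDNs, mirroring the inner join in the query."""
    candidates = [e for e in events if e["InitiatingProcessFileName"].lower() not in BROWSERS]
    if tuned:
        candidates = [e for e in candidates if not is_tuned_out(e, internal_suffixes)]
    ranking = low_prevalence_fqdns(candidates, n)
    wanted = {f for f, _ in ranking}
    hits = [e for e in events if extract_fqdn(e["RemoteUrl"]) in wanted]
    return ranking, hits


def _ev(device, url, ip, proc, parent):
    return {"DeviceId": device, "RemoteUrl": url, "RemoteIP": ip,
            "InitiatingProcessFileName": proc, "InitiatingProcessParentFileName": parent}


# Constructed sample rows (made-up devices, names, IPs and processes), not real telemetry.
SAMPLE_EVENTS = [
    _ev("dev1", "https://cdn.example-corp.com/a.js", "198.51.100.5", "chrome.exe", "explorer.exe"),
    _ev("dev2", "cdn.example-corp.com", "198.51.100.5", "svchost.exe", "services.exe"),
    _ev("dev3", "https://cdn.example-corp.com/b.js", "198.51.100.5", "updater.exe", "services.exe"),
    _ev("dev1", "https://ops-7f3k.example-bad.net/beacon", "203.0.113.77", "rundll32.exe", "wmiprvse.exe"),
    _ev("dev4", "https://ops-7f3k.example-bad.net/beacon", "203.0.113.77", "chrome.exe", "explorer.exe"),
    _ev("dev2", "https://internal-app.corp.example/api", "10.20.30.40", "python3", "cron"),
    _ev("dev3", "backup.corp.example", "10.1.1.9", "rsync", "systemd"),
    _ev("dev4", "https://dev-api.example.com/test", "203.0.113.20", "curl", "bash"),
]

if __name__ == "__main__":
    for label, kwargs in (("raw", {}), ("tuned", {"internal_suffixes": ("corp.example",), "tuned": True})):
        ranking, hits = hunt(SAMPLE_EVENTS, n=4, **kwargs)
        print(label, ranking, f"{len(hits)} events joined back")
```

Run untuned, the four count-1 names fill the list and the two internal jobs crowd out nothing only because the sample is tiny; with the internal zone and scheduler exclusions applied, the list shrinks to the curl test call, the rundll32 beacon and the CDN, and the join-back still returns the chrome.exe event to the beacon domain because the browser filter only shapes the ranking. On a real estate the count-1 tier is large, so replace the top-N cut with a count threshold and a minimum number of events per FQDN before paging through the results.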