
Microsoft Sentinel: Farsight DNSDB

Overview

The Farsight DNSDB integration enables lookups of DNS infrastructure against domain and IP indicators. It provides access to passive DNS data, allowing you to investigate historical DNS records and discover related infrastructure.

Requirements

  • A Microsoft Power Apps or Power Automate plan with custom connector feature
  • An Azure subscription
  • A Farsight DNSDB API Key

Installation

Install from Azure Marketplace

  1. Go to the Farsight DNSDB Marketplace link
  2. Select Get It Now
  3. Follow the guided installation steps provided by Microsoft

Alternatively, the solution is available in Content Hub within Microsoft Sentinel.

Install Playbooks

Reference playbooks are available to automate common workflows.

To install a playbook:

  1. Navigate to Automation → Playbook templates
  2. Search for "DNSDB" or "Farsight"
  3. Select the desired playbook
  4. Select Create playbook
  5. Follow the installation steps

Configure API Connections

The installation process for DNSDB is nearly identical to the DomainTools Iris installation.

  1. Open each playbook in Logic App designer
  2. On first use, select Change Connection then Add new
  3. Enter your Farsight DNSDB API key
  4. Select Create then Save
  5. On subsequent Logic App connections, simply select the existing connection

Note

Any usage is counted against your daily or block quota.

Configure Permissions

Each Logic App needs permission to add comments to incidents.

  1. From the Sentinel workspace, go to Settings → Workspace Settings → IAM → Add role assignment
  2. Select the Microsoft Sentinel Responder role and continue to the members step
  3. Under Assign access to, select Managed identity, then Select members
  4. Filter the managed identity list for Logic App and select each playbook you just added
  5. Select Review + assign

Note

If Add role assignment is reported as disabled, an administrator may need to assist, or your permissions may need to be elevated to allow managing role assignments, as outlined in the Azure technical documentation.

If some of the playbooks already hold this role, a failure notice for the duplicate assignment may appear; it can be ignored.

The app is now configured.

Available Playbooks

  • DNSDB_Historical_Hosts: Uses the Farsight DNSDB connector to enrich IP address entities found in Sentinel incidents. Given an address and a time window (a starting and a stopping point in time), it returns all hostnames that resolved to that address within the window.
  • DNSDB_Historical_Address: Uses the Farsight DNSDB connector to enrich domain entities found in Sentinel incidents. Given a hostname and a time window, it returns all addresses used as DNS A records for that host within the window.
  • DNSDB_Co_Located_IP_Address: Uses the Farsight DNSDB connector to enrich IP address entities found in Sentinel incidents. Given an address, it returns the set of other IPs that are co-located with it, that is, addresses that shared a domain with the originating IP address.
  • DNSDB_Co_Located_Hosts: Uses the Farsight DNSDB connector to enrich domain entities found in Sentinel incidents. Given a hostname and a point in time, it returns the set of other domains that were co-located with it, that is, names that shared the same IP address as the originating domain at that point in time.

Available Actions

  • Flexible Search: Adds regular-expression and glob matching to DNSDB queries, expanding the kinds of searches you can run and giving finer control over what matches.
  • Ping: An end-to-end connectivity test to the DNSDB API endpoint, confirming that no firewall is blocking the path. It does not require an API key and returns only the JSON object {"ping": "ok"}.
  • RData Lookup: Queries DNSDB's RData index, which supports inverse lookups by record value (for example, which owner names have pointed at a given IP address).
  • RData Lookup with RRType: The same inverse lookup, restricted to a single record type (for example, only A or only NS records).
  • RRSet Lookup: Queries DNSDB's RRset index, which supports forward lookups by the owner name of an RRset (for example, what a hostname has resolved to).
  • RRSet Lookup with RRType: The same forward lookup, restricted to a single record type.
  • RRSet Lookup with RRType and Bailiwick: The same forward lookup, restricted to a record type and to records observed under a specific bailiwick (the zone that served the answer).
  • Service Limits: Retrieves the service limits (quota and rate limits) in effect for your API key.
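The following Python example is added here to show, at the API level, what the lookup actions above and the Historical_* and Co_Located_* playbooks do; it is not the connector's, DomainTools' or Farsight's own code. It assumes the public DNSDB API v2 conventions (base URL https://api.dnsdb.info/dnsdb/v2, the X-API-Key header, the time_first_before/time_last_after window parameters, and the streaming NDJSON "SAF" response framed by {"cond": ...} messages); the sample response and the names and addresses in it are constructed for this example. It also generalises beyond the single-IP pivot: the same helpers handle a CIDR prefix and any rrtype/bailiwick combination.

```python
"""Added example (not the page's or the connector's code): build DNSDB API v2
lookup URLs the way the playbook actions do, parse the streaming NDJSON (SAF)
response, and apply the time-window and IP-to-hosts pivot logic behind the
Historical_* and Co_Located_* playbooks. All sample data is constructed."""
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

DNSDB_BASE = "https://api.dnsdb.info/dnsdb/v2"  # assumed public API v2 base URL


def _window_params(window_start=None, window_end=None, limit=None):
    # A record is "in the window" when its observation span overlaps it:
    # time_last >= window_start and time_first <= window_end. DNSDB expresses
    # that server-side as time_last_after / time_first_before (epoch seconds),
    # so the quota is spent only on rows that can matter.
    params = {}
    if window_start is not None:
        params["time_last_after"] = int(window_start)
    if window_end is not None:
        params["time_first_before"] = int(window_end)
    if limit is not None:
        params["limit"] = int(limit)
    return params


def rrset_lookup_url(owner_name, rrtype=None, bailiwick=None, **window):
    """Forward lookup (RRSet Lookup, optionally with RRType and Bailiwick):
    what has this owner name resolved to?"""
    path = f"/lookup/rrset/name/{quote(owner_name, safe='')}"
    if rrtype:
        path += f"/{rrtype}"
        if bailiwick:
            path += f"/{quote(bailiwick, safe='')}"
    elif bailiwick:
        raise ValueError("a bailiwick can only be given together with an rrtype")
    params = _window_params(**window)
    return f"{DNSDB_BASE}{path}" + (f"?{urlencode(params)}" if params else "")


def rdata_ip_lookup_url(ip, **window):
    """Inverse lookup (RData Lookup): which owner names have pointed at this
    address? A prefix is written 192.0.2.0,24 because '/' is not allowed here."""
    params = _window_params(**window)
    return f"{DNSDB_BASE}/lookup/rdata/ip/{quote(ip, safe=':,')}" + (
        f"?{urlencode(params)}" if params else "")


def fetch_ndjson(url, api_key, timeout=30):
    """Live call, not exercised offline. Every call counts against the
    API key's daily or block quota."""
    req = Request(url, headers={"X-API-Key": api_key,
                                "Accept": "application/x-ndjson"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_saf(ndjson_text):
    """Parse a Streaming API Framework response into (records, status).
    status is the terminal 'cond' ('succeeded', 'limited', 'failed'); a stream
    that ends without one is reported as 'incomplete' so callers never treat a
    truncated answer as the full set of hosts."""
    records, status = [], "incomplete"
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "obj" in msg:
            records.append(msg["obj"])
        if msg.get("cond") in ("succeeded", "limited", "failed"):
            status = msg["cond"]
            break
    return records, status


def in_window(record, window_start=None, window_end=None):
    """Client-side restatement of the overlap test used in _window_params."""
    after_start = window_start is None or record["time_last"] >= window_start
    before_end = window_end is None or record["time_first"] <= window_end
    return after_start and before_end


def hosts_for_ip(records, window_start=None, window_end=None):
    """Historical_Hosts: owner names that resolved to the looked-up address."""
    return {r["rrname"] for r in records if in_window(r, window_start, window_end)}


def colocated_hosts(records, origin_name, **window):
    """Co_Located_Hosts: other names that shared the origin's address."""
    return hosts_for_ip(records, **window) - {origin_name}


# Constructed sample of what an RData Lookup for 192.0.2.10 might stream back.
SAMPLE_RDATA_IP_RESPONSE = "\n".join([
    '{"cond":"begin"}',
    '{"obj":{"count":42,"time_first":1704067200,"time_last":1706745600,'
    '"rrname":"www.example.com.","rrtype":"A","rdata":"192.0.2.10"}}',
    '{"obj":{"count":3,"time_first":1680000000,"time_last":1690000000,'
    '"rrname":"old.example.org.","rrtype":"A","rdata":"192.0.2.10"}}',
    '{"obj":{"count":7,"time_first":1705000000,"time_last":1709000000,'
    '"rrname":"cdn.example.net.","rrtype":"A","rdata":"192.0.2.10"}}',
    '{"cond":"succeeded"}',
])

if __name__ == "__main__":
    window = {"window_start": 1704067200, "window_end": 1707000000}
    print(rdata_ip_lookup_url("192.0.2.10", **window))
    records, status = parse_saf(SAMPLE_RDATA_IP_RESPONSE)
    print(status, sorted(colocated_hosts(records, "www.example.com.", **window)))
```

Two details matter in practice. The window is an overlap test on the record's first-seen/last-seen span, so a name that was first observed before the incident but still pointed at the address during it is kept, while one that stopped resolving before the window is dropped. And a stream that ends with {"cond": "limited"} or with no terminal message at all means the result set is truncated by the limit or the quota, which should be stated in the incident comment rather than presented as a complete list of co-located hosts.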

Using the Integration

Once the playbooks are installed, you can trigger them using the Automated Response section of Analytic rules in Sentinel.

Farsight DNSDB supports the enrichment of both domain and IP-based indicators. Verify that the incident contains the appropriate entity types to get started.

After an incident is created, the attached playbook runs automatically. As a shortcut for testing, you can right-click an existing incident that contains the appropriate entity type and run the playbook on it again. If it runs successfully, the output appears as a comment on the incident.

Additional Resources