Skip to content

h0ffayyy/SentinelDomainMonitor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

.github/workflows

.github/workflows

 
 

DomainMonitor

DomainMonitor

 
 

KQL

KQL

 
 

Playbooks/Manage-DomainMonitorContainer

Playbooks/Manage-DomainMonitorContainer

 
 

Workbooks/MicrosoftSentinel-DomainMonitor

Workbooks/MicrosoftSentinel-DomainMonitor

 
 

images

images

 
 

logs

logs

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

azuredeploy.json

azuredeploy.json

 
 

main.bicep

main.bicep

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

MicrosoftSentinel-DomainMonitor

Simple python program that takes a list of domains and uses dnstwist to check for active lookalikes with WHOIS enrichment. Designed to be used with Azure Log Analytics and Microsoft Sentinel.

Table of Contents

Sentinel resources

Included in this repository are two Microsoft Sentinel resources to help you get started monitoring domains. Check the README files for each for more info:

Run with Azure Containers

GitHub Workflow Status (with event)

A Dockerfile has been provided to run this in an Azure Container Instance. I also recommend deploying the solution using the provided ARM template.

Note Please note that running this in an Azure Container Instance with longer domains is pretty slow. For my website, aaron-hoffmann.com, it takes about an hour to complete. For reference, a one or two letter domain only takes a couple mintues, and google.com took about 10 minutes.

For full details on getting started with Azure Container Instances, check out the official documentation.

ACI manual setup - Build the image yourself

Exapnd
  1. Create an Azure Container Registry
  2. Log in to your registry: az acr login --name <registry-name>
  3. Clone the repository and cd to the directory: cd SentinelDomainMonitor/
  4. Build the image: docker build -t sentinel-domain-monitor .
  5. After the image has been built, tag the image for your container registry: docker tag sentinel-domain-monitor:v1 <registry-login-server>/sentinel-domain-monitor:v1
  6. Push the image to the registry: docker push <login-server>/sentinel-domain-monitor:v1
  7. Once the image has been uploaded, create a container instance. You can use the default size of 1 vCPU and 1.5GB memory
  8. Wait for the container run to complete, and verify you see events in the DomainMonitor_CL Log Analytics table

ACI manual setup - Use my DockerHub image

Exapnd
  1. Create a new container instance
  2. Under Image Source, select 'Other'
  3. Enter the value: h0ffayyy/sentinel-domain-monitor:v1
  4. Set OS type as Linux
  5. You can use the default size of 1 vCPU and 1.5GB memory
  6. Wait for the container run to complete, and verify you see events in the DomainMonitor_CL Log Analytics table

Environment variables

When creating the container, set the following environment variables in the Advanced tab:

  • WORKSPACE_ID: your log analytics workspace ID
  • SHARED_KEY: your log analytics workspace primary key
  • azure_storage_account: the name of the storage account
  • azure_storage_blob_name: the name of the blob that contains the domains to be monitored
  • azure_storage_container: the name of the blob storage container

Configuring watched domains

  • If deploying using the provided ARM/Bicep template, place your watched domains in a text file named domains.txt and upload it to the blob storage container that was created.
  • If deploying manually, place your domains.txt file in the same directory as the Dockerfile and uncomment the line #COPY domains.txt .

Optional - control container with a Logic App

If you'd like to automatically start the container, an example logic app has been included. The logic app is set to trigger once a day.

Run locally

Requirements

SentinelDomainMonitor requires the following python packages:

dnstwist[full]
logger
python-whois
requests

See requirements.txt

Additionally, your OS must has a package for whois.

  • Debian/Ubuntu: sudo apt install whois

Installation

To install, download the latest release and unzip the contents.

Configuration

Place the domains you want to monitor in the domains.txt file, one per line.

Set the following environment variables:

  • WORKSPACE_ID: your log analytics workspace ID
  • SHARED_KEY: your log analytics workspace primary key

Logging

SentinelDomainMonitor write logs locally to logs/domain_monitor.log in the container, and to Log Analytics under the table name "DomainMonitor_CL".

Costs

Costs will vary based on deployed region, total runtime, etc. Running this once per day with an Azure Container Registry, Azure Container instance, and Logic App in East US is roughly $5-6 USD per month:

Deploy to Azure

Deploy the entire solution, including workbooks and playbooks using the buttons below:

Deploy to Azure Deploy to Azure Gov

This template creates the following resources:

  • Azure Container Instance that points to my DockerHub image
  • Storage Account and Blob storage container
  • Role assignment providing container instance Azure Blob Storage Reader access to the storage account
  • Playbook

About

Use dnstwist to monitor for lookalike domains and send logs to Azure Log Analytics

Topics

azure containers cybersecurity microsoft-sentinel

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages