Simple Python program that takes a list of domains and uses dnstwist to check for active lookalikes, with WHOIS enrichment. Designed to be used with Azure Log Analytics and Microsoft Sentinel.
Included in this repository are two Microsoft Sentinel resources to help you get started monitoring domains. Check the README files for each for more info:
- Playbook Manage-DomainMonitorContainer: A playbook that automatically starts the DomainMonitor container once per day
- Workbook MicrosoftSentinel-DomainMonitor: A workbook that visualizes the data from the DomainMonitor.
A Dockerfile has been provided to run this in an Azure Container Instance. I also recommend deploying the solution using the provided ARM template.
Note: Please note that running this in an Azure Container Instance with longer domains is pretty slow. For my website, aaron-hoffmann.com, it takes about an hour to complete. For reference, a one- or two-letter domain only takes a couple of minutes, and google.com took about 10 minutes.
For full details on getting started with Azure Container Instances, check out the official documentation.
Option 1: Build and push your own image
- Create an Azure Container Registry
- Log in to your registry:
az acr login --name <registry-name>
- Clone the repository and cd to the directory:
cd SentinelDomainMonitor/
- Build the image (tag it v1 so the tag and push steps below refer to an image that exists):
docker build -t sentinel-domain-monitor:v1 .
- After the image has been built, tag the image for your container registry:
docker tag sentinel-domain-monitor:v1 <registry-login-server>/sentinel-domain-monitor:v1
- Push the image to the registry:
docker push <registry-login-server>/sentinel-domain-monitor:v1
- Once the image has been uploaded, create a container instance. You can use the default size of 1 vCPU and 1.5GB memory
- Wait for the container run to complete, and verify you see events in the DomainMonitor_CL Log Analytics table
Option 2: Use the prebuilt DockerHub image
- Create a new container instance
- Under Image Source, select 'Other'
- Enter the image name: h0ffayyy/sentinel-domain-monitor:v1
- Set OS type as Linux
- You can use the default size of 1 vCPU and 1.5GB memory
- Wait for the container run to complete, and verify you see events in the DomainMonitor_CL Log Analytics table
When creating the container, set the following environment variables in the Advanced tab:
- WORKSPACE_ID: your Log Analytics workspace ID
- SHARED_KEY: your Log Analytics workspace primary key
- azure_storage_account: the name of the storage account
- azure_storage_blob_name: the name of the blob that contains the domains to be monitored
- azure_storage_container: the name of the blob storage container
- If deploying using the provided ARM/Bicep template, place your watched domains in a text file named domains.txt and upload it to the blob storage container that was created.
- If deploying manually, place your domains.txt file in the same directory as the Dockerfile and uncomment the following line in the Dockerfile:
#COPY domains.txt .
If you'd like to automatically start the container, an example logic app has been included. The logic app is set to trigger once a day.
SentinelDomainMonitor requires the following python packages:
dnstwist[full]
logger
python-whois
requests
See requirements.txt
Additionally, your OS must have the whois package installed.
- Debian/Ubuntu:
sudo apt install whois
To install, download the latest release and unzip the contents.
Place the domains you want to monitor in the domains.txt file, one per line.
Set the following environment variables:
- WORKSPACE_ID: your log analytics workspace ID
- SHARED_KEY: your log analytics workspace primary key
SentinelDomainMonitor writes logs locally to logs/domain_monitor.log in the container, and to Log Analytics under the table name "DomainMonitor_CL".
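As an added example (not the project's own code), the block below shows the two pieces of plumbing the setup above relies on: parsing the one-domain-per-line domains.txt file, and signing a batch of records for the Log Analytics Data Collector API with the WORKSPACE_ID and SHARED_KEY values from the environment variables. The signature scheme (HMAC-SHA256 over the method, body length, content type, x-ms-date header and resource path, keyed with the base64-decoded shared key, sent as "SharedKey <workspace-id>:<signature>") is Microsoft's documented scheme for that API. The workspace ID and key are constructed placeholders, the sample record is constructed in the style of dnstwist's JSON output, and nothing is actually sent: the function only returns the URL, headers and body a caller would pass to requests.post.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: not a real workspace ID or key.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
# Log Analytics appends "_CL" to the Log-Type header, giving the DomainMonitor_CL table.
LOG_TYPE = "DomainMonitor"
# Fixed timestamp so the demo request is reproducible.
FIXED_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)

# Constructed sample record modelled on dnstwist's JSON output (one registered lookalike).
SAMPLE_RECORDS = [
    {
        "fuzzer": "homoglyph",
        "domain": "examp1e.com",
        "dns_a": ["192.0.2.10"],
        "whois_created": "2023-11-02",
        "whois_registrar": "Example Registrar",
        "monitored_domain": "example.com",
    }
]


def load_domains(text: str) -> list:
    """Parse domains.txt content: one domain per line, blank lines and
    '#' comments ignored, lowercased, trailing dot stripped, duplicates removed."""
    seen = set()
    domains = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry and entry not in seen:
            seen.add(entry)
            domains.append(entry)
    return domains


def build_signature(workspace_id: str, shared_key: str, date_rfc1123: str,
                    content_length: int, method: str = "POST",
                    content_type: str = "application/json",
                    resource: str = "/api/logs") -> str:
    """Return the Authorization header value for the Data Collector API.
    The string to sign is the method, body length, content type, x-ms-date
    header and resource path on separate lines; the HMAC key is the
    base64-decoded workspace shared key."""
    string_to_sign = (
        f"{method}\n{content_length}\n{content_type}\n"
        f"x-ms-date:{date_rfc1123}\n{resource}"
    )
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key: str, records: list,
                  log_type: str, now: datetime = None) -> tuple:
    """Build (url, headers, body) for one POST of records to the workspace.
    Nothing is sent here; a caller would do requests.post(url, data=body, headers=headers)."""
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    date_rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")  # RFC 1123 date the API expects
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date_rfc1123,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body


if __name__ == "__main__":
    # Constructed domains.txt content with a comment, a duplicate and a trailing dot.
    watched = load_domains("# watched domains\nexample.com\nEXAMPLE.com\n\naaron-hoffmann.com.\n")
    print("monitoring:", watched)
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY,
                                       SAMPLE_RECORDS, LOG_TYPE, now=FIXED_TIME)
    print(url)
    print("Authorization:", headers["Authorization"][:48] + "...")
```

Because the x-ms-date value is part of the signed string, the workspace rejects requests whose date is stale or whose body length differs from the signed length, so a client must compute the signature per request, immediately before sending, from the exact bytes it will post.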
Costs will vary based on deployed region, total runtime, etc. Running this once per day with an Azure Container Registry, Azure Container Instance, and Logic App in East US is roughly $5-6 USD per month.
Deploy the entire solution, including workbooks and playbooks, using the buttons below:
This template creates the following resources:
- Azure Container Instance that points to my DockerHub image
- Storage Account and Blob storage container
- Role assignment providing container instance Azure Blob Storage Reader access to the storage account
- Playbook