From 05c61992965bb24776e4f5fa2f09043506925bdc Mon Sep 17 00:00:00 2001 From: Matt Egen Date: Mon, 9 May 2022 11:48:12 -0700 Subject: [PATCH] Update ReadMe.md Corrected AzureDeploy button link. Was pointing to wrong location --- Tools/RDAP/RDAPQuery/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/RDAP/RDAPQuery/README.md b/Tools/RDAP/RDAPQuery/README.md index 4ed431964a..712d1916b0 100644 --- a/Tools/RDAP/RDAPQuery/README.md +++ b/Tools/RDAP/RDAPQuery/README.md @@ -6,7 +6,7 @@ mattegen@microsoft.com Follow @FlyingBlueMonki on Twitter -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FTools%2FRDAP%2FRDAPQuery%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FRDAP%2FRDAPQuery%2Fazuredeploy.json) With the ever increasing number of new domains on the Internet as well as all of the new Top Level Domains (TLD), it's often hard to know if a user has gone to a potentially malicious new site that has just popped up online. To help with this, a SOC team or analyst could track for users accessing newly registered domains. One way to do this is to query the Registration Data Access Protocol (RDAP). RDAP allows you to access domain name registration data (much like its predecesor the WHOIS protocol does today) but via an API call and with a better, more machine readable structure to the data. This Azure Function queries an Azure Sentinel environment, finds domain names of interest, and then conducts an RDAP lookup to retrieve information about the domain for investigators and analysts. There is also an Azure Sentinel Analytic rule that can then alert if evidence of a domain that was registered in the last 30 days should be found.
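Review bot: The new URL is the right fix for this hunk, since the Azure portal's Microsoft.Template/uri handler needs the template JSON itself and the old `github.com/.../blob/master/...` link serves the GitHub HTML page around the file rather than the raw `azuredeploy.json`. One point to consider before merging: the corrected link still resolves `%2Fmaster%2F`, so whatever is on `master` at click time is what gets deployed into the subscription, with no way for the person clicking the button to verify they are getting the template that was reviewed. If reproducible deployments matter for this Function, pin the raw URL to a tag or commit id instead of the branch name (the same `raw.githubusercontent.com/Azure/Azure-Sentinel/<ref>/Tools/RDAP/RDAPQuery/azuredeploy.json` shape, with `<ref>` replaced by a commit SHA), or document in the README that the button always deploys the current head of `master`. Minor: the commit subject says `ReadMe.md` while the file touched is `README.md`.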