Rare client observed with high reverse DNS lookup count - Anomaly based ASIM DNS Solution

let threshold = 2.5;
let SearchDomain = dynamic(["in-addr.arpa"]);
let min_t = ago(14d);
let max_t = now();
let timeframe = 1d;
let DNSEvents=(stime: datetime, etime: datetime) {
  _Im_Dns(starttime=stime, endtime=etime, domain_has_any=SearchDomain)
};
DNSEvents(stime=min_t, etime=max_t)
| make-series QueryCount=dcount(DnsQuery) on TimeGenerated from min_t to max_t step timeframe by SrcIpAddr
| extend (anomalies, score, baseline) = series_decompose_anomalies(QueryCount, threshold, -1, 'linefit')
| mv-expand anomalies, score, baseline, TimeGenerated, QueryCount
| extend
  anomalies = toint(anomalies),
  score = toint(score),
  baseline = toint(baseline),
  EventTime = todatetime(TimeGenerated),
  Total = tolong(QueryCount)
| where EventTime >= ago(timeframe)
| where score >= threshold * 2
| join kind = inner (DNSEvents(stime=ago(timeframe), etime=max_t)
  | summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
  on SrcIpAddr
| project-away SrcIpAddr1

id: 0fe6bde4-b215-480c-99b4-84a96edcdbd7
tactics:
- Reconnaissance
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)
query: |
  let threshold = 2.5;
  let SearchDomain = dynamic(["in-addr.arpa"]);
  let min_t = ago(14d);
  let max_t = now();
  let timeframe = 1d;
  let DNSEvents=(stime: datetime, etime: datetime) {
    _Im_Dns(starttime=stime, endtime=etime, domain_has_any=SearchDomain)
  };
  DNSEvents(stime=min_t, etime=max_t)
  | make-series QueryCount=dcount(DnsQuery) on TimeGenerated from min_t to max_t step timeframe by SrcIpAddr
  | extend (anomalies, score, baseline) = series_decompose_anomalies(QueryCount, threshold, -1, 'linefit')
  | mv-expand anomalies, score, baseline, TimeGenerated, QueryCount
  | extend
    anomalies = toint(anomalies),
    score = toint(score),
    baseline = toint(baseline),
    EventTime = todatetime(TimeGenerated),
    Total = tolong(QueryCount)
  | where EventTime >= ago(timeframe)
  | where score >= threshold * 2
  | join kind = inner (DNSEvents(stime=ago(timeframe), etime=max_t)
    | summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
    on SrcIpAddr
  | project-away SrcIpAddr1  
severity: Medium
customDetails:
  DNSQueries: DNSQueries
  AnomalyScore: score
  baseline: baseline
  Total: Total
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1590
tags:
- SchemaVersion: 0.1.6
  Schema: ASimDns
queryFrequency: 1d
requiredDataConnectors: []
version: 1.0.2
description: |
    'This rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: "[Anomaly] Rare client has been observed as making high reverse DNS lookup count  - client IP: '{{SrcIpAddr}}'"
  alertDescriptionFormat: |-
    Client has been identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.

    Reverse DNS lookup count baseline for this client: '{{baseline}}'

    Current reverse DNS lookup count by this client showing as: '{{Total}}'

    DNS queries requested by this client inlcude: '{{DNSQueries}}'    
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0fe6bde4-b215-480c-99b4-84a96edcdbd7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0fe6bde4-b215-480c-99b4-84a96edcdbd7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Client has been identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup count baseline for this client: '{{baseline}}'\n\nCurrent reverse DNS lookup count by this client showing as: '{{Total}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
          "alertDisplayNameFormat": "[Anomaly] Rare client has been observed as making high reverse DNS lookup count  - client IP: '{{SrcIpAddr}}'"
        },
        "alertRuleTemplateName": "0fe6bde4-b215-480c-99b4-84a96edcdbd7",
        "customDetails": {
          "AnomalyScore": "score",
          "baseline": "baseline",
          "DNSQueries": "DNSQueries",
          "Total": "Total"
        },
        "description": "'This rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
        "displayName": "Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml",
        "query": "let threshold = 2.5;\nlet SearchDomain = dynamic([\"in-addr.arpa\"]);\nlet min_t = ago(14d);\nlet max_t = now();\nlet timeframe = 1d;\nlet DNSEvents=(stime: datetime, etime: datetime) {\n  _Im_Dns(starttime=stime, endtime=etime, domain_has_any=SearchDomain)\n};\nDNSEvents(stime=min_t, etime=max_t)\n| make-series QueryCount=dcount(DnsQuery) on TimeGenerated from min_t to max_t step timeframe by SrcIpAddr\n| extend (anomalies, score, baseline) = series_decompose_anomalies(QueryCount, threshold, -1, 'linefit')\n| mv-expand anomalies, score, baseline, TimeGenerated, QueryCount\n| extend\n  anomalies = toint(anomalies),\n  score = toint(score),\n  baseline = toint(baseline),\n  EventTime = todatetime(TimeGenerated),\n  Total = tolong(QueryCount)\n| where EventTime >= ago(timeframe)\n| where score >= threshold * 2\n| join kind = inner (DNSEvents(stime=ago(timeframe), etime=max_t)\n  | summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)\n  on SrcIpAddr\n| project-away SrcIpAddr1\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "tags": [
          {
            "Schema": "ASimDns",
            "SchemaVersion": "0.1.6"
          }
        ],
        "techniques": [
          "T1590"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}