let threshold = 15;
GCPCloudDNS
| where QueryTypeName in~ ('SIG', 'RRSIG')
| where NetworkProtocol =~ 'TCP'
| summarize count() by SrcIpAddr, bin(TimeGenerated, 1m)
| where count_ < threshold
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 15m
queryPeriod: 15m
kind: Scheduled
version: 1.0.0
triggerThreshold: 0
description: |
'Detects exploitation pattern of CVE-2020-1350 (SIGRED) vulnerability.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSSIGREDPattern.yaml
requiredDataConnectors:
- connectorId: GCPDNSDataConnector
dataTypes:
- GCPCloudDNS
id: 1267d53d-f5fd-418b-b8da-34453a5994c2
tactics:
- PrivilegeEscalation
name: Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern
triggerOperator: gt
relevantTechniques:
- T1068
query: |
let threshold = 15;
GCPCloudDNS
| where QueryTypeName in~ ('SIG', 'RRSIG')
| where NetworkProtocol =~ 'TCP'
| summarize count() by SrcIpAddr, bin(TimeGenerated, 1m)
| where count_ < threshold
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
severity: High
