Rare client observed with high reverse DNS lookup count

Back


Id	15ae38a2-2e29-48f7-883f-863fb25a5a06
Rulename	Rare client observed with high reverse DNS lookup count
Description	Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity. Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.
Severity	Medium
Tactics	Discovery
Techniques	T1046
Required data connectors	DNS
Kind	Scheduled
Query frequency	1d
Query period	8d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
Version	1.0.2
Arm template	15ae38a2-2e29-48f7-883f-863fb25a5a06.json

KQL

let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name has "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (DnsEvents
    | where TimeGenerated between(ago(starttime)..ago(endtime))
    | where Name has "in-addr.arpa"
    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
    | where dcount_Name > threshold
    | project ClientIP , dcount_Name
) on ClientIP

YAML

description: |
  'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.
  Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'  
entityMappings:
- fieldMappings:
  - columnName: ClientIP
    identifier: Address
  entityType: IP
query: |
  let starttime = 8d;
  let endtime = 1d;
  let threshold = 10;
  DnsEvents
  | where TimeGenerated > ago(endtime)
  | where Name has "in-addr.arpa"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
  | where dcount_Name > threshold
  | project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
  // Filter out previously seen IPs
  // Returns all the records from the left side that don't have matches from the right
  | join kind=leftanti (DnsEvents
      | where TimeGenerated between(ago(starttime)..ago(endtime))
      | where Name has "in-addr.arpa"
      | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
      | where dcount_Name > threshold
      | project ClientIP , dcount_Name
  ) on ClientIP  
tactics:
- Discovery
severity: Medium
triggerThreshold: 0
queryFrequency: 1d
status: Available
queryPeriod: 8d
relevantTechniques:
- T1046
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
name: Rare client observed with high reverse DNS lookup count
kind: Scheduled
triggerOperator: gt
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS

ARM