Rare client observed with high reverse DNS lookup count
| Id | 15ae38a2-2e29-48f7-883f-863fb25a5a06 |
| Rulename | Rare client observed with high reverse DNS lookup count |
| Description | Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity. Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1046 |
| Required data connectors | DNS |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 8d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml |
| Version | 1.0.2 |
| Arm template | 15ae38a2-2e29-48f7-883f-863fb25a5a06.json |
let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name has "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (DnsEvents
| where TimeGenerated between(ago(starttime)..ago(endtime))
| where Name has "in-addr.arpa"
| summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
| where dcount_Name > threshold
| project ClientIP , dcount_Name
) on ClientIP
relevantTechniques:
- T1046
name: Rare client observed with high reverse DNS lookup count
requiredDataConnectors:
- dataTypes:
- DnsEvents
connectorId: DNS
entityMappings:
- fieldMappings:
- identifier: Address
columnName: ClientIP
entityType: IP
triggerThreshold: 0
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
tactics:
- Discovery
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
queryPeriod: 8d
kind: Scheduled
queryFrequency: 1d
severity: Medium
status: Available
description: |
'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.
Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'
query: |
let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name has "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (DnsEvents
| where TimeGenerated between(ago(starttime)..ago(endtime))
| where Name has "in-addr.arpa"
| summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
| where dcount_Name > threshold
| project ClientIP , dcount_Name
) on ClientIP
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
"properties": {
"alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06",
"customDetails": null,
"description": "'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'\n",
"displayName": "Rare client observed with high reverse DNS lookup count",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ClientIP",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml",
"query": "let starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents\n| where TimeGenerated > ago(endtime)\n| where Name has \"in-addr.arpa\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\n// Filter out previously seen IPs\n// Returns all the records from the left side that don't have matches from the right\n| join kind=leftanti (DnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | where Name has \"in-addr.arpa\"\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | where dcount_Name > threshold\n | project ClientIP , dcount_Name\n) on ClientIP\n",
"queryFrequency": "P1D",
"queryPeriod": "P8D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1046"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}