Rare client observed with high reverse DNS lookup count

Back


Id	15ae38a2-2e29-48f7-883f-863fb25a5a06
Rulename	Rare client observed with high reverse DNS lookup count
Description	Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity. Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.
Severity	Medium
Tactics	Discovery
Techniques	T1046
Required data connectors	DNS
Kind	Scheduled
Query frequency	1d
Query period	8d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
Version	1.0.2
Arm template	15ae38a2-2e29-48f7-883f-863fb25a5a06.json

KQL

let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name has "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (DnsEvents
    | where TimeGenerated between(ago(starttime)..ago(endtime))
    | where Name has "in-addr.arpa"
    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
    | where dcount_Name > threshold
    | project ClientIP , dcount_Name
) on ClientIP

YAML

kind: Scheduled
triggerThreshold: 0
queryPeriod: 8d
version: 1.0.2
query: |
  let starttime = 8d;
  let endtime = 1d;
  let threshold = 10;
  DnsEvents
  | where TimeGenerated > ago(endtime)
  | where Name has "in-addr.arpa"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
  | where dcount_Name > threshold
  | project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
  // Filter out previously seen IPs
  // Returns all the records from the left side that don't have matches from the right
  | join kind=leftanti (DnsEvents
      | where TimeGenerated between(ago(starttime)..ago(endtime))
      | where Name has "in-addr.arpa"
      | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
      | where dcount_Name > threshold
      | project ClientIP , dcount_Name
  ) on ClientIP  
status: Available
tactics:
- Discovery
queryFrequency: 1d
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
name: Rare client observed with high reverse DNS lookup count
severity: Medium
relevantTechniques:
- T1046
description: |
  'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.
  Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml

ARM