Rare client observed with high reverse DNS lookup count

Back


Id	15ae38a2-2e29-48f7-883f-863fb25a5a06
Rulename	Rare client observed with high reverse DNS lookup count
Description	Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity. Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.
Severity	Medium
Tactics	Discovery
Techniques	T1046
Required data connectors	DNS
Kind	Scheduled
Query frequency	1d
Query period	8d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
Version	1.0.1
Arm template	15ae38a2-2e29-48f7-883f-863fb25a5a06.json

KQL

let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name contains "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name
| join kind=leftanti (DnsEvents
    | where TimeGenerated between(ago(starttime)..ago(endtime))
    | where Name contains "in-addr.arpa"
    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
    | where dcount_Name > threshold
    | project ClientIP , dcount_Name
) on ClientIP
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP

YAML

queryPeriod: 8d
version: 1.0.1
relevantTechniques:
- T1046
queryFrequency: 1d
kind: Scheduled
name: Rare client observed with high reverse DNS lookup count
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
severity: Medium
query: |
  let starttime = 8d;
  let endtime = 1d;
  let threshold = 10;
  DnsEvents
  | where TimeGenerated > ago(endtime)
  | where Name contains "in-addr.arpa"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP
  | where dcount_Name > threshold
  | project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name
  | join kind=leftanti (DnsEvents
      | where TimeGenerated between(ago(starttime)..ago(endtime))
      | where Name contains "in-addr.arpa"
      | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
      | where dcount_Name > threshold
      | project ClientIP , dcount_Name
  ) on ClientIP
  | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP  
tactics:
- Discovery
description: |
  'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.
  Alert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'  
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
status: Available
triggerThreshold: 0
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Rare client observed with high reverse DNS lookup count",
        "description": "'Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents\n| where TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name\n| join kind=leftanti (DnsEvents\n    | where TimeGenerated between(ago(starttime)..ago(endtime))\n    | where Name contains \"in-addr.arpa\"\n    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n    | where dcount_Name > threshold\n    | project ClientIP , dcount_Name\n) on ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P8D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1046"
        ],
        "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml",
        "status": "Available",
        "templateVersion": "1.0.1"
      }
    }
  ]
}