Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Rare client observed with high reverse DNS lookup count

Back
Id15ae38a2-2e29-48f7-883f-863fb25a5a06
RulenameRare client observed with high reverse DNS lookup count
DescriptionIdentifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.

Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.
SeverityMedium
TacticsDiscovery
TechniquesT1046
Required data connectorsDNS
KindScheduled
Query frequency1d
Query period8d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
Version1.0.2
Arm template15ae38a2-2e29-48f7-883f-863fb25a5a06.json
Deploy To Azure
let starttime = 8d;
let endtime = 1d;
let threshold = 10;
DnsEvents
| where TimeGenerated > ago(endtime)
| where Name has "in-addr.arpa"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
| where dcount_Name > threshold
| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (DnsEvents
    | where TimeGenerated between(ago(starttime)..ago(endtime))
    | where Name has "in-addr.arpa"
    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
    | where dcount_Name > threshold
    | project ClientIP , dcount_Name
) on ClientIP
kind: Scheduled
status: Available
triggerThreshold: 0
relevantTechniques:
- T1046
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS
queryPeriod: 8d
tactics:
- Discovery
severity: Medium
triggerOperator: gt
description: |
  'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.
  Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'  
query: |
  let starttime = 8d;
  let endtime = 1d;
  let threshold = 10;
  DnsEvents
  | where TimeGenerated > ago(endtime)
  | where Name has "in-addr.arpa"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP
  | where dcount_Name > threshold
  | project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List
  // Filter out previously seen IPs
  // Returns all the records from the left side that don't have matches from the right
  | join kind=leftanti (DnsEvents
      | where TimeGenerated between(ago(starttime)..ago(endtime))
      | where Name has "in-addr.arpa"
      | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)
      | where dcount_Name > threshold
      | project ClientIP , dcount_Name
  ) on ClientIP  
name: Rare client observed with high reverse DNS lookup count
version: 1.0.2
id: 15ae38a2-2e29-48f7-883f-863fb25a5a06
queryFrequency: 1d
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ae38a2-2e29-48f7-883f-863fb25a5a06')]",
      "properties": {
        "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06",
        "customDetails": null,
        "description": "'Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.'\n",
        "displayName": "Rare client observed with high reverse DNS lookup count",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighReverseDNSCount_detection.yaml",
        "query": "let starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents\n| where TimeGenerated > ago(endtime)\n| where Name has \"in-addr.arpa\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\n// Filter out previously seen IPs\n// Returns all the records from the left side that don't have matches from the right\n| join kind=leftanti (DnsEvents\n    | where TimeGenerated between(ago(starttime)..ago(endtime))\n    | where Name has \"in-addr.arpa\"\n    | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n    | where dcount_Name > threshold\n    | project ClientIP , dcount_Name\n) on ClientIP\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P8D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1046"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}