Google DNS - Possible data exfiltration

Back


Id	705bed63-668f-4508-9d2d-26faf4010700
Rulename	Google DNS - Possible data exfiltration
Description	Detects possible data exfiltration.
Severity	High
Tactics	Exfiltration
Techniques	T1567
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSDataExfiltration.yaml
Version	1.0.0
Arm template	705bed63-668f-4508-9d2d-26faf4010700.json

KQL

GCPCloudDNS
| where Query has 'webhook.site'
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DNSCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
  GCPCloudDNS
  | where Query has 'webhook.site'
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
id: 705bed63-668f-4508-9d2d-26faf4010700
kind: Scheduled
relevantTechniques:
- T1567
requiredDataConnectors:
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCPCloudDNS
triggerOperator: gt
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSDataExfiltration.yaml
description: |
    'Detects possible data exfiltration.'
triggerThreshold: 0
name: Google DNS - Possible data exfiltration
tactics:
- Exfiltration
queryPeriod: 15m
version: 1.0.0
queryFrequency: 15m

ARM