Google DNS - Malicous Python packages

Back


Id	75491db8-eaf7-40bb-a46a-279872cc82f5
Rulename	Google DNS - Malicous Python packages
Description	Detects requests to resources with malicious Python packages.
Severity	High
Tactics	InitialAccess
Techniques	T1195
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
Version	1.0.0
Arm template	75491db8-eaf7-40bb-a46a-279872cc82f5.json

KQL

GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

description: |
    'Detects requests to resources with malicious Python packages.'
version: 1.0.0
queryFrequency: 15m
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
query: |
  GCPCloudDNS
  | where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
id: 75491db8-eaf7-40bb-a46a-279872cc82f5
name: Google DNS - Malicous Python packages
triggerOperator: gt
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: DNSCustomEntity
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
relevantTechniques:
- T1195
requiredDataConnectors:
- dataTypes:
  - GCPCloudDNS
  connectorId: GCPDNSDataConnector

ARM