Google DNS - Malicous Python packages

Back


Id	75491db8-eaf7-40bb-a46a-279872cc82f5
Rulename	Google DNS - Malicous Python packages
Description	Detects requests to resources with malicious Python packages.
Severity	High
Tactics	InitialAccess
Techniques	T1195
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
Version	1.0.0
Arm template	75491db8-eaf7-40bb-a46a-279872cc82f5.json

KQL

GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

query: |
  GCPCloudDNS
  | where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: DNSCustomEntity
  entityType: DNS
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerOperator: gt
description: |
    'Detects requests to resources with malicious Python packages.'
tactics:
- InitialAccess
severity: High
queryFrequency: 15m
kind: Scheduled
name: Google DNS - Malicous Python packages
triggerThreshold: 0
id: 75491db8-eaf7-40bb-a46a-279872cc82f5
requiredDataConnectors:
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCPCloudDNS
relevantTechniques:
- T1195
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
queryPeriod: 15m

ARM