Google DNS - Malicous Python packages

Back


Id	75491db8-eaf7-40bb-a46a-279872cc82f5
Rulename	Google DNS - Malicous Python packages
Description	Detects requests to resources with malicious Python packages.
Severity	High
Tactics	InitialAccess
Techniques	T1195
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
Version	1.0.0
Arm template	75491db8-eaf7-40bb-a46a-279872cc82f5.json

KQL

GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
kind: Scheduled
queryFrequency: 15m
query: |
  GCPCloudDNS
  | where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
relevantTechniques:
- T1195
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: DNSCustomEntity
    identifier: DomainName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
requiredDataConnectors:
- dataTypes:
  - GCPCloudDNS
  connectorId: GCPDNSDataConnector
name: Google DNS - Malicous Python packages
triggerThreshold: 0
description: |
    'Detects requests to resources with malicious Python packages.'
queryPeriod: 15m
version: 1.0.0
triggerOperator: gt
tactics:
- InitialAccess
severity: High
id: 75491db8-eaf7-40bb-a46a-279872cc82f5

ARM