GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr
name: Google DNS - Malicous Python packages
query: |
GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr
queryFrequency: 15m
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- GCPCloudDNS
connectorId: GCPDNSDataConnector
entityMappings:
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: DNSCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
description: |
'Detects requests to resources with malicious Python packages.'
version: 1.0.0
id: 75491db8-eaf7-40bb-a46a-279872cc82f5
kind: Scheduled
relevantTechniques:
- T1195
severity: High
tactics:
- InitialAccess
queryPeriod: 15m
