Google DNS - Malicous Python packages

Back


Id	75491db8-eaf7-40bb-a46a-279872cc82f5
Rulename	Google DNS - Malicous Python packages
Description	Detects requests to resources with malicious Python packages.
Severity	High
Tactics	InitialAccess
Techniques	T1195
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
Version	1.0.0
Arm template	75491db8-eaf7-40bb-a46a-279872cc82f5.json

KQL

GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
description: |
    'Detects requests to resources with malicious Python packages.'
queryFrequency: 15m
name: Google DNS - Malicous Python packages
tactics:
- InitialAccess
triggerThreshold: 0
id: 75491db8-eaf7-40bb-a46a-279872cc82f5
query: |
  GCPCloudDNS
  | where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
severity: High
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - columnName: DNSCustomEntity
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
relevantTechniques:
- T1195
kind: Scheduled
requiredDataConnectors:
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCPCloudDNS

ARM