Google DNS - Malicous Python packages

Back


Id	75491db8-eaf7-40bb-a46a-279872cc82f5
Rulename	Google DNS - Malicous Python packages
Description	Detects requests to resources with malicious Python packages.
Severity	High
Tactics	InitialAccess
Techniques	T1195
Required data connectors	GCPDNSDataConnector
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
Version	1.0.0
Arm template	75491db8-eaf7-40bb-a46a-279872cc82f5.json

KQL

GCPCloudDNS
| where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr

YAML

description: |
    'Detects requests to resources with malicious Python packages.'
version: 1.0.0
tactics:
- InitialAccess
query: |
  GCPCloudDNS
  | where Query has_any ('psec.forward.io.global.prod.fastly.net', 'b0a0374cd1cb4305002e.d.requestbin.net', 'tornadodomain.000webhostapp.com', 'yxznlysc47wvrb9r9z211e1jbah15q')
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
triggerOperator: gt
kind: Scheduled
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1195
id: 75491db8-eaf7-40bb-a46a-279872cc82f5
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: DNSCustomEntity
  entityType: DNS
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
severity: High
name: Google DNS - Malicous Python packages
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSMaliciousPythonPackages.yaml
requiredDataConnectors:
- dataTypes:
  - GCPCloudDNS
  connectorId: GCPDNSDataConnector

ARM