Rare client observed with high reverse DNS lookup count - Static threshold based ASIM DNS Solution
| Id | 77b7c820-5f60-4779-8bdb-f06e21add5f1 |
| Rulename | Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) |
| Description | This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. |
| Severity | Medium |
| Tactics | Reconnaissance |
| Techniques | T1590 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 10d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml |
| Version | 1.0.2 |
| Arm template | 77b7c820-5f60-4779-8bdb-f06e21add5f1.json |
let threshold = 10;
let stime = 10d;
let etime = 1d;
let SearchDomain = dynamic(["in-addr.arpa"]);
_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > threshold
| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount
| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)
| where DNSQueryCount > threshold
| project SrcIpAddr, DNSQueryCount
)
on SrcIpAddr
| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
on SrcIpAddr
| extend DNSQuerythreshold = threshold
| project-away SrcIpAddr1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml
query: |
let threshold = 10;
let stime = 10d;
let etime = 1d;
let SearchDomain = dynamic(["in-addr.arpa"]);
_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > threshold
| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount
| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)
| where DNSQueryCount > threshold
| project SrcIpAddr, DNSQueryCount
)
on SrcIpAddr
| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
on SrcIpAddr
| extend DNSQuerythreshold = threshold
| project-away SrcIpAddr1
description: |
'This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
severity: Medium
requiredDataConnectors: []
eventGroupingSettings:
aggregationKind: AlertPerResult
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
triggerThreshold: 0
version: 1.0.2
customDetails:
DNSQueryCount: DNSQueryCount
DNSQueries: DNSQueries
DNSQuerythreshold: DNSQuerythreshold
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
tactics:
- Reconnaissance
alertDetailsOverride:
alertDescriptionFormat: |-
Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.
Reverse DNS lookup threshold is: '{{DNSQuerythreshold}}'
Current reverse DNS lookup count from this client is : '{{DNSQueryCount}}'
DNS queries requested by this client inlcude: '{{DNSQueries}}'
alertDisplayNameFormat: "[Static threshold] Rare client has been observed as making high reverse DNS lookup count - client IP: '{{SrcIpAddr}}'"
relevantTechniques:
- T1590
triggerOperator: gt
name: Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
id: 77b7c820-5f60-4779-8bdb-f06e21add5f1
status: Available
kind: Scheduled
queryFrequency: 1d
queryPeriod: 10d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/77b7c820-5f60-4779-8bdb-f06e21add5f1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/77b7c820-5f60-4779-8bdb-f06e21add5f1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
"alertDisplayNameFormat": "[Static threshold] Rare client has been observed as making high reverse DNS lookup count - client IP: '{{SrcIpAddr}}'"
},
"alertRuleTemplateName": "77b7c820-5f60-4779-8bdb-f06e21add5f1",
"customDetails": {
"DNSQueries": "DNSQueries",
"DNSQueryCount": "DNSQueryCount",
"DNSQuerythreshold": "DNSQuerythreshold"
},
"description": "'This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
"displayName": "Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml",
"query": "let threshold = 10;\nlet stime = 10d;\nlet etime = 1d;\nlet SearchDomain = dynamic([\"in-addr.arpa\"]);\n_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)\n| summarize\n StartTimeUtc = min(TimeGenerated),\n EndTimeUtc = max(TimeGenerated),\n DNSQueryCount=dcount(DnsQuery)\n by SrcIpAddr\n| where DNSQueryCount > threshold\n| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount \n| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)\n | summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)\n | where DNSQueryCount > threshold\n | project SrcIpAddr, DNSQueryCount\n )\n on SrcIpAddr\n| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)\n | summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)\n on SrcIpAddr\n| extend DNSQuerythreshold = threshold\n| project-away SrcIpAddr1\n",
"queryFrequency": "P1D",
"queryPeriod": "P10D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Reconnaissance"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1590"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}