Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
| Id | 77b7c820-5f60-4779-8bdb-f06e21add5f1 |
| Rulename | Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) |
| Description | This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. \n\nIt utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. |
| Severity | Medium |
| Tactics | Reconnaissance |
| Techniques | T1590 |
| Required data connectors | AIVectraStream ASimDnsActivityLogs AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS ISCBind NXLogDnsLogs WindowsForwardedEvents Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 10d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml |
| Version | 1.0.0 |
| Arm template | 77b7c820-5f60-4779-8bdb-f06e21add5f1.json |
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
| where wl_RuleName == 'Rare client observed with high reverse DNS lookup'
and wl_Type == 'Detection'
| project toint(wl_Threshold));
let stime = 10d;
let etime = 1d;
let SearchDomain = dynamic(["in-addr.arpa"]);
_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > toscalar(threshold)
| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount
| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)
| where DNSQueryCount > toscalar(threshold)
| project SrcIpAddr, DNSQueryCount
)
on SrcIpAddr
| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
on SrcIpAddr
| extend DNSQuerythreshold = toint(toscalar(threshold))
| project-away SrcIpAddr1
query: |
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
| where wl_RuleName == 'Rare client observed with high reverse DNS lookup'
and wl_Type == 'Detection'
| project toint(wl_Threshold));
let stime = 10d;
let etime = 1d;
let SearchDomain = dynamic(["in-addr.arpa"]);
_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > toscalar(threshold)
| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount
| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)
| where DNSQueryCount > toscalar(threshold)
| project SrcIpAddr, DNSQueryCount
)
on SrcIpAddr
| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)
| summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)
on SrcIpAddr
| extend DNSQuerythreshold = toint(toscalar(threshold))
| project-away SrcIpAddr1
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
customDetails:
DNSQuerythreshold: DNSQuerythreshold
DNSQueries: DNSQueries
DNSQueryCount: DNSQueryCount
queryFrequency: 1d
requiredDataConnectors:
- connectorId: ASimDnsActivityLogs
dataTypes:
- ASimDnsActivityLogs
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AIVectraStream
dataTypes:
- VectraStream_CL
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvents
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: ISCBind
dataTypes:
- Syslog
id: 77b7c820-5f60-4779-8bdb-f06e21add5f1
version: 1.0.0
name: Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
kind: Scheduled
status: Available
relevantTechniques:
- T1590
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml
queryPeriod: 10d
alertDetailsOverride:
alertDescriptionFormat: |-
Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.
Reverse DNS lookup threshold is: '{{DNSQuerythreshold}}'
Current reverse DNS lookup count from this client is : '{{DNSQueryCount}}'
DNS queries requested by this client inlcude: '{{DNSQueries}}'
alertDisplayNameFormat: "[Static threshold] Rare client has been observed as making high reverse DNS lookup count - client IP: '{{SrcIpAddr}}'"
severity: Medium
triggerOperator: gt
tactics:
- Reconnaissance
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
description: |
'This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. \n\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/77b7c820-5f60-4779-8bdb-f06e21add5f1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/77b7c820-5f60-4779-8bdb-f06e21add5f1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)",
"description": "'This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. \\n\\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
"severity": "Medium",
"enabled": true,
"query": "let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')\n | where wl_RuleName == 'Rare client observed with high reverse DNS lookup'\n and wl_Type == 'Detection'\n | project toint(wl_Threshold));\nlet stime = 10d;\nlet etime = 1d;\nlet SearchDomain = dynamic([\"in-addr.arpa\"]);\n_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)\n| summarize\n StartTimeUtc = min(TimeGenerated),\n EndTimeUtc = max(TimeGenerated),\n DNSQueryCount=dcount(DnsQuery)\n by SrcIpAddr\n| where DNSQueryCount > toscalar(threshold)\n| project StartTimeUtc, EndTimeUtc, SrcIpAddr, DNSQueryCount \n| join kind=leftanti (_Im_Dns(starttime=ago(stime), endtime=ago(etime), domain_has_any=SearchDomain)\n | summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated, 1d)\n | where DNSQueryCount > toscalar(threshold)\n | project SrcIpAddr, DNSQueryCount\n )\n on SrcIpAddr\n| join kind=inner (_Im_Dns(starttime=ago(etime), domain_has_any=SearchDomain)\n | summarize DNSQueries=make_set(DnsQuery, 1000) by SrcIpAddr)\n on SrcIpAddr\n| extend DNSQuerythreshold = toint(toscalar(threshold))\n| project-away SrcIpAddr1\n",
"queryFrequency": "P1D",
"queryPeriod": "P10D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Reconnaissance"
],
"techniques": [
"T1590"
],
"alertRuleTemplateName": "77b7c820-5f60-4779-8bdb-f06e21add5f1",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
"alertDisplayNameFormat": "[Static threshold] Rare client has been observed as making high reverse DNS lookup count - client IP: '{{SrcIpAddr}}'"
},
"customDetails": {
"DNSQuerythreshold": "DNSQuerythreshold",
"DNSQueries": "DNSQueries",
"DNSQueryCount": "DNSQueryCount"
},
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}