cloudflare/Azure-Sentinel
Exploration Queries/DnsEvents/LeastPrevClientIP-DNSNameQueryToIP.txt
| 1 | // Name: DNS Name Lookup Query from least prevalent ClientIP to remote IP Address |
| 2 | // Description: For a given remote IP address, lists the 10 least frequently querying ClientIP values (bottom 10 by lookup count) and the domain names they resolved, using DnsEvents LookupQuery records within +-3h of the supplied time. |
| 3 | // |
| 4 | // Entity: IPAddress |
| 5 | // Input: IPAddress |
| 6 | // Output: ClientIP |
| 7 | // |
| 8 | // QueryPeriod: +-3h |
| 9 | // |
| 10 | // Data Source: #DnsEvents |
| 11 | // |
| 12 | // Techniques: #CommandAndControl, #Exfiltration |
| 13 | // |
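// Returns the 10 ClientIP values that least frequently resolved v_IPAddress
// (SubType == "LookupQuery") within +-3h of suspiciousEventTime, together with
// the domain names each client resolved and its first/last observation time.
//   suspiciousEventTime: pivot time; the window searched is [pivot-3h, pivot+3h].
//   v_IPAddress:         remote IP address to look for in DnsEvents.IPAddresses.
// Output columns: StartTimeUtc, EndTimeUtc, ClientIP, IPAddresses, DomainNames.
let GetAllIPByClientIP = (suspiciousEventTime:datetime, v_IPAddress:string){
let v_StartTime = suspiciousEventTime-3h;
let v_EndTime = suspiciousEventTime+3h;
DnsEvents
| where TimeGenerated between (v_StartTime .. v_EndTime)
| where SubType == "LookupQuery"
// 'has' matches v_IPAddress as a whole term. The previous 'contains' was a
// substring match, so "10.0.0.1" also matched "10.0.0.10" or "110.0.0.1" and
// attributed unrelated clients to the pivot address. IPAddresses may hold
// several addresses in one row (delimiter not visible here), so a term match
// rather than an equality check is used.
| where IPAddresses has v_IPAddress
// make_set is the current name of the deprecated makeset alias; the output
// column is still named set_Name.
| summarize min(TimeGenerated), max(TimeGenerated), make_set(Name), count() by ClientIP, IPAddresses
| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, ClientIP, DomainNames = set_Name, IPAddresses, count_
// Ascending order keeps the least prevalent (rarest) querying clients.
| top 10 by count_ asc nulls last
| project StartTimeUtc, EndTimeUtc, ClientIP, IPAddresses, DomainNames
};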
// Pivot time and target remote address for this exploration run; replace the
// datetime literal and the "<ipaddress>" placeholder before executing.
let v_PivotTime = datetime('2019-02-05T10:36:07Z');
let v_TargetIPAddress = "<ipaddress>";
GetAllIPByClientIP(v_PivotTime, v_TargetIPAddress)