Hunting Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.txt
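// Name: DNS Full Name anomalous lookup increase

// Description:
// Checking for a threefold increase or more of Full Name lookup per ClientIP for today based on daily average for the previous week.
// This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network.
// This is only Name lookups, so it would be recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the interesting requests.

// Data Source: DNS Events

// Tags: #C2, #Exfiltration

// Baseline: per (ClientIP, Name) lookup counts over the 7 calendar days ending at the start of yesterday,
// with weekends dropped and the total divided by 5 to give a per-weekday average.
DnsEvents
| where TimeGenerated >= startofday(ago(8d)) and TimeGenerated < startofday(ago(1d)) //setting to 00:00:00 for the given days ago; half-open upper bound so the boundary instant is not counted again in the current window below
| where SubType == "LookupQuery"
| extend DayNumberofWeek = tostring(dayofweek(TimeGenerated)) //dayofweek() is a timespan; as a string it is "00:00:00" for Sunday, "1.00:00:00" for Monday ... "6.00:00:00" for Saturday
| extend DayofWeek = case( //map the timespan string to a day name so that certain days can be excluded from the baseline if needed
    DayNumberofWeek == "00:00:00",   "Sunday",
    DayNumberofWeek == "1.00:00:00", "Monday",
    DayNumberofWeek == "2.00:00:00", "Tuesday",
    DayNumberofWeek == "3.00:00:00", "Wednesday",
    DayNumberofWeek == "4.00:00:00", "Thursday",
    DayNumberofWeek == "5.00:00:00", "Friday",
    DayNumberofWeek == "6.00:00:00", "Saturday",
    DayNumberofWeek)
| where DayofWeek !in ("Saturday", "Sunday") //example of excluding Saturday and Sunday in Average as those are potentially low volume and decrease the average, feel free to change
| summarize count() by ClientIP, Name
| project ClientIP, FullNameLookup = Name, DailyAvgLookupCountOverLastWeek = count_ /5 // average is across 5 days as we are dropping weekends, change as needed
// Current window: everything from the start of yesterday up to now (no upper bound), so it can cover up to ~48h of lookups.
// NOTE(review): if a strict 24h "today" is intended, use startofday(now()) here and move the baseline end to match.
| join ( DnsEvents
    | where TimeGenerated >= startofday(ago(1d))
    | where SubType == "LookupQuery"
    | summarize count() by ClientIP, FullNameLookup = Name
    | project ClientIP, LookupCountToday = count_, FullNameLookup
    ) on ClientIP, FullNameLookup
// Default join is inner (innerunique): a (ClientIP, Name) pair with no baseline row, i.e. first seen in the current window, is dropped rather than flagged.
| where LookupCountToday > ( DailyAvgLookupCountOverLastWeek * 3) and LookupCountToday >= 1000 // limit to over 1000 lookups somewhat random but helps focus in on higher lookups, change as needed
| project ClientIP , LookupCountToday , DailyAvgLookupCountOverLastWeek, FullNameLookup
| order by LookupCountToday desc nulls last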