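# Azure Sentinel hunting query: surfaces clients issuing many distinct
# reverse-DNS (PTR) lookups, a pattern consistent with network discovery.
id: fda90754-4e22-4bb1-8b99-2bb49a991eae
name: High reverse DNS count by host
description: |
  'Clients with a high reverse DNS count could be carrying out reconnaissance or discovery activity.'
# The query reads the DnsEvents table delivered by the DNS connector;
# dataTypes belongs to that connector entry, not to the top level.
requiredDataConnectors:
  - connectorId: DNS
    dataTypes:
      - DnsEvents
tactics:
  - Discovery
relevantTechniques:
  - T1046
# threshold: number of distinct in-addr.arpa names a single client must
#   query before it is surfaced. Tune per environment - resolvers, mail
#   servers and monitoring hosts legitimately perform many PTR lookups.
# Only IPv4 reverse zones ("in-addr.arpa") are matched; IPv6 PTR lookups
# live under "ip6.arpa" and are not covered by this filter.
# ClientIPCount is count() per ClientIP, i.e. the number of matching
# DnsEvents rows from that client, not a count of IP addresses.
# Names carries every matched reverse name, which can be large for noisy
# clients; NameCount is the value compared against the threshold.
query: |
  let threshold = 10;
  DnsEvents
  | where Name has "in-addr.arpa"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NameCount = dcount(Name), Names = make_set(Name), ClientIPCount = count() by ClientIP
  | where NameCount > threshold
  | extend timestamp = StartTime, IPCustomEntity = ClientIP
# Maps the ClientIP column to an IP entity so results pivot on the
# querying host's address.
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP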