ACN_CD_InfobloxUpdate (#879)

* modified parser * parser update * revert changes * updated Type to Log_Type * feedback updates
2020-07-24 11:54:35 -07:00 · 2020-07-24 11:54:35 -07:00 · b916801572
--- a/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
@ -18,13 +18,19 @@ relevantTechniques:
  - T1008
 query: |

-  let timeframe = ago(1h);
+  let timeframe = 1h;
  let threshold = 200;
  InfobloxNIOS
-  | where TimeGenerated >= timeframe
-  | where LogType =~ "named" and Type =~ "client"
+  | where TimeGenerated >= ago(timeframe)
+  | where ProcessName =~ "named" and Log_Type =~ "client"
  | where isnotempty(ResponseCode)
  | where ResponseCode =~ "NXDOMAIN"
  | summarize count() by Client_IP, bin(TimeGenerated,15m)
  | where count_ > threshold
+  | join kind=inner (InfobloxNIOS
+      | where TimeGenerated >= ago(timeframe)
+      | where ProcessName =~ "named" and Log_Type =~ "client"
+      | where isnotempty(ResponseCode)
+      | where ResponseCode =~ "NXDOMAIN"
+      ) on Client_IP
  | extend timestamp = TimeGenerated, extend IPCustomEntity = Client_IP
--- a/Detections/InfobloxNIOS/PotentialDHCPStarvationAttack.yaml
+++ b/Detections/InfobloxNIOS/PotentialDHCPStarvationAttack.yaml
@ -17,11 +17,15 @@ relevantTechniques:
  - T1200
 query: |

-  let timeframe = ago(1h);
+  let timeframe = 1h;
  let threshold = 1000;
  InfobloxNIOS
-  | where TimeGenerated >= timeframe
-  | where LogType =~ "dhcpd" and Type =~ "DHCPREQUEST"
+  | where TimeGenerated >= ago(timeframe)
+  | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
  | summarize count() by ServerIP, bin(TimeGenerated,5m)
  | where count_ > threshold
-  | extend timestamp = TimeGenerated, HostCustomEntity = ServerIP
+  | join kind=inner (InfobloxNIOS
+      | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
+      | where TimeGenerated >= ago(timeframe)
+      ) on ServerIP
+  | extend timestamp = TimeGenerated, IPCustomEntity = ServerIP
--- a/Workbooks/InfobloxNIOS.json
+++ b/Workbooks/InfobloxNIOS.json
@ -235,7 +235,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Type == \"DHCPDISCOVER\"\r\n| summarize count() by Client_MAC_Address\r\n| top 10 by count_",
+        "query": "InfobloxNIOS\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where Log_Type == \"DHCPDISCOVER\"\r\n| summarize count() by Client_MAC_Address\r\n| top 10 by count_",
        "size": 0,
        "title": "Top 10 Clients by Requests",
        "timeContext": {
@ -279,7 +279,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS\r\n| where LogType == \"dhcpd\"\r\n| summarize count() by Network\r\n| distinct Network\r\n\r\n",
+        "query": "InfobloxNIOS\r\n| where ProcessName == \"dhcpd\"\r\n| summarize count() by Network\r\n| distinct Network\r\n\r\n",
        "size": 0,
        "title": "Top 10 Clients by Requests",
        "timeContext": {
@ -313,7 +313,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS \r\n| where LogType == \"named\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize count() by Computer, bin(TimeGenerated,15m)",
+        "query": "InfobloxNIOS \r\n| where ProcessName == \"named\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize count() by Computer, bin(TimeGenerated,15m)",
        "size": 0,
        "showAnnotations": true,
        "title": "DNS Activity by Server",
@ -337,7 +337,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS \r\n| where LogType == \"named\" and Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize Response = countif(isnotempty(ResponseCode)), Request = countif(isnotempty(QueryDomainName) and isempty(ResponseCode)), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
+        "query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| summarize Response = countif(isnotempty(ResponseCode)), Request = countif(isnotempty(QueryDomainName) and isempty(ResponseCode)), count() by bin(TimeGenerated, {TimeRange:grain})\r\n| project-away count_",
        "size": 0,
        "showAnnotations": true,
        "title": "DNS Requests vs Responses",
@ -365,7 +365,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS \r\n| where LogType == \"named\" and Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isnotempty(ResponseCode)\r\n| summarize count() by ResponseCode, bin(TimeGenerated, {TimeRange:grain})\r\n",
+        "query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isnotempty(ResponseCode)\r\n| summarize count() by ResponseCode, bin(TimeGenerated, {TimeRange:grain})\r\n",
        "size": 0,
        "title": "DNS Response Code",
        "timeContext": {
@ -408,7 +408,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS \r\n| where LogType == \"named\" and Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by Client_IP\r\n| top 10 by count_",
+        "query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by Client_IP\r\n| top 10 by count_",
        "size": 0,
        "title": "Top 10 DNS Request Clients",
        "timeContext": {
@ -454,7 +454,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "InfobloxNIOS \r\n| where LogType == \"named\" and Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by QueryDomainName\r\n| top 10 by count_",
+        "query": "InfobloxNIOS \r\n| where ProcessName == \"named\" and Log_Type == \"client\"\r\n| where Computer in ({InfobloxDevice}) or '*' in ({InfobloxDevice})\r\n| where isempty(ResponseCode) and isnotempty(QueryDomainName)\r\n| summarize count() by QueryDomainName\r\n| top 10 by count_",
        "size": 0,
        "title": "Top 10 DNS Request Domains",
        "timeContext": {