Azure-Sentinel/Solutions/GoogleCloudPlatformDNS/Analytic Rules/GCPDNSDataExfiltration.yaml

id: 705bed63-668f-4508-9d2d-26faf4010700
name: Google DNS - Possible data exfiltration
description: |
  'Detects possible data exfiltration.'  
severity: High
requiredDataConnectors:
  - connectorId: GCPDNSDataConnector
    dataTypes:
      - GCPCloudDNS
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1567
query: |
  GCPCloudDNS
  | where Query has 'webhook.site'
  | extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr  
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DNSCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled