28 строки
730 B
YAML
Executable File
28 строки
730 B
YAML
Executable File
id: 53b91d17-f6a7-4439-8d9a-0aebf0abeea2
|
|
name: Google DNS - Requests to TOR resources
|
|
description: |
|
|
'Query searches for requests to TOR resources.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: GCPDNSDataConnector
|
|
dataTypes:
|
|
- GCPCloudDNS
|
|
tactics:
|
|
- CommandAndControl
|
|
relevantTechniques:
|
|
- T1095
|
|
query: |
|
|
GCPCloudDNS
|
|
| where TimeGenerated > ago(24h)
|
|
| where Query endswith '.onion'
|
|
| extend DNSCustomEntity = Query, IPCustomEntity = SrcIpAddr
|
|
entityMappings:
|
|
- entityType: DNS
|
|
fieldMappings:
|
|
- identifier: DomainName
|
|
columnName: DNSCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|