25 строки
633 B
YAML
Executable File
25 строки
633 B
YAML
Executable File
id: 1823db08-2ba4-4624-900f-9be0f950ea57
|
|
name: Google DNS - Unexpected top level domains
|
|
description: |
|
|
'Query searches for unexpected TLDs.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: GCPDNSDataConnector
|
|
dataTypes:
|
|
- GCPCloudDNS
|
|
tactics:
|
|
- CommandAndControl
|
|
relevantTechniques:
|
|
- T1095
|
|
query: |
|
|
GCPCloudDNS
|
|
| where TimeGenerated > ago(24h)
|
|
| extend tld = extract(@'.*\.(\w+)\.$', 1, Query)
|
|
| where strlen(tld) > 4
|
|
| extend IPCustomEntity = SrcIpAddr
|
|
entityMappings:
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|