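id: fda90754-4e22-4bb1-8b99-2bb49a991eae
name: High reverse DNS count by host
description: |
  'Clients with a high reverse DNS count could be carrying out reconnaissance or discovery activity.'
requiredDataConnectors:
  - connectorId: DNS
    dataTypes:
      - DnsEvents
tactics:
  - Discovery
relevantTechniques:
  - T1046
query: |
  // Reverse (PTR) lookups are the DNS-visible side of a network sweep: one
  // client resolving many distinct reverse names inside the window is the
  // signal. `threshold` is a starting point, not a calibrated value -- tune
  // it per environment, since scanners, monitoring and log-collection hosts
  // routinely exceed it for legitimate reasons.
  let timeframe = 1d;
  let threshold = 10;
  DnsEvents
  | where TimeGenerated >= ago(timeframe)
  // in-addr.arpa is the IPv4 reverse zone; ip6.arpa is the IPv6 reverse zone.
  // Matching only the former silently misses IPv6 reverse lookups.
  | where Name contains "in-addr.arpa" or Name contains "ip6.arpa"
  // dcount() is an estimate (HyperLogLog), which is fine for a threshold this
  // coarse. ClientIPCount is the number of matching queries from the client,
  // not a count of IP addresses -- the column name is kept for compatibility.
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), NameCount = dcount(Name), Names = make_set(Name), ClientIPCount = count() by ClientIP
  | where NameCount > threshold
  // timestamp / IPCustomEntity feed the Sentinel entity mapping for the alert.
  | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP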