Azure-Sentinel/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiDnsTimeOut.yaml

id: 1e55cd44-36ee-47c5-98e6-7d6bb5f9cb37
name: Ubiquiti - DNS requests timed out
description: |
  'Query shows failed DNS requests due to timeout.'  
severity: Medium
requiredDataConnectors:
  - connectorId: UbiquitiUnifi
    dataTypes:
      - UbiquitiAuditEvent
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1572
  - T1041
  - T1071
query: |
  UbiquitiAuditEvent
  | where TimeGenerated > ago(24h)
  | where isnotempty(DnsQuery)
  | where EventMessage =~ 'DNS request timed out'
  | extend Name = DnsQuery  
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: Name