Merge pull request #11504 from Azure/v-shukore/DNS-Essentials-bug---A…

…nalytic-Rule-Issue

Packaged solution to resolve analytic rule bug

Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml

@@ -35,7 +35,7 @@ query: |
     | mv-expand ResourceIds  
     | extend ResourceId = tostring(ResourceIds)  
     | extend Dvc = strcat(split(Dvc, ".")[0])
-    | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName
+    | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName, SrcIPs = tostring(SrcIPs), IPCountthreshold = threshold, TotalIPs
     | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
     | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
 entityMappings: 
@@ -70,5 +70,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: "[Static threshold] Multiple errors for the same DNS query has been detected - '{{DnsQuery}}'"
   alertDescriptionFormat: "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'"
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled

Solutions/DNS Essentials/Data/Solution_DNS.json

@@ -33,7 +33,7 @@
     "Hunting Queries/UnexpectedTopLevelDomains.yaml"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false