diff --git a/Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml b/Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml
index 41219861b86..df989d23b3a 100644
--- a/Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml
+++ b/Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml
@@ -35,7 +35,7 @@ query: |
    | mv-expand ResourceIds
    | extend ResourceId = tostring(ResourceIds)
    | extend Dvc = strcat(split(Dvc, ".")[0])
-   | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName
+   | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName, SrcIPs = tostring(SrcIPs), IPCountthreshold = threshold, TotalIPs
    | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
 entityMappings:
@@ -70,5 +70,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: "[Static threshold] Multiple errors for the same DNS query has been detected - '{{DnsQuery}}'"
   alertDescriptionFormat: "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'"
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/DNS Essentials/Data/Solution_DNS.json b/Solutions/DNS Essentials/Data/Solution_DNS.json
index 8f737b2e233..dff7103c4ea 100644
--- a/Solutions/DNS Essentials/Data/Solution_DNS.json
+++ b/Solutions/DNS Essentials/Data/Solution_DNS.json
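Review bot: The `SrcIPs = tostring(SrcIPs)` added to the final summarize in the first hunk does not carry the list of clients the alert text promises: by that point `| mv-expand SrcIPs` (above the hunk; visible in the packaged copy of the same query in mainTemplate.json) has replaced the `SrcIPs` set with a single expanded element, so the `SrcIPs` custom detail holds the same one address as `SrcIP`, and the `{{SrcIPs}}` placeholder in `alertDescriptionFormat` lists one client per row rather than every client that reported errors for the query. Capture the set before it is expanded, e.g. `| extend SrcIPList = tostring(SrcIPs)` immediately before `| mv-expand SrcIPs`, and group on that column instead: `... DnsQuery, DomainName, SrcIPs = SrcIPList, IPCountthreshold = threshold, TotalIPs`. `TotalIPs` and `IPCountthreshold` are scalar per row and survive the expansion, so those two additions restore the `{{TotalIPs}}` and `{{IPCountthreshold}}` placeholders correctly. The `query` block starts above the hunk, so the `mv-expand` line to change is outside the lines shown here.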
@@ -33,7 +33,7 @@ "Hunting Queries/UnexpectedTopLevelDomains.yaml" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials", - "Version": "3.0.2", + "Version": "3.0.3", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/DNS Essentials/Package/3.0.3.zip b/Solutions/DNS Essentials/Package/3.0.3.zip new file mode 100644 index 00000000000..ad0af40767a Binary files /dev/null and b/Solutions/DNS Essentials/Package/3.0.3.zip differ diff --git a/Solutions/DNS Essentials/Package/mainTemplate.json b/Solutions/DNS Essentials/Package/mainTemplate.json index fbb2e386f35..a6c3286dac2 100644 --- a/Solutions/DNS Essentials/Package/mainTemplate.json +++ b/Solutions/DNS Essentials/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "DNS Essentials", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-dns-domain", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", @@ -184,7 +184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DNSSolutionWorkbook Workbook with template version 3.0.2", + "description": "DNSSolutionWorkbook Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -259,7 +259,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -285,6 +285,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -294,23 +295,23 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Total": "Total", - "AnomalyScore": "score", "baseline": "baseline", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "Total": "Total", + "AnomalyScore": "score" }, "alertDetailsOverride": { "alertDescriptionFormat": "This client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications.\n\nBaseline for 'NXDOMAIN' error count for this client: '{{baseline}}'\n\nCurrent 'NXDOMAIN' error count for this client: '{{Total}}'\n\nDNS queries requested by the client include:\n\n'{{DNSQueries}}'", 
@@ -369,7 +370,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -395,6 +396,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -404,21 +406,21 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "NXDOMAINCount": "NXDOMAINCount", "NXDOMAINthreshold": "NXDOMAINthreshold", + "NXDOMAINCount": "NXDOMAINCount", "DNSQueries": "DNSQueries" }, "alertDetailsOverride": { @@ -478,7 +480,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -504,6 +506,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -514,23 +517,23 @@ ], "entityMappings": [ { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ], - "entityType": "DNS" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "AnomalyScore": "score", "baseline": "baseline", + "TotalIPs": "TotalIPs", "SrcIps": "SrcIps", - "TotalIPs": "TotalIPs" + "AnomalyScore": "score" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nBaseline for total clients reporting errors for this DNS query: '{{baseline}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNS query include:\n'{{SrcIps}}'", @@ -589,7 +592,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -606,7 +609,7 @@ "description": "This rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.", "displayName": "Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)", "enabled": false, - "query": "let lookback=1h;\nlet threshold = 2;\nlet errors = dynamic(['NXDOMAIN', 'SERVFAIL', 'REFUSED']); \n_Im_Dns(starttime=ago(lookback)) \n | where EventResultDetails has_any (errors) \n | summarize SrcIPs = make_set(SrcIpAddr, 100), Dvcs = make_set(Dvc, 100), ResourceIds = make_set(_ResourceId, 100) by DnsQuery, bin(TimeGenerated, 10min) \n | where array_length(SrcIPs) >= threshold \n | extend TotalIPs = array_length(SrcIPs),IPCountthreshold = threshold \n | extend DomainName = strcat(split(DnsQuery, \".\")[1], \".\", split(DnsQuery, \".\")[2]) \n | mv-expand SrcIPs \n | extend SrcIP = tostring(SrcIPs) \n | mv-expand Dvcs \n | extend Dvc = tostring(Dvcs) \n | mv-expand ResourceIds \n | extend ResourceId = tostring(ResourceIds) \n | extend Dvc = strcat(split(Dvc, \".\")[0])\n | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName\n | extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", + "query": "let lookback=1h;\nlet threshold = 2;\nlet errors = dynamic(['NXDOMAIN', 'SERVFAIL', 'REFUSED']); \n_Im_Dns(starttime=ago(lookback)) \n | where EventResultDetails has_any (errors) \n | summarize SrcIPs = make_set(SrcIpAddr, 100), Dvcs = make_set(Dvc, 100), ResourceIds = make_set(_ResourceId, 100) by DnsQuery, bin(TimeGenerated, 10min) \n | where array_length(SrcIPs) >= threshold \n | extend TotalIPs = 
array_length(SrcIPs),IPCountthreshold = threshold \n | extend DomainName = strcat(split(DnsQuery, \".\")[1], \".\", split(DnsQuery, \".\")[2]) \n | mv-expand SrcIPs \n | extend SrcIP = tostring(SrcIPs) \n | mv-expand Dvcs \n | extend Dvc = tostring(Dvcs) \n | mv-expand ResourceIds \n | extend ResourceId = tostring(ResourceIds) \n | extend Dvc = strcat(split(Dvc, \".\")[0])\n | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName, SrcIPs = tostring(SrcIPs), IPCountthreshold = threshold, TotalIPs\n | extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -615,6 +618,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -625,62 +629,62 @@ ], "entityMappings": [ { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ], - "entityType": "DNS" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } - ], - "entityType": "AzureResource" + ] }, { + "entityType": "Url", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "Url" + "identifier": "Url", + "columnName": "DnsQuery" } - ], - "entityType": "Url" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "IPCountthreshold": "IPCountthreshold", + "TotalIPs": "TotalIPs", "SrcIPs": "SrcIPs", - "TotalIPs": "TotalIPs" + "IPCountthreshold": "IPCountthreshold" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'", 
@@ -739,7 +743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -765,6 +769,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -774,23 +779,23 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Total": "Total", - "AnomalyScore": "score", "baseline": "baseline", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "Total": "Total", + "AnomalyScore": "score" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nBaseline Domain or DNS query count from this client: '{{baseline}}'\n\nCurrent Domain or DNS query count from this client: '{{Total}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -849,7 +854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -875,6 +880,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -884,22 +890,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQueryCount": "DNSQueryCount", + "DNSQueryThreshold": "DNSQueryThreshold", "DNSQueries": "DNSQueries", - "DNSQueryThreshold": "DNSQueryThreshold" + "DNSQueryCount": "DNSQueryCount" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nDGA DNS query count baseline is: '{{DNSQueryThreshold}}'\n\nCurrent failed DNS query count from this client: '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -958,7 +964,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -984,6 +990,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], @@ -992,23 +999,23 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Total": "Total", - "AnomalyScore": "score", "baseline": "baseline", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "Total": "Total", + "AnomalyScore": "score" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client has been identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup count baseline for this client: '{{baseline}}'\n\nCurrent reverse DNS lookup count by this client showing as: '{{Total}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -1067,7 +1074,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1093,6 +1100,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], @@ -1101,22 +1109,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQueryCount": "DNSQueryCount", + "DNSQuerythreshold": "DNSQuerythreshold", "DNSQueries": "DNSQueries", - "DNSQuerythreshold": "DNSQuerythreshold" + "DNSQueryCount": "DNSQueryCount" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -1175,7 +1183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NgrokReverseProxyOnNetwork_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "NgrokReverseProxyOnNetwork_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1201,6 +1209,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -1211,22 +1220,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ], - "entityType": "IP" + ] }, { + "entityType": "DNS", "fieldMappings": [ { - "columnName": "Domain", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "Domain" } - ], - "entityType": "DNS" + ] } ], "eventGroupingSettings": { @@ -1285,7 +1294,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.2", + "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -1794,7 +1803,7 @@ "Initial version" ] }, - "lastUpdateTime": "2024-07-29T12:53:56.062Z" + "lastUpdateTime": "2024-11-28T15:50:54.325Z" } }, "packageKind": "Solution", 
@@ -1819,7 +1828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.2", + "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1904,7 +1913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1989,7 +1998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -2074,7 +2083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.2", + "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2159,7 +2168,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.2", + "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2244,7 +2253,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.2", + "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2329,7 +2338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2414,7 +2423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.2", + "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2499,7 +2508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.2", + "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -2584,7 +2593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -2665,7 +2674,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "DNS Essentials", diff --git a/Solutions/DNS Essentials/ReleaseNotes.md b/Solutions/DNS Essentials/ReleaseNotes.md index a0bbded51f1..85d58c17ef0 100644 --- a/Solutions/DNS Essentials/ReleaseNotes.md +++ b/Solutions/DNS Essentials/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 28-11-2024 | Update **Analytic Rule** MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml to fix bug | | 3.0.2 | 29-07-2024 | Update **Hunting Queries** to fix TTP | | 3.0.1 | 31-01-2023 | Updated the solution to fix **Analytic Rules** deployment issue | | 3.0.2 | 12-03-2024 | Added new **Analytic rule** and repackaged solution |