Detection rules › Kusto Query Language
Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
This rule identifies clients that issue an unusually high number of reverse DNS (PTR) lookups, behaviour that can indicate reconnaissance or discovery activity and so helps surface the early phases of an attack. The rule uses ASIM normalization and applies to any source that supports the ASIM DNS schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1590 Gather Victim Network Information |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: source (`_Im_Dns`)
Stage 2: summarize
Stage 3: where (`DNSQueryCount gt threshold`: the per-client reverse lookup count exceeds the rule's static threshold parameter)
Stage 4: project
Stage 5: join
Stage 6: join
Stage 7: extend
Stage 8: project-away
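The stage list above only names operators. The query below is an added example, written for this page and not the catalog rule's own KQL, that walks the same pipeline (source, summarize, where, project, join, join, extend, project-away) end to end. Everything not stated on the page is an assumption: the PTR-type filter used to isolate reverse lookups, the 1-day detection window and 14-day baseline, the static threshold value of 50, the definition of "rare" as a client with no reverse lookups in the baseline, and the enrichment and entity columns added at the end.

```kql
// Added example: an illustrative reconstruction of the rule's stage pipeline.
// Not the rule's own query. Assumed: PTR filter, 1d window vs. 14d baseline,
// threshold = 50, "rare" = no PTR activity in the baseline, enrichment columns.
let lookback = 14d;          // baseline period (assumed)
let window = 1d;             // detection window (assumed)
let threshold = 50;          // static threshold (assumed value)
// Stages 1-4: source, summarize per client, static threshold, project.
let recentClients =
    _Im_Dns(starttime=ago(window), endtime=now())
    // Reverse lookups are PTR queries; covers both in-addr.arpa and ip6.arpa.
    | where DnsQueryTypeName == "PTR"
    | summarize DNSQueryCount = count(), min(TimeGenerated), max(TimeGenerated) by SrcIpAddr
    | where DNSQueryCount > threshold
    | project SrcIpAddr, DNSQueryCount, StartTime = min_TimeGenerated, EndTime = max_TimeGenerated;
// Baseline: clients that already performed reverse lookups before the window.
let baselineClients =
    _Im_Dns(starttime=ago(lookback), endtime=ago(window))
    | where DnsQueryTypeName == "PTR"
    | summarize by SrcIpAddr;
recentClients
// Stage 5: leftanti keeps only clients with no baseline match, i.e. rare clients.
| join kind=leftanti baselineClients on SrcIpAddr
// Stage 6: enrich the surviving clients with a sample of the names they queried.
| join kind=leftouter (
    _Im_Dns(starttime=ago(window), endtime=now())
    | where DnsQueryTypeName == "PTR"
    | summarize SampleQueries = make_set(DnsQuery, 10) by SrcIpAddr
  ) on SrcIpAddr
// Stage 7: add entity-mapping and context columns for the alert.
| extend IPCustomEntity = SrcIpAddr, Threshold = threshold
// Stage 8: drop the duplicate key column produced by the second join.
| project-away SrcIpAddr1
```

Before enabling a query like this, tune the threshold against the environment: mail relays, log-enrichment pipelines, vulnerability scanners and monitoring hosts legitimately issue large volumes of PTR queries, so either allowlist them with a `where SrcIpAddr !in (...)` step after the summarize or raise the threshold until those known sources drop out. The two `_Im_Dns` calls with `starttime`/`endtime` are what let the parser prune by time before filtering, which matters for the cost of the 14-day baseline scan.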
Indicators
Each row is a field, operator, and value that the rule matches. Where a corpus count is shown, it is the number of other rules in the catalog that look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DNSQueryCount | gt | threshold (the rule's static threshold parameter; no fixed value) |