RareDNSLookupWithDataTransfer

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query helps identify rare DNS connections and resulting data transfer to/from the associated domain. It can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download.

Attribute Value
Type Hunting Query
Solution Standalone Content
ID 06c52a66-fffe-4d3b-a05a-646ff65b7ec2
Tactics CommandAndControl, Exfiltration
Techniques T1071, T1048
Required Connectors DNS, PaloAltoNetworks, AzureMonitor(WireData), AzureMonitor(VMInsights)
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
CommonSecurityLog DeviceVendor == "Palo Alto Networks" ?
DnsEvents ?
VMConnection ? ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
CefAma Common Event Format
CloudNSSAuditLogs_ccp Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp Zscaler Internet Access
CloudNSSDNSLogs_ccp Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp Zscaler Internet Access
CloudNSSFWLogs_ccp Zscaler Internet Access
CloudNSSTunnelLogs_ccp Zscaler Internet Access
CloudNSSWebLogs_ccp Zscaler Internet Access
DNS Windows Server DNS
VirtualMetricDirectorProxy VirtualMetric DataStream
VirtualMetricMSSentinelConnector VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream, Windows Server DNS, Zscaler Internet Access

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Hunting Queries