Validating Microsoft Defender for DNS Alerts

Published Mar 22 2021 08:41 AM
Microsoft

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.


The Microsoft Defender for DNS plan provides threat detection for Azure resources connected to Azure DNS. The intent is to detect malicious communication originating from an Azure resource, as well as malicious DNS servers trying to compromise an Azure resource. To learn more about Azure Defender for DNS, read our official documentation. You can enable Microsoft Defender for DNS on your subscription via the Microsoft Defender for Cloud environment settings: select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

[Image: DNSplan.jpg – Defender for DNS plan set to ON in the environment settings]

Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

  1. Provision a new VM and keep the default TCP/IP configuration (by default, all VMs use Azure DNS).
  2. Connect to this machine using RDP.
  3. Create a file on this machine called DNSAlertSim.ps1 and paste the content below into it:

# Look up names that resemble known suspicious infrastructure: a Tor web gateway,
# an Ethereum node-discovery name, a brand lookalike and a random-looking name.
Resolve-DnsName bbcnewsv2vjtpsuy.onion.to
Resolve-DnsName all.mainnet.ethdisco.net
Resolve-DnsName micros0ft.com
Resolve-DnsName 164e9408d12a701d91d206c6ab192994.info

# Build a random lowercase label of the requested length (ASCII 97..122 is a-z).
# The original "(97..122) | Get-Random -Count N" form never yields more than 26
# characters, because Get-Random -Count does not repeat elements of its input.
function New-RandomLabel([int]$Length) {
    -join (1..$Length | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
}

# A burst of lookups for random 32-character second-level domains.
For ($i = 0; $i -le 150; $i++) {
    Resolve-DnsName "$(New-RandomLabel 32).com"
}

# One, then a flood of, 63-character random subdomains (63 is the maximum DNS label length).
Resolve-DnsName "$(New-RandomLabel 63).contoso.com"

For ($i = 0; $i -le 1000; $i++) {
    Resolve-DnsName "$(New-RandomLabel 63).contoso.com"
}

# An I2P reseed server name.
Resolve-DnsName reseed.i2p-projekt.de

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')

  4. Save this file.
  5. Execute DNSAlertSim.ps1.

After a few minutes you should see Microsoft Defender for DNS alerts showing up on your dashboard, similar to the one below:

[Image: Fig2.JPG – Defender for DNS alerts shown on the dashboard]

For a complete list of all analytics available for Microsoft Defender for DNS, read this documentation.
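The behaviours the script above produces (a brand lookalike, a burst of random-looking second-level domains and 63-character labels) are the same ones a defender can look for in their own DNS query logs. As an added example, not part of the original post and not how Defender for DNS itself works, the following Python runs three simple heuristics over a constructed query log; the log format, watchlist and thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (client, queried name, response code); not real telemetry.
SAMPLE_LOG = """\
vm1 www.microsoft.com NOERROR
vm1 micros0ft.com NOERROR
vm1 qwertyuiopasdfghjklzxcvbnm.com NXDOMAIN
vm1 mnbvcxzlkjhgfdsapoiuytrewq.com NXDOMAIN
vm1 zaqxswcdevfrbgtnhymjukilop.com NXDOMAIN
vm1 abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.contoso.com NXDOMAIN
vm1 mail.contoso.com NOERROR
vm2 login.microsoftonline.com NOERROR
"""

# Constructed watchlist of lookalike names (illustrative only).
WATCHLIST = {"micros0ft.com"}

def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Return (client, name, rcode) tuples from the whitespace-separated log."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def classify(name):
    """Return the heuristic tags that apply to one queried name."""
    labels = name.lower().rstrip(".").split(".")
    tags = []
    if name.lower() in WATCHLIST:
        tags.append("watchlist")
    # Very long labels are a classic tunnelling indicator (63 is the maximum label length).
    if any(len(label) >= 40 for label in labels):
        tags.append("long_label")
    # A long, high-entropy leftmost label with no word-like structure looks generated.
    if len(labels[0]) >= 16 and shannon_entropy(labels[0]) >= 4.0:
        tags.append("high_entropy")
    return tags

def analyze(text, dga_burst=3):
    """Per-client findings, plus a burst flag when one client produces several
    high-entropy lookups that fail to resolve (NXDOMAIN), as a DGA does."""
    findings = defaultdict(list)
    nx_high = Counter()
    for client, name, rcode in parse_log(text):
        tags = classify(name)
        if tags:
            findings[client].append((name, tags))
        if "high_entropy" in tags and rcode == "NXDOMAIN":
            nx_high[client] += 1
    for client, count in nx_high.items():
        if count >= dga_burst:
            findings[client].append(("*", ["possible_dga_burst"]))
    return dict(findings)
```

Running analyze(SAMPLE_LOG) reports vm1 only: the lookalike, the three random .com names, the 63-character label (tagged both long and high-entropy) and a burst flag, while vm2's ordinary lookup produces nothing.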


Reviewers

Tal Rosler, Program Manager

Script by John Booth, Senior Software Engineer

Last update: Oct 24 2021 01:56 AM