Blog Post

Microsoft Sentinel Blog
4 MIN READ

What’s New: Introducing Microsoft Sentinel DNS Essentials solutions.

kavishbakshi's avatar
kavishbakshi
Icon for Microsoft rankMicrosoft
Apr 24, 2023

After the recent public preview of our first ASIM based domain Network session essential solution today, we are announcing a new DNS Essentials solution in Public Preview. This is a domain-centric essentials solution based on Advanced Security Information Model (ASIM).   This solution provides a set of generic OOTB (out-of-the-box) content, specific to DNS security scenarios and supports 9 DNS products and services including Windows Server DNS, Cisco Firewall, GCP DNS, Zscaler Internet access (ZIA) and more. This means the same content from this solution can work with multiple DNS products deployed in your organization, hence delivering more value to protect your environment with less.  Learn more about domain solutions that leverage ASIM.  

Microsoft Sentinel has 285+ solutions in Content hub. These solutions enable customers to not only connect their data sources to ingest data in Microsoft Sentinel, but also provide out-of-the-box (OOTB) analytic rules, hunting queries, workbooks, playbooks, and more to help customers realize their E2E scenarios in Sentinel. Even though this approach enables customers to integrate different products in Microsoft Sentinel, there are certain challenges customers face. For example, there are multiple product solutions for the DNS domain category, like Windows server DNS, Cisco Firewall, GCP DNS, Zscaler, Infoblox NIOS. These have differing data ingest components by design, but there’s a certain pattern to the analytics, hunting, workbooks, etc. within the same category. To take a specific example, most of the major DNS products have a common basic set of DNS alerts that includes malicious domain requests from internal network. Currently, this analytic rule template is pretty much duplicated for each networking-DNS category of product solutions. Customers need to check and then configure multiple analytic rules individually if they are running multiple network products, which is inefficient. Furthermore, this results in alert fatigue when alerts do fire. With the OOTB content built using ASIM, the same alert rule can work across multiple DNS solutions deployed in your organization.   

  

Key value: -  

  1. Data normalization using ASIM schema  
  2. Query time parsing  
  3. At scale data / incident handling  
  4. Easier usecase deployment and incident handling  
  5. More value with less content to manage 
  6. Consolidated workbook views 
  7. Source agnostic content    

Prerequisites: -    

DNS Essentials solution like other Microsoft Sentinel domain solutions doesn’t include a data connector. It depends on the source specific connectors in respective Microsoft Sentinel product solutions to pull in the logs. Install one or more of the prerequisite product solutions listed below. Configure the respective data connectors to meet the underlying product dependency needs and to enable better usage of this solution content. 

  1. Windows Server DNS 
  2. Azure Firewall 
  3. Cisco Umbrella 
  4. Corelight Zeek 
  5. Google Cloud Platform DNS 
  6. Infoblox NIOS 
  7. SC Bind
  8. Vectra AI 
  9. Zscaler Internet Access 

Note: As the parser coverage for this solution increases, this list will also increase.   

  

OOTB content offered: -  

  This solution comes with eight anomaly and threshold based analytic rules, ten hunting queries, one playbook and one workbook, 

 Analytics rules:  

  • Detect DNSQueries reporting multiple errors (Anomaly based) 
  • Detect DNSQueries reporting multiple errors (Threshold based) 
  • Detect excessive NXDOMAIN DNS queries (Anomaly based) 
  • Detect excessive NXDOMAIN DNS queries (Threshold based) 
  • Potential Domain Generation Algorithm (DGA) detected via repetitive failures (Anomaly based) 
  • Potential Domain Generation Algorithm (DGA) detected via repetitive failures (Threshold based) 
  • Rare client observed with high DNS reverse lookup (Anomaly based)  
  • Rare client observed with high DNS reverse lookup (Threshold based) 

Hunting queries:  

  • Top 25 DNS queries with most failures  
  • Unexpected top-level domains  
  • CVE-2020-1350 (SIGRED) exploitation pattern 
  • Anomalous Increase in DNS activity by Client 
  • Top 25 Domains with large number of Subdomains 
  • Connection to Unpopular Website Detected 
  • Increase in DNS Requests by Client than the daily average count 
  • Top 25 Sources (Clients) with high number of errors in last 24 hours 
  • Potential beaconing activity 
  • Possible DNS Tunneling or Data Exfiltration Activity 

 Summarization playbook:    

The DNS essential domain solution is expected to handle data of very high events per second (EPS), and when we have content that is using such high EPS of data there can be some performance impact that can cause slow loading of workbooks or query results. To overcome this, we have created this summarization playbook, when enabled, summarizes the source logs and store it into a predefined table all the content of essential domain solutions does not query this table unless one has enabled the summarization playbook.  

Please be aware that after your ‘Summarize DNS Data’ playbook is deployed, you must authorize "Azure Monitor Logs" and "Azure Log Analytics Data Collector" API connections. The below screenshot depicts the API connection, which needs to be authorized post playbook installation. 

 

 

  

Note: Additional charges might apply for Azure Logic apps. For more information, see the Azure Logic Apps pricing page. Additional charges might also apply for storage of the summarized data.        

  

Workbook:   

This solution provides one workbook DNS solution workbook which covers details for the following listed events.  

  • DNS overview 
  • Top queries  
  • Investigate 

Getting started: -    

This solution is available on content hub like any other solution. Search the solution and click on install, make sure any of the below listed prerequisite source specific solution(s) are already installed and the respective data connector(s) configured, before installing this solution.  

 

 

 

 

 

    

All the content like analytical rule template, hunting query, playbook, workbook can be managed from content hub manage view and will also be available in respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.   

 

  

 

 
 

Updated Apr 24, 2023
Version 2.0