After the recent public preview of our first ASIM-based domain solution, Network Session Essentials, today we are announcing a new DNS Essentials solution in public preview. This is a domain-centric essentials solution based on the Advanced Security Information Model (ASIM). It provides a set of generic out-of-the-box (OOTB) content specific to DNS security scenarios and supports 9 DNS products and services, including Windows Server DNS, Cisco Firewall, GCP DNS, Zscaler Internet Access (ZIA) and more. This means the same content from this solution works with multiple DNS products deployed in your organization, delivering more protection for your environment with less effort. Learn more about domain solutions that leverage ASIM.
Microsoft Sentinel has 285+ solutions in Content hub. These solutions not only connect data sources to ingest data into Microsoft Sentinel, but also provide out-of-the-box (OOTB) analytic rules, hunting queries, workbooks, playbooks, and more to help customers realize their end-to-end scenarios in Sentinel. Even though this approach lets customers integrate many different products into Microsoft Sentinel, it brings certain challenges. For example, there are multiple product solutions in the DNS domain category, such as Windows Server DNS, Cisco Firewall, GCP DNS, Zscaler and Infoblox NIOS. Their data ingest components differ by design, but there is a common pattern to the analytics, hunting queries, workbooks and so on within the same category. To take a specific example, most major DNS products share a common basic set of DNS alerts, including malicious domain requests from the internal network. Today, this analytic rule template is duplicated almost verbatim across each DNS product solution. Customers running several network products have to review and configure each copy of the rule individually, which is inefficient, and the duplicate rules cause alert fatigue when they fire. With OOTB content built on ASIM, one alert rule works across every DNS solution deployed in your organization.
Like other Microsoft Sentinel domain solutions, the DNS Essentials solution does not include a data connector. It depends on the source-specific connectors in the respective Microsoft Sentinel product solutions to pull in the logs. Install one or more of the prerequisite product solutions listed below and configure their data connectors to satisfy the underlying product dependencies and get the most out of this solution's content.
Note: As the parser coverage for this solution increases, this list will also increase.
This solution comes with eight anomaly- and threshold-based analytic rules, ten hunting queries, one playbook and one workbook.
The DNS Essentials domain solution is expected to handle data at a very high rate of events per second (EPS), and content that runs over such high-EPS data can suffer a performance impact, such as slow loading of workbooks or query results. To overcome this, we have created a summarization playbook which, when enabled, summarizes the source logs and stores them in a predefined table. The content of the essentials domain solutions does not query this table unless the summarization playbook has been enabled.
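The following added example (not the playbook's own code, which is an Azure Logic App) shows in Python what the summarization buys: constructed normalized DNS events, using ASIM DNS field names, are rolled up into hourly rows, and a hypothetical threshold rule is evaluated over the far smaller summary instead of the raw events. The summary columns `EventCount` and `DistinctQueries`, the hourly bin, the rule and its threshold are assumptions for the illustration; the page does not describe the real summary table's schema.

```python
"""Added illustration of the summarization idea: raw normalized DNS events are
rolled up into an hourly summary table, and a threshold rule reads the summary."""
from collections import Counter
from datetime import datetime


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed normalized events, as a unifying DNS parser would return them:
# one internal host producing 50 NXDOMAIN answers for distinct names in one hour,
# another host repeating the same successful lookup, and a lone event an hour later.
RAW_EVENTS = (
    [{"TimeGenerated": _ts(f"2024-05-01T10:{m:02d}:00Z"), "SrcIpAddr": "10.1.2.3",
      "DnsQuery": f"h{m}.contoso.com", "DnsResponseCodeName": "NXDOMAIN"} for m in range(50)]
    + [{"TimeGenerated": _ts("2024-05-01T10:05:00Z"), "SrcIpAddr": "10.1.2.4",
        "DnsQuery": "www.contoso.com", "DnsResponseCodeName": "NOERROR"}] * 30
    + [{"TimeGenerated": _ts("2024-05-01T11:00:00Z"), "SrcIpAddr": "10.1.2.3",
        "DnsQuery": "www.contoso.com", "DnsResponseCodeName": "NOERROR"}]
)


def summarize(events):
    """Roll events up into one row per (hour, SrcIpAddr, DnsResponseCodeName)
    carrying the request count and the number of distinct names asked for.
    This is the shape of work the summarization playbook does on a schedule."""
    counts = Counter()
    names = {}
    for e in events:
        hour = e["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
        key = (hour, e["SrcIpAddr"], e["DnsResponseCodeName"])
        counts[key] += 1
        names.setdefault(key, set()).add(e["DnsQuery"])
    return [
        {"TimeGenerated": k[0], "SrcIpAddr": k[1], "DnsResponseCodeName": k[2],
         "EventCount": c, "DistinctQueries": len(names[k])}
        for k, c in counts.items()
    ]


def high_nxdomain_sources(summary_rows, threshold=40):
    """Hypothetical threshold rule evaluated against the summary table only:
    sources with more than `threshold` NXDOMAIN answers within one hour."""
    return sorted(
        (r["SrcIpAddr"], r["EventCount"])
        for r in summary_rows
        if r["DnsResponseCodeName"] == "NXDOMAIN" and r["EventCount"] > threshold
    )


if __name__ == "__main__":
    rows = summarize(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(rows)} summary rows")
    print("threshold hits:", high_nxdomain_sources(rows))
```

The 81 raw events collapse to three summary rows, and the rule reads those rows rather than scanning the raw table; that is the trade the playbook makes, at the cost of the extra storage mentioned in the note below. Because the summary is pre-aggregated, a rule that needs per-event detail (exact query names, response IPs) must still go to the raw table.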
Please be aware that after the 'Summarize DNS Data' playbook is deployed, you must authorize the "Azure Monitor Logs" and "Azure Log Analytics Data Collector" API connections. The screenshot below depicts the API connections that need to be authorized after the playbook is installed.
Note: Additional charges might apply for Azure Logic apps. For more information, see the Azure Logic Apps pricing page. Additional charges might also apply for storage of the summarized data.
This solution provides one workbook, the DNS solution workbook, which covers details for the events listed below.
This solution is available in Content hub like any other solution. Search for the solution and click Install. Before installing it, make sure that at least one of the prerequisite source-specific solutions listed below is already installed and that the respective data connector(s) are configured.
All the content, including the analytic rule templates, hunting queries, playbook and workbook, can be managed from the Content hub manage view and is also available in the respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.