Aug 20 2020 - last edited on Dec 23 2021
For the last 2 weeks or so we have been getting a lot of DNS lookup queries, and events are being generated since the endpoints are trying to connect to random suspicious domains via the DNS servers to the internet. The number of events started to change drastically from the 7th of this month. In addition to that, we have been getting alerts from ASC on Sentinel saying that endpoints are trying to connect to random suspicious domains/sinkhole domains, and at times we are also getting alerts saying that network intrusion signature activation has been detected. However, there are no alerts from MDATP or any other tool related to this activity. We have tried troubleshooting this on our own as well as with MS; till now we haven't found anything.
There was an article saying that the updates for the month of July contained 2 zero-day vulnerabilities w.r.t. DNS servers and that a registry change would be required, which we are in the process of deploying.
We checked this internally as well, and it has been confirmed that no additional logging has been enabled on DNS.
Has anyone here faced this issue? Any help would be appreciated.
Thanking in anticipation
Aug 23 2020 01:15 PM - edited Aug 25 2020 05:21 AM
I assume you meant that for every KQL query executed in the LA workspace there are DNS queries/activity observed, correct?
What do the observed DNS lookup queries indicate in terms of FQDN/DNS records? And how did you establish that those DNS queries are related to queries executed in the Log Analytics workspace?
Aug 25 2020 06:53 AM
That post was written in a hurry, so let me try to post the exact scenario:
1) Random requests are getting generated from endpoint machines trying to connect to random suspicious domains. This has caused a surge in the number of requests made by endpoints via DNS servers to the internet.
2) These alerts are getting generated from ASC, and since it is connected with Sentinel, the alerts are getting replicated.
Using the DG algorithm we come across a new domain every time there is a new alert. Now the question here is that we do not have alerts from any other security tools; we tried scanning the machines, but the results came clean. Not all the alerts are from one location or one particular endpoint.
Just wanted to know if anyone here has faced something of this kind or would have suggestions as to how we can tackle these alerts, or if there were any changes recently made on ASC that we are not aware of.
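As an added example (not code from the thread or from Microsoft), here is one way to triage the pattern described above: score the queried domains for DGA-like labels (long, high-entropy, vowel-poor) and group the hits per endpoint and per domain, so that a domain shared by several endpoints stands out from one-off noise. The log lines, host names and thresholds are constructed assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines (timestamp, querying endpoint, queried FQDN);
# not real data from the thread.
SAMPLE_DNS_LOG = """\
2020-08-07T10:01:02Z WS-0143 login.microsoftonline.com
2020-08-07T10:01:05Z WS-0143 xk3q9vz0t1pbw.net
2020-08-07T10:01:09Z WS-0143 r8mfq2lz7hcdt.com
2020-08-07T10:01:11Z WS-0143 update.microsoft.com
2020-08-07T10:02:30Z WS-0221 portal.sharepoint.com
2020-08-07T10:02:31Z WS-0221 d4hq1lgz9wk2e.org
2020-08-07T10:02:33Z WS-0221 xk3q9vz0t1pbw.net
2020-08-07T10:03:00Z WS-0307 www.contoso.com
"""

def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(fqdn):
    """Second-level label, e.g. 'xk3q9vz0t1pbw' from 'xk3q9vz0t1pbw.net'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(fqdn, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumed starting values, not a vendor-published rule."""
    label = registrable_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def triage(log_text):
    """Return (DGA-like domains per endpoint, endpoints per DGA-like domain)."""
    by_host, by_domain = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        _ts, host, fqdn = line.split()
        if is_dga_like(fqdn):
            by_host[host].add(fqdn)
            by_domain[fqdn].add(host)
    return ({h: sorted(d) for h, d in by_host.items()},
            {d: sorted(h) for d, h in by_domain.items()})

if __name__ == "__main__":
    hosts, domains = triage(SAMPLE_DNS_LOG)
    for host, names in hosts.items():
        print(host, names)
    print("seen on more than one endpoint:", {d: h for d, h in domains.items() if len(h) > 1})
```

Feeding the same logic the DNS event export instead of the embedded sample gives a per-endpoint and per-domain view to compare against the ASC alert list.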
Aug 25 2020 07:05 AM
Oct 08 2020 08:00 AM
I am just wondering when the DNS lookup was put into preview in ASC and thus reports into Sentinel. As per below, I see a lot of this associated with:
1 - attempted communications with suspicious sinkholed domain
2 - network intrusion detections signature activated
They come hand in hand (as you would expect), but trying to establish the rationale for ASC reporting these and trying to establish the base for it is proving somewhat difficult. Any suggestions would be great - tks all