Nov 15 2021 04:53 AM - edited Nov 15 2021 04:54 AM
Trying to generate an alert where more than 10 TXT requests have been sent in 5 min, or where base64-encoded data has been sent in a TXT or AAAA DNS record.
| where (count_ >= 10 and TimeSpan <= timespan(00:05:00) and RecordType == "TXT")
    or (Domain matches regex "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
        and strlen(Domain) > 40 and RecordType in ("TXT", "AAAA"))
Nov 16 2021 01:46 AM
Maybe something like this?
let fakeCount = 10;   // placeholder for a real per-client count (e.g. from summarize count())
DnsEvents
| where
    // events from the last 5 minutes: ago(5m) is the lower bound, so the comparison is >
    (fakeCount <= 10 and TimeGenerated > ago(5m) and QueryType == 'AAAA')
    or
    (Name matches regex "[A-Za-z0-9]$" and strlen(Name) > 10 and QueryType in ('AAAA','TXT'))
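A fuller version of the two detections the question describes, as an added example that is not from either post in the thread. It assumes the Sentinel DnsEvents schema (TimeGenerated, ClientIP, Name, QueryType, SubType), a 5-minute bin and a threshold of 10 TXT queries per client; the lookback, window, threshold and label pattern are assumptions to tune.

```kusto
// Added example (not from the thread). Rule 1: a client sends >= threshold TXT
// queries within one 5-minute bin. Rule 2: the leftmost label of a TXT or AAAA
// query is long and drawn only from a base64-style alphabet.
let lookback  = 1h;
let window    = 5m;
let threshold = 10;
// '+' and '/' cannot appear in a hostname, so tunnelling tools usually use the
// base64url alphabet ('-' and '_'); the class covers both, with optional '=' padding.
let b64Label = @"^[A-Za-z0-9+/_-]+={0,2}$";
let burst = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery" and QueryType == "TXT"
    | summarize TxtCount = count(), Names = make_set(Name, 20)
        by ClientIP, bin(TimeGenerated, window)
    | where TxtCount >= threshold
    | extend Reason = strcat("TXT burst: ", TxtCount, " queries in ", window);
let encoded = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery" and QueryType in ("TXT", "AAAA")
    // test only the first label; the registered domain would dilute the check
    | extend FirstLabel = tostring(split(Name, ".")[0])
    | where strlen(FirstLabel) > 40 and FirstLabel matches regex b64Label
    | summarize EncodedCount = count(), Names = make_set(Name, 20)
        by ClientIP, bin(TimeGenerated, window)
    | extend Reason = strcat("base64-like label in ", EncodedCount, " queries");
burst
| union encoded
| project TimeGenerated, ClientIP, Reason, Names
```

Run the query in Sentinel as a scheduled analytics rule with a frequency matching the lookback; the Names set is capped at 20 per row so the alert stays readable.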