1. Home
  2. Mapping Frameworks
  3. Azure Home
  4. Alerts for DNS

Azure alerts_for_dns

Alerts for DNS detect and alert on suspicious or anomalous DNS activity in Azure resources. These alerts help identify potential threats like malware communicating with command and control servers, phishing attempts, or data exfiltration through DNS.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
alerts_for_dns Alerts for DNS detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect minimal T1071 Application Layer Protocol
Comments
Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect minimal T1090 Proxy
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect minimal T1572 Protocol Tunneling
Comments
Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect partial T1568 Dynamic Resolution
Comments
Can identify "random" DNS occurences which can be associated with domain generation algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positive/benign).
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect partial T1568.001 Fast Flux DNS
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect partial T1568.002 Domain Generation Algorithms
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns
alerts_for_dns Alerts for DNS detect significant T1071.004 DNS
Comments
Can alert on anomalies and misuse of the DNS protocol.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-dns