Azure azure_dns_analytics

Azure DNS Analytics helps to identify clients that try to resolve malicious domain names, identify stale resource records, identify frequently queried domain names and talkative DNS clients, view request load on DNS servers, and view dynamic DNS registration failures. The solution collects, analyzes, and correlates Windows DNS analytic and audit logs and other related data from DNS servers.

Mappings

Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1041 | Exfiltration Over C2 Channel
  Comments: This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048 | Exfiltration Over Alternative Protocol
  Comments: This control can identify anomalous or high-talker DNS clients, possibly related to exfiltration via DNS.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol
  Comments: This control can potentially be used to forensically identify exfiltration via the DNS protocol.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071 | Application Layer Protocol
  Comments: This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071.004 | DNS
  Comments: This control can be used forensically to identify clients that communicated with identified C2 hosts.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566 | Phishing
  Comments: This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566.002 | Spearphishing Link
  Comments: This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568 | Dynamic Resolution
  Comments: This control can be used for after-the-fact analysis of potential fast-flux DNS C2.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.001 | Fast Flux DNS
  Comments: This control can be used for after-the-fact analysis of potential fast-flux DNS C2.

azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.002 | Domain Generation Algorithms
  Comments: This control can be used for after-the-fact analysis of potential fast-flux DNS C2.