Azure alerts_for_dns Mappings

Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources and running advanced security analytics to alert you about suspicious activity.

Mappings

Capability ID    Capability Description    Category    Value        ATT&CK ID    ATT&CK Name
alerts_for_dns   Alerts for DNS            detect      partial      T1568        Dynamic Resolution
  Comments: Can identify "random" DNS occurrences, which can be associated with the Domain Generation Algorithms or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positives from benign names).
  References: none listed

alerts_for_dns   Alerts for DNS            detect      partial      T1568.001    Fast Flux DNS
  Comments: Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      partial      T1568.002    Domain Generation Algorithms
  Comments: Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      minimal      T1071        Application Layer Protocol
  Comments: Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      significant  T1071.004    DNS
  Comments: Can alert on anomalies and misuse of the DNS protocol.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      minimal      T1572        Protocol Tunneling
  Comments: Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      minimal      T1090        Proxy
  Comments: Can detect DNS activity to anonymity networks, e.g. Tor. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score.
  References: none listed

alerts_for_dns   Alerts for DNS            detect      minimal      T1048        Exfiltration Over Alternative Protocol
  Comments: Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score.
  References: none listed