Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources and running advanced security analytics to alert you about suspicious activity.
| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| alerts_for_dns | Alerts for DNS | detect | partial | T1568 | Dynamic Resolution | Can identify "random" DNS name occurrences, which can be associated with the Domain Generation Algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positives from benign names). |
| alerts_for_dns | Alerts for DNS | detect | partial | T1568.001 | Fast Flux DNS | Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names. |
| alerts_for_dns | Alerts for DNS | detect | partial | T1568.002 | Domain Generation Algorithms | Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names. |
| alerts_for_dns | Alerts for DNS | detect | minimal | T1071 | Application Layer Protocol | Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score. |
| alerts_for_dns | Alerts for DNS | detect | significant | T1071.004 | DNS | Can alert on anomalies and misuse of the DNS protocol. |
| alerts_for_dns | Alerts for DNS | detect | minimal | T1572 | Protocol Tunneling | Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score. |
| alerts_for_dns | Alerts for DNS | detect | minimal | T1090 | Proxy | Can detect DNS activity to anonymity networks, e.g. Tor. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score. |
| alerts_for_dns | Alerts for DNS | detect | minimal | T1048 | Exfiltration Over Alternative Protocol | Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal, resulting in an overall Minimal score. |
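As an added example (not part of this mapping page and not Azure Defender for DNS's own logic), the Python below sketches the kind of "random" DNS name heuristic the T1568 notes describe, runs it over constructed sample query lines, and shows the false-positive caveat those notes raise: a benign CDN-style hostname scores as "random" and is only separated from the true hits by a suffix allowlist. The log line layout, the scoring weights and threshold, and the allowlist entry are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query lines in a simple "timestamp host query fqdn type"
# layout invented for this example (NOT Azure Defender for DNS output).
SAMPLE_QUERIES = [
    "2024-01-01T10:00:00Z vm-web-01 query www.microsoft.com A",
    "2024-01-01T10:00:01Z vm-web-01 query login.microsoftonline.com A",
    "2024-01-01T10:00:02Z vm-web-01 query xk3j9qz2mvt8wq1p.example.net A",
    "2024-01-01T10:00:03Z vm-db-02 query a0f3c29b8e1d4f6a.cdn.example.net A",
    "2024-01-01T10:00:04Z vm-db-02 query qpwoeirutyalskdj.info A",
    "2024-01-01T10:00:05Z vm-web-01 query mail.example.org MX",
]

# Constructed allowlist: suffixes known to serve random-looking but benign labels
# (CDN / cloud-provider style hostnames). Hypothetical value for the example.
BENIGN_SUFFIXES = ("cdn.example.net",)

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def label_score(label):
    """Heuristic randomness score for one DNS label (higher = more DGA-like).

    Starts from Shannon entropy and adds fixed bonuses for traits typical of
    generated names: few vowels, many digits, long length. Weights are assumed.
    """
    label = label.lower()
    if not label:
        return 0.0
    score = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    if vowel_ratio < 0.2:
        score += 1.0
    if digit_ratio >= 0.2:
        score += 1.0
    if len(label) >= 16:
        score += 0.5
    return score


def name_score(fqdn):
    """Highest label score over all labels except the final (TLD) label.

    Assumes single-label public suffixes; a production detector would consult
    the Public Suffix List instead of dropping only the last label.
    """
    labels = fqdn.rstrip(".").split(".")
    return max((label_score(lbl) for lbl in labels[:-1]), default=0.0)


def parse_query(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    return {"ts": parts[0], "host": parts[1], "fqdn": parts[3].lower(), "type": parts[4]}


def is_allowlisted(fqdn):
    """True when fqdn equals or sits under an allowlisted benign suffix."""
    return any(fqdn == s or fqdn.endswith("." + s) for s in BENIGN_SUFFIXES)


def analyze_queries(lines, threshold=4.0):
    """Return (flagged, suppressed): FQDNs scoring >= threshold, split by whether
    the allowlist suppressed them. Suppressed names are kept rather than dropped
    so an analyst can review what the allowlist hid."""
    flagged, suppressed = [], []
    for line in lines:
        q = parse_query(line)
        if q is None or name_score(q["fqdn"]) < threshold:
            continue
        (suppressed if is_allowlisted(q["fqdn"]) else flagged).append(q["fqdn"])
    return flagged, suppressed


if __name__ == "__main__":
    hits, hidden = analyze_queries(SAMPLE_QUERIES)
    for fqdn in hits:
        print(f"ALERT  random-looking name: {fqdn} (score {name_score(fqdn):.2f})")
    for fqdn in hidden:
        print(f"INFO   suppressed by allowlist: {fqdn} (score {name_score(fqdn):.2f})")
```

The hex-looking CDN label scores as high as the generated names, which is exactly the benign-"random"-name false positive the mapping notes warn about; a real deployment would tune the threshold and allowlist against its own baseline of legitimate traffic rather than rely on the entropy heuristic alone.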