"DNS Analytics helps you to: identify clients that try to resolve malicious domain names, identify stale resource records, identify frequently queried domain names and talkative DNS clients, view request load on DNS servers, and view dynamic DNS registration failures. The solution collects, analyzes, and correlates Windows DNS analytic and audit logs and other related data from your DNS servers."
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071 | Application Layer Protocol | This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071.004 | DNS | This control can be used forensically to identify clients that communicated with identified C2 hosts. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568 | Dynamic Resolution | This control can be used for after-the-fact analysis of potential fast-flux DNS C2. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.001 | Fast Flux DNS | This control can be used for after-the-fact analysis of potential fast-flux DNS C2. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.002 | Domain Generation Algorithms | This control can be used for after-the-fact analysis of potential fast-flux DNS C2. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048 | Exfiltration Over Alternative Protocol | This control can identify anomalous / high talker DNS clients, possibly related to exfil via DNS. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | This control can potentially be used to forensically identify exfiltration via DNS protocol. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1041 | Exfiltration Over C2 Channel | This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566 | Phishing | This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing. |
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566.002 | Spearphishing Link | This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing. |