1. Home
  2. Mapping Frameworks
  3. Azure Home
  4. Azure DNS Analytics

Azure azure_dns_analytics Mappings

"DNS Analytics helps you to: identify clients that try to resolve malicious domain names, identify stale resource records, identify frequently queried domain names and talkative DNS clients, view request load on DNS servers, and view dynamic DNS registration failures. The solution collects, analyzes, and correlates Windows DNS analytic and audit logs and other related data from your DNS servers."

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
azure_dns_analytics Azure DNS Analytics detect minimal T1071 Application Layer Protocol
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS.
References
  1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
azure_dns_analytics Azure DNS Analytics detect minimal T1071.004 DNS
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts.
References
    azure_dns_analytics Azure DNS Analytics detect minimal T1568 Dynamic Resolution
    Comments
    This control can be used for after-the-fact analysis of potential fast-flux DNS C2
    References
    1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
    azure_dns_analytics Azure DNS Analytics detect minimal T1568.001 Fast Flux DNS
    Comments
    This control can be used for after-the-fact analysis of potential fast-flux DNS C2
    References
      azure_dns_analytics Azure DNS Analytics detect minimal T1568.002 Domain Generation Algorithms
      Comments
      This control can be used for after-the-fact analysis of potential fast-flux DNS C2
      References
        azure_dns_analytics Azure DNS Analytics detect minimal T1048 Exfiltration Over Alternative Protocol
        Comments
        This control can identify anomalous / high talker DNS clients, possibly related to exfil via DNS
        References
        1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
        azure_dns_analytics Azure DNS Analytics detect minimal T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Comments
        This control can potentially be used to forensically identify exfiltration via DNS protocol.
        References
          azure_dns_analytics Azure DNS Analytics detect minimal T1041 Exfiltration Over C2 Channel
          Comments
          This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.
          References
          1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
          azure_dns_analytics Azure DNS Analytics detect minimal T1566 Phishing
          Comments
          This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
          References
          1. https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics
          azure_dns_analytics Azure DNS Analytics detect minimal T1566.002 Spearphishing Link
          Comments
          This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
          References