Azure DNS Zone Modified or Deleted
Identifies when DNS zone is modified or deleted.
Sigma rule (View on GitHub)
1title: Azure DNS Zone Modified or Deleted
2id: af6925b0-8826-47f1-9324-337507a0babd
3status: test
4description: Identifies when DNS zone is modified or deleted.
5references:
6 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
7author: Austin Songer @austinsonger
8date: 2021-08-08
9modified: 2022-08-23
10tags:
11 - attack.impact
12 - attack.t1565.001
13logsource:
14 product: azure
15 service: activitylogs
16detection:
17 selection:
18 operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'
19 operationName|endswith:
20 - '/WRITE'
21 - '/DELETE'
22 condition: selection
23falsepositives:
24 - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25 - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: medium
References
Related rules
- Azure Device or Configuration Modified or Deleted
- Cisco Denial of Service
- Commands to Clear or Remove the Syslog - Builtin
- History File Deletion
- Potential Suspicious Change To Sensitive/Critical Files