Detection rules › Panther
Malicious SSO DNS Lookup
The rule looks for DNS requests to sites potentially posing as SSO domains.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566 Phishing |
Rule body yaml
AnalysisType: rule
Filename: malicious_sso_dns_lookup.py
RuleID: "Standard.MaliciousSSODNSLookup"
DedupPeriodMinutes: 1440 # dedup & threshold is high to prevent alert storms from FPs
DisplayName: "Malicious SSO DNS Lookup"
Enabled: false
LogTypes:
- CiscoUmbrella.DNS
- Crowdstrike.DNSRequest
- Crowdstrike.FDREvent
- Suricata.DNS
- Zeek.DNS
Severity: Medium
Threshold: 1000 # dedup & threshold is high to prevent alert storms from FPs
Tags:
- Configuration Required
Reports:
MITRE ATT&CK:
- TA0001:T1566
Description: The rule looks for DNS requests to sites potentially posing as SSO domains.
Runbook: Verify if the destination domain is owned by your organization.
Reference: https://www.cloudns.net/wiki/article/254/#:~:text=A%20DNS%20query%20(also%20known,associated%20with%20a%20domain%20name
SummaryAttributes:
- p_any_ip_addresses
Tests:
- Name: Known Good SSO Domain
ExpectedResult: False
Log:
{
"ContextProcessId": "440890253753908704",
"ContextThreadId": "0",
"ContextTimeStamp": "2022-08-31 07:03:48.879",
"DomainName": "company_name_here.okta.com",
"EffectiveTransmissionClass": 2,
"Entitlements": "15",
"RequestType": "1",
"event_platform": "Mac",
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV2",
"p_any_domain_names": ["company_name_here.okta.com"],
"timestamp": "2022-08-31 07:03:49.195",
}
- Name: Potentially Malicious SSO Domain
ExpectedResult: True
Log:
{
"ContextProcessId": "440890253753908704",
"ContextThreadId": "0",
"ContextTimeStamp": "2022-08-31 07:03:48.879",
"DomainName": "company_name_here-okta.com",
"EffectiveTransmissionClass": 2,
"Entitlements": "15",
"RequestType": "1",
"event_platform": "Mac",
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV2",
"p_any_domain_names": ["company_name_here-okta.com"],
"timestamp": "2022-08-31 07:03:49.195",
}
- Name: No Domain
ExpectedResult: False
Log:
{
"ContextProcessId": "440890253753908704",
"ContextThreadId": "0",
"ContextTimeStamp": "2022-08-31 07:03:48.879",
"EffectiveTransmissionClass": 2,
"Entitlements": "15",
"RequestType": "1",
"event_platform": "Mac",
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV2",
"p_any_domain_names": [],
"timestamp": "2022-08-31 07:03:49.195",
}
- Name: Known good and malicious domain
ExpectedResult: True
Log:
{
"ContextProcessId": "440890253753908704",
"ContextThreadId": "0",
"ContextTimeStamp": "2022-08-31 07:03:48.879",
"EffectiveTransmissionClass": 2,
"Entitlements": "15",
"RequestType": "1",
"event_platform": "Mac",
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV2",
"p_any_domain_names":
["company_name_here.okta.com", "company_name_here-maokta.com"],
"timestamp": "2022-08-31 07:03:49.195",
}
- Name: Known good and malicious domain with Crowdstrike.FDREvent
ExpectedResult: True
Log:
{
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV1",
"aid": "00000000000000000000000000000001",
"aip": "111.111.111.111",
"cid": "00000000000000000000000000000002",
"id": "11111111-0000-1111-0000-111111111111",
"event":
{
"aid": "00000000000000000000000000000001",
"event_simpleName": "DnsRequest",
"name": "DnsRequestMacV1",
"aip": "111.111.111.111",
"cid": "00000000000000000000000000000002",
"id": "11111111-0000-1111-0000-111111111111",
"event_platform": "Mac",
"timestamp": "2021-10-01 00:00:00.000Z",
"ConfigBuild": "1007.4.0014301.11",
"ConfigStateHash": "507116305",
"Entitlements": "15",
"ContextThreadId": "0",
"ContextTimeStamp": "2021-10-08 19:55:04.448Z",
"ContextProcessId": "111111111111111111",
"EffectiveTransmissionClass": 2,
"DomainName": "gooddomain.com",
"RequestType": "1",
},
"event_platform": "Mac",
"fdr_event_type": "DnsRequest",
"timestamp": "2021-10-01 00:00:00.000Z",
"ConfigBuild": "1007.4.0014301.11",
"ConfigStateHash": "507116305",
"Entitlements": "15",
"ContextThreadId": "0",
"ContextTimeStamp": "2021-10-08 19:55:04.448Z",
"ContextProcessId": "111111111111111111",
"EffectiveTransmissionClass": 2,
"RequestType": "1",
"p_event_time": "2021-10-08 19:55:04.448Z",
"p_parse_time": "2021-10-08 20:09:41.933Z",
"p_log_type": "Crowdstrike.FDREvent",
"p_row_id": "2ed00000000000000000000000000001",
"p_source_id": "11111111-1111-1111-1111-111111111111",
"p_source_label": "Crowdstrike",
"p_any_ip_addresses": ["111.111.111.111"],
"p_any_domain_names":
["company_name_here.okta.com", "company_name_here-maokta.com"],
"p_any_trace_ids":
[
"00000000000000000000000000000001",
"00000000000000000000000000000002",
],
}
- Name: non DnsRequest Crowdstrike.FDREvent event
ExpectedResult: False
Log:
{
"event_simpleName": "something else",
"event":
{
"aid": "00000000000000000000000000000001",
"event_simpleName": "something else",
"ContextTimeStamp": "2021-10-08 19:55:04.448Z",
"ContextProcessId": "111111111111111111",
"EffectiveTransmissionClass": 2,
"DomainName": "gooddomain.com",
"RequestType": "1",
},
"event_platform": "Mac",
"fdr_event_type": "something else",
"ContextProcessId": "111111111111111111",
"EffectiveTransmissionClass": 2,
"RequestType": "1",
"p_event_time": "2021-10-08 19:55:04.448Z",
"p_parse_time": "2021-10-08 20:09:41.933Z",
"p_log_type": "Crowdstrike.FDREvent",
"p_row_id": "2ed00000000000000000000000000001",
"p_source_id": "11111111-1111-1111-1111-111111111111",
"p_source_label": "Crowdstrike",
"p_any_ip_addresses": ["111.111.111.111"],
"p_any_domain_names":
["company_name_here.okta.com", "company_name_here-maokta.com"],
"p_any_trace_ids":
[
"00000000000000000000000000000001",
"00000000000000000000000000000002",
],
}
Detection logic
Condition
not (p_log_type eq "Crowdstrike.FDREvent" and fdr_event_type ne "DnsRequest")
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
fdr_event_type | ne | DnsRequest |
p_log_type | eq | Crowdstrike.FDREvent |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
p_any_domain_names |