LoFP / dns zone modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

• t1565
• t1565.001

Sample rules

Azure DNS Zone Modified or Deleted

• source: sigma
• technicques:
  • t1565
  • t1565.001

Description

Identifies when DNS zone is modified or deleted.

Detection logic

condition: selection
selection:
  operationName|endswith:
  - /WRITE
  - /DELETE
  operationName|startswith: MICROSOFT.NETWORK/DNSZONES