id: 1823db08-2ba4-4624-900f-9be0f950ea57 name: Google DNS - Unexpected top level domains description: | 'Query searches for unexpected TLDs.' severity: Medium requiredDataConnectors: - connectorId: GCPDNSDataConnector dataTypes: - GCPCloudDNS tactics: - CommandAndControl relevantTechniques: - T1095 query: | GCPCloudDNS | where TimeGenerated > ago(24h) | extend tld = extract(@'.*\.(\w+)\.$', 1, Query) | where strlen(tld) > 4 | extend IPCustomEntity = SrcIpAddr entityMappings: - entityType: IP fieldMappings: - identifier: Address columnName: IPCustomEntity