Detecting OOB interactions in Sentinel
Florian Roth posted a SigmaHQ rule on Twitter for detecting DNS lookups to public out-of-band (OOB) interaction services such as interactsh, inspired by Matt Kelly. I adapted it to KQL for Microsoft Sentinel and figured I'd share.
// Domains of public OOB/OAST callback services (from the original Sigma rule)
let Domains = dynamic([
".interact.sh",
".oast.pro",
".oast.live",
".oast.site",
".oast.online",
".oast.fun",
".oast.me",
".burpcollaborator.net",
".oastify.com",
".canarytokens.com",
".requestbin.net",
".dnslog.cn"]);
DnsEvents
| where Name has_any (Domains)
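The query above lists every matching DNS event. As an added example (not from the original post or the Sigma rule), here is the same domain list shaped for a scheduled analytics rule: it keeps only true suffix matches and aggregates per source host. It assumes the standard Sentinel DnsEvents columns TimeGenerated, Computer and ClientIP alongside Name.

```kql
// Added example, not from the original post. Same OOB service domains as above.
let Domains = dynamic([
    ".interact.sh", ".oast.pro", ".oast.live", ".oast.site", ".oast.online",
    ".oast.fun", ".oast.me", ".burpcollaborator.net", ".oastify.com",
    ".canarytokens.com", ".requestbin.net", ".dnslog.cn"]);
DnsEvents
// Look-back window; align with the analytics rule's run frequency
| where TimeGenerated > ago(1h)
// has_any is a cheap, index-friendly prefilter. It matches whole terms anywhere
// in the name, so "interact.sh.example.net" would also pass at this stage.
| where Name has_any (Domains)
// Confirm the listed domain is really the suffix of the queried name and
// record which service matched (Suffix) for use as an entity/alert detail.
| extend DomainList = Domains
| mv-apply Suffix = DomainList to typeof(string) on (
    where Name endswith Suffix
)
// One row per host, source IP and service: volume plus first/last seen and
// a sample of the queried names (these usually carry the per-test subdomain).
| summarize
    QueryCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    QueriedNames = make_set(Name, 20)
    by Computer, ClientIP, Suffix
| order by QueryCount desc
```

Map Computer and ClientIP to Host and IP entities in the rule; a single host querying several different Suffix values in a short window is a stronger signal than one isolated lookup.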
Hope it's useful!