Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)
| Id | 02f23312-1a33-4390-8b80-f7cd4df4dea0 |
| Rulename | Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) |
| Description | This rule makes use of the series decompose anomaly method to generate an alert when client requests excessive amount of DNS queries to non-existent domains. This helps in identifying possible C2 communications. \n\nIt utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1568 T1008 |
| Required data connectors | AIVectraStream ASimDnsActivityLogs AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS ISCBind NXLogDnsLogs WindowsForwardedEvents Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesAnomalyBased.yaml |
| Version | 1.0.0 |
| Arm template | 02f23312-1a33-4390-8b80-f7cd4df4dea0.json |
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
| where wl_RuleName == 'Anomaly - Excessive NXDOMAIN DNS Queries'
and wl_Type == 'Detection'
| project todouble(wl_AnomalyThreshold));
let min_t = ago(14d);
let max_t = now();
let dt = 1d;
let summarizationexist = (
union isfuzzy=true
(
DNS_Summarized_Logs_ip_CL
| where EventTime_t > ago(1d)
| project v = int(2)
),
(
print int(1)
| project v = print_0
)
| summarize maxv = max(v)
| extend sumexist = (maxv > 1)
);
let allData = union isfuzzy=true
(
(datatable(exists: int, sumexist: bool)[1, false]
| join (summarizationexist) on sumexist)
| join (
_Im_Dns(responsecodename='NXDOMAIN', starttime=todatetime(min_t), endtime=max_t)
| summarize Count=count() by SrcIpAddr, bin(TimeGenerated, 1h)
| extend EventTime = TimeGenerated, Count = toint(Count), exists=int(1)
)
on exists
| project-away exists, maxv, sum*
),
(
DNS_Summarized_Logs_ip_CL
| where EventTime_t > min_t and EventResultDetails_s == 'NXDOMAIN'
| summarize Count=toint(sum(count__d)) by SrcIpAddr=SrcIpAddr_s, bin(EventTime=EventTime_t, 1h)
);
allData
| make-series EventCount=sum(Count) on EventTime from min_t to max_t step dt by SrcIpAddr
| extend (anomalies, score, baseline) = series_decompose_anomalies(EventCount, toscalar(threshold), -1, 'linefit')
| mv-expand anomalies, score, baseline, EventTime, EventCount
| extend
anomalies = toint(anomalies),
score = toint(score),
baseline = toint(baseline),
EventTime = todatetime(EventTime),
Total = tolong(EventCount)
| where EventTime >= ago(dt)
| where score >= (toscalar(threshold) * 2)
| join kind=inner(_Im_Dns(responsecodename='NXDOMAIN', starttime=ago(dt), endtime=max_t)
| summarize DNSQueries = make_set(DnsQuery) by SrcIpAddr)
on SrcIpAddr
| project-away SrcIpAddr1
queryFrequency: 1d
alertDetailsOverride:
alertDisplayNameFormat: "[Anomaly] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
alertDescriptionFormat: |-
This client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications.
Baseline for 'NXDOMAIN' error count for this client: '{{baseline}}'
Current 'NXDOMAIN' error count for this client: '{{Total}}'
DNS queries requested by the client include:
'{{DNSQueries}}'
triggerOperator: gt
tactics:
- CommandAndControl
description: |
'This rule makes use of the series decompose anomaly method to generate an alert when client requests excessive amount of DNS queries to non-existent domains. This helps in identifying possible C2 communications. \n\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
relevantTechniques:
- T1568
- T1008
name: Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesAnomalyBased.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
customDetails:
baseline: baseline
DNSQueries: DNSQueries
AnomalyScore: score
Total: Total
id: 02f23312-1a33-4390-8b80-f7cd4df4dea0
requiredDataConnectors:
- connectorId: ASimDnsActivityLogs
dataTypes:
- ASimDnsActivityLogs
- connectorId: GCPDNSDataConnector
dataTypes:
- GCP_DNS_CL
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
- connectorId: Corelight
dataTypes:
- Corelight_CL
- connectorId: InfobloxNIOS
dataTypes:
- Syslog
- connectorId: NXLogDnsLogs
dataTypes:
- NXLog_DNS_Server_CL
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AIVectraStream
dataTypes:
- VectraStream_CL
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvents
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: ISCBind
dataTypes:
- Syslog
kind: Scheduled
query: |
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
| where wl_RuleName == 'Anomaly - Excessive NXDOMAIN DNS Queries'
and wl_Type == 'Detection'
| project todouble(wl_AnomalyThreshold));
let min_t = ago(14d);
let max_t = now();
let dt = 1d;
let summarizationexist = (
union isfuzzy=true
(
DNS_Summarized_Logs_ip_CL
| where EventTime_t > ago(1d)
| project v = int(2)
),
(
print int(1)
| project v = print_0
)
| summarize maxv = max(v)
| extend sumexist = (maxv > 1)
);
let allData = union isfuzzy=true
(
(datatable(exists: int, sumexist: bool)[1, false]
| join (summarizationexist) on sumexist)
| join (
_Im_Dns(responsecodename='NXDOMAIN', starttime=todatetime(min_t), endtime=max_t)
| summarize Count=count() by SrcIpAddr, bin(TimeGenerated, 1h)
| extend EventTime = TimeGenerated, Count = toint(Count), exists=int(1)
)
on exists
| project-away exists, maxv, sum*
),
(
DNS_Summarized_Logs_ip_CL
| where EventTime_t > min_t and EventResultDetails_s == 'NXDOMAIN'
| summarize Count=toint(sum(count__d)) by SrcIpAddr=SrcIpAddr_s, bin(EventTime=EventTime_t, 1h)
);
allData
| make-series EventCount=sum(Count) on EventTime from min_t to max_t step dt by SrcIpAddr
| extend (anomalies, score, baseline) = series_decompose_anomalies(EventCount, toscalar(threshold), -1, 'linefit')
| mv-expand anomalies, score, baseline, EventTime, EventCount
| extend
anomalies = toint(anomalies),
score = toint(score),
baseline = toint(baseline),
EventTime = todatetime(EventTime),
Total = tolong(EventCount)
| where EventTime >= ago(dt)
| where score >= (toscalar(threshold) * 2)
| join kind=inner(_Im_Dns(responsecodename='NXDOMAIN', starttime=ago(dt), endtime=max_t)
| summarize DNSQueries = make_set(DnsQuery) by SrcIpAddr)
on SrcIpAddr
| project-away SrcIpAddr1
queryPeriod: 14d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/02f23312-1a33-4390-8b80-f7cd4df4dea0')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/02f23312-1a33-4390-8b80-f7cd4df4dea0')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)",
"description": "'This rule makes use of the series decompose anomaly method to generate an alert when client requests excessive amount of DNS queries to non-existent domains. This helps in identifying possible C2 communications. \\n\\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
"severity": "Medium",
"enabled": true,
"query": "let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')\n | where wl_RuleName == 'Anomaly - Excessive NXDOMAIN DNS Queries'\n and wl_Type == 'Detection'\n | project todouble(wl_AnomalyThreshold));\nlet min_t = ago(14d);\nlet max_t = now();\nlet dt = 1d;\nlet summarizationexist = (\n union isfuzzy=true \n (\n DNS_Summarized_Logs_ip_CL\n | where EventTime_t > ago(1d) \n | project v = int(2)\n ),\n (\n print int(1) \n | project v = print_0\n )\n | summarize maxv = max(v)\n | extend sumexist = (maxv > 1)\n );\nlet allData = union isfuzzy=true\n (\n (datatable(exists: int, sumexist: bool)[1, false]\n | join (summarizationexist) on sumexist)\n | join (\n _Im_Dns(responsecodename='NXDOMAIN', starttime=todatetime(min_t), endtime=max_t)\n | summarize Count=count() by SrcIpAddr, bin(TimeGenerated, 1h)\n | extend EventTime = TimeGenerated, Count = toint(Count), exists=int(1)\n )\n on exists\n | project-away exists, maxv, sum*\n ),\n (\n DNS_Summarized_Logs_ip_CL\n | where EventTime_t > min_t and EventResultDetails_s == 'NXDOMAIN'\n | summarize Count=toint(sum(count__d)) by SrcIpAddr=SrcIpAddr_s, bin(EventTime=EventTime_t, 1h)\n );\nallData\n| make-series EventCount=sum(Count) on EventTime from min_t to max_t step dt by SrcIpAddr\n| extend (anomalies, score, baseline) = series_decompose_anomalies(EventCount, toscalar(threshold), -1, 'linefit')\n| mv-expand anomalies, score, baseline, EventTime, EventCount\n| extend\n anomalies = toint(anomalies),\n score = toint(score),\n baseline = toint(baseline),\n EventTime = todatetime(EventTime),\n Total = tolong(EventCount)\n| where EventTime >= ago(dt)\n| where score >= (toscalar(threshold) * 2)\n| join kind=inner(_Im_Dns(responsecodename='NXDOMAIN', starttime=ago(dt), endtime=max_t)\n | summarize DNSQueries = make_set(DnsQuery) by SrcIpAddr)\n on SrcIpAddr\n| project-away SrcIpAddr1\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1568",
"T1008"
],
"alertRuleTemplateName": "02f23312-1a33-4390-8b80-f7cd4df4dea0",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "[Anomaly] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'",
"alertDescriptionFormat": "This client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications.\n\nBaseline for 'NXDOMAIN' error count for this client: '{{baseline}}'\n\nCurrent 'NXDOMAIN' error count for this client: '{{Total}}'\n\nDNS queries requested by the client include:\n\n'{{DNSQueries}}'"
},
"customDetails": {
"baseline": "baseline",
"DNSQueries": "DNSQueries",
"AnomalyScore": "score",
"Total": "Total"
},
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"status": "Available",
"templateVersion": "1.0.0",
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesAnomalyBased.yaml"
}
}
]
}