Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Detect excessive NXDOMAIN DNS queries - Static threshold based ASIM DNS Solution

Detect excessive NXDOMAIN DNS queries - Static threshold based ASIM DNS Solution

Back
Id4ab8b09e-3c23-4974-afbe-7e653779eb2b
RulenameDetect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
DescriptionThis rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
T1008
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml
Version1.0.2
Arm template4ab8b09e-3c23-4974-afbe-7e653779eb2b.json
Deploy To Azure
let lookback = 1h;
let threshold = 200;
_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
| where NXDOMAINCount > threshold
| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
  | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
  on SrcIpAddr
| extend NXDOMAINthreshold=threshold
| project-away SrcIpAddr1

query: |
  let lookback = 1h;
  let threshold = 200;
  _Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
  | summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
  | where NXDOMAINCount > threshold
  | join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
    | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
    on SrcIpAddr
  | extend NXDOMAINthreshold=threshold
  | project-away SrcIpAddr1  
queryPeriod: 1h
queryFrequency: 1h
status: Available
id: 4ab8b09e-3c23-4974-afbe-7e653779eb2b
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
customDetails:
  DNSQueries: DNSQueries
  NXDOMAINthreshold: NXDOMAINthreshold
  NXDOMAINCount: NXDOMAINCount
relevantTechniques:
- T1568
- T1008
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
  alertDescriptionFormat: |-
    Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications. 

    'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'

    Current 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'

    DNS queries requested by the client include:

    '{{DNSQueries}}'    
name: Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
description: |
    'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
tactics:
- CommandAndControl
tags:
- SchemaVersion: 0.1.6
  Schema: ASimDns
severity: Medium
triggerThreshold: 0
version: 1.0.2
kind: Scheduled
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications. \n\n'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'\n\nCurrent 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'\n\nDNS queries requested by the client include:\n\n'{{DNSQueries}}'",
          "alertDisplayNameFormat": "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
        },
        "alertRuleTemplateName": "4ab8b09e-3c23-4974-afbe-7e653779eb2b",
        "customDetails": {
          "DNSQueries": "DNSQueries",
          "NXDOMAINCount": "NXDOMAINCount",
          "NXDOMAINthreshold": "NXDOMAINthreshold"
        },
        "description": "'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
        "displayName": "Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml",
        "query": "let lookback = 1h;\nlet threshold = 200;\n_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)\n| where NXDOMAINCount > threshold\n| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n  | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)\n  on SrcIpAddr\n| extend NXDOMAINthreshold=threshold\n| project-away SrcIpAddr1\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Schema": "ASimDns",
            "SchemaVersion": "0.1.6"
          }
        ],
        "techniques": [
          "T1008",
          "T1568"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}