Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
Id | 4ab8b09e-3c23-4974-afbe-7e653779eb2b |
Rulename | Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) |
Description | This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. |
Severity | Medium |
Tactics | CommandAndControl |
Techniques | T1568 T1008 |
Required data connectors | AIVectraStream ASimDnsActivityLogs AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS ISCBind NXLogDnsLogs WindowsForwardedEvents Zscaler |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml |
Version | 1.0.0 |
Arm template | 4ab8b09e-3c23-4974-afbe-7e653779eb2b.json |
let lookback = 1h;
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
    | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'
        and wl_Type == 'Detection'
    | project threshold=toint(wl_Threshold));
_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
| where NXDOMAINCount > toscalar(threshold)
| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
    | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
    on SrcIpAddr
| extend NXDOMAINthreshold=toint(toscalar(threshold))
| project-away SrcIpAddr1
tactics:
- CommandAndControl
severity: Medium
requiredDataConnectors:
- connectorId: ASimDnsActivityLogs
  dataTypes:
  - ASimDnsActivityLogs
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream_CL
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvents
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: ISCBind
  dataTypes:
  - Syslog
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDescriptionFormat: |-
    Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications.
    'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'
    Current 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'
    DNS queries requested by the client include:
    '{{DNSQueries}}'
  alertDisplayNameFormat: "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
query: |
  let lookback = 1h;
  let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
      | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'
          and wl_Type == 'Detection'
      | project threshold=toint(wl_Threshold));
  _Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
  | summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
  | where NXDOMAINCount > toscalar(threshold)
  | join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
      | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
      on SrcIpAddr
  | extend NXDOMAINthreshold=toint(toscalar(threshold))
  | project-away SrcIpAddr1
triggerThreshold: 0
name: Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
kind: Scheduled
version: 1.0.0
description: |
  'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. \n\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
relevantTechniques:
- T1568
- T1008
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml
customDetails:
  NXDOMAINCount: NXDOMAINCount
  NXDOMAINthreshold: NXDOMAINthreshold
  DNSQueries: DNSQueries
tags:
- Schema: ASimDns
  SchemaVersion: 0.1.6
status: Available
queryFrequency: 1h
queryPeriod: 1h
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
id: 4ab8b09e-3c23-4974-afbe-7e653779eb2b
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)",
"description": "'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. \\n\\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
"severity": "Medium",
"enabled": true,
"query": "let lookback = 1h;\nlet threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')\n | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'\n and wl_Type == 'Detection'\n | project threshold=toint(wl_Threshold));\n_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)\n| where NXDOMAINCount > toscalar(threshold)\n| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)\n on SrcIpAddr\n| extend NXDOMAINthreshold=toint(toscalar(threshold))\n| project-away SrcIpAddr1\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1568",
"T1008"
],
"alertRuleTemplateName": "4ab8b09e-3c23-4974-afbe-7e653779eb2b",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications. \n\n'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'\n\nCurrent 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'\n\nDNS queries requested by the client include:\n\n'{{DNSQueries}}'",
"alertDisplayNameFormat": "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
},
"customDetails": {
"NXDOMAINCount": "NXDOMAINCount",
"NXDOMAINthreshold": "NXDOMAINthreshold",
"DNSQueries": "DNSQueries"
},
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml",
"templateVersion": "1.0.0",
"status": "Available",
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
]
}
}
]
}