Microsoft Sentinel Analytic Rules

Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)

Id: 4ab8b09e-3c23-4974-afbe-7e653779eb2b
Rulename: Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
Description: This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Severity: Medium
Tactics: CommandAndControl
Techniques: T1568, T1008
Required data connectors: AIVectraStream, ASimDnsActivityLogs, AzureFirewall, CiscoUmbrellaDataConnector, Corelight, DNS, GCPDNSDataConnector, InfobloxNIOS, ISCBind, NXLogDnsLogs, WindowsForwardedEvents, Zscaler
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml
Version: 1.0.0
Arm template: 4ab8b09e-3c23-4974-afbe-7e653779eb2b.json
let lookback = 1h;
let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
  | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'
      and wl_Type == 'Detection'
  | project threshold=toint(wl_Threshold));
_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
| where NXDOMAINCount > toscalar(threshold)
| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
  | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
  on SrcIpAddr
| extend NXDOMAINthreshold=toint(toscalar(threshold))
| project-away SrcIpAddr1
tactics:
- CommandAndControl
severity: Medium
requiredDataConnectors:
- connectorId: ASimDnsActivityLogs
  dataTypes:
  - ASimDnsActivityLogs
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream_CL
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvents
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: ISCBind
  dataTypes:
  - Syslog
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDescriptionFormat: |-
    Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications. 

    'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'

    Current 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'

    DNS queries requested by the client include:

    '{{DNSQueries}}'    
  alertDisplayNameFormat: "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
query: |
  let lookback = 1h;
  let threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')
    | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'
        and wl_Type == 'Detection'
    | project threshold=toint(wl_Threshold));
  _Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
  | summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)
  | where NXDOMAINCount > toscalar(threshold)
  | join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
    | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)
    on SrcIpAddr
  | extend NXDOMAINthreshold=toint(toscalar(threshold))
  | project-away SrcIpAddr1  
triggerThreshold: 0
name: Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
kind: Scheduled
version: 1.0.0
description: |
    'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. \n\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
relevantTechniques:
- T1568
- T1008
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml
customDetails:
  NXDOMAINCount: NXDOMAINCount
  NXDOMAINthreshold: NXDOMAINthreshold
  DNSQueries: DNSQueries
tags:
- Schema: ASimDns
  SchemaVersion: 0.1.6
status: Available
queryFrequency: 1h
queryPeriod: 1h
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
id: 4ab8b09e-3c23-4974-afbe-7e653779eb2b
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ab8b09e-3c23-4974-afbe-7e653779eb2b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)",
        "description": "'This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. \\n\\nIt utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lookback = 1h;\nlet threshold = materialize (_GetWatchlist('DNS_Solution_Monitoring_Configuration')\n  | where wl_RuleName == 'Excessive NXDOMAIN DNS Queries'\n      and wl_Type == 'Detection'\n  | project threshold=toint(wl_Threshold));\n_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n| summarize NXDOMAINCount=count() by SrcIpAddr, bin(TimeGenerated, 15m)\n| where NXDOMAINCount > toscalar(threshold)\n| join kind=inner (_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')\n  | summarize DNSQueries = makeset(DnsQuery) by SrcIpAddr)\n  on SrcIpAddr\n| extend NXDOMAINthreshold=toint(toscalar(threshold))\n| project-away SrcIpAddr1\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1568",
          "T1008"
        ],
        "alertRuleTemplateName": "4ab8b09e-3c23-4974-afbe-7e653779eb2b",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Client is generating excessive amount of DNS queries for non-existent domains. This can be an indication of possible C2 communications. \n\n'NXDOMAIN' error count threshold: '{{NXDOMAINthreshold}}'\n\nCurrent 'NXDOMAIN' error count from this client: '{{NXDOMAINCount}}'\n\nDNS queries requested by the client include:\n\n'{{DNSQueries}}'",
          "alertDisplayNameFormat": "[Static threshold] Excessive NXDOMAIN DNS Queries has been detected from client IP: '{{SrcIpAddr}}'"
        },
        "customDetails": {
          "NXDOMAINCount": "NXDOMAINCount",
          "NXDOMAINthreshold": "NXDOMAINthreshold",
          "DNSQueries": "DNSQueries"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml",
        "templateVersion": "1.0.0",
        "status": "Available",
        "tags": [
          {
            "Schema": "ASimDns",
            "SchemaVersion": "0.1.6"
          }
        ]
      }
    }
  ]
}