Potential DGADomain Generation Algorithm detected via Repetitive Failures - Static threshold based ASIM DNS Solution
| Id | 89ba52fa-96a7-4653-829a-ca49bb13336c |
| Rulename | Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) |
| Description | This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1568 T1008 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 10d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml |
| Version | 1.0.2 |
| Arm template | 89ba52fa-96a7-4653-829a-ca49bb13336c.json |
let threshold = 100;
let lookback = 10d;
let referenceendtime = 1d;
let nxDomainDnsEvents = (stime: datetime, etime: datetime) {
_Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)
| where DnsQueryTypeName in ("A", "AAAA")
| where ipv4_is_match("127.0.0.1", SrcIpAddr) == False
| where DnsQuery !contains "/" and DnsQuery contains "."
};
nxDomainDnsEvents (stime=ago(referenceendtime), etime=now())
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > threshold
// Filter out previously seen IPs
| join kind=leftanti (nxDomainDnsEvents (stime=ago(lookback), etime=ago(referenceendtime))
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated,1d)
| where DNSQueryCount > threshold)
on SrcIpAddr
// Pull out sample NXDomain responses for those remaining potentially infected IPs
| join kind = inner (nxDomainDnsEvents (stime=ago(lookback), etime=now())
| summarize by DnsQuery, SrcIpAddr)
on SrcIpAddr
| summarize
StartTimeUtc = min(StartTimeUtc),
EndTimeUtc = max(EndTimeUtc),
DNSQueries=make_list(DnsQuery, 100)
by SrcIpAddr, DNSQueryCount
| extend DNSQueryThreshold=threshold
query: |
let threshold = 100;
let lookback = 10d;
let referenceendtime = 1d;
let nxDomainDnsEvents = (stime: datetime, etime: datetime) {
_Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)
| where DnsQueryTypeName in ("A", "AAAA")
| where ipv4_is_match("127.0.0.1", SrcIpAddr) == False
| where DnsQuery !contains "/" and DnsQuery contains "."
};
nxDomainDnsEvents (stime=ago(referenceendtime), etime=now())
| summarize
StartTimeUtc = min(TimeGenerated),
EndTimeUtc = max(TimeGenerated),
DNSQueryCount=dcount(DnsQuery)
by SrcIpAddr
| where DNSQueryCount > threshold
// Filter out previously seen IPs
| join kind=leftanti (nxDomainDnsEvents (stime=ago(lookback), etime=ago(referenceendtime))
| summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated,1d)
| where DNSQueryCount > threshold)
on SrcIpAddr
// Pull out sample NXDomain responses for those remaining potentially infected IPs
| join kind = inner (nxDomainDnsEvents (stime=ago(lookback), etime=now())
| summarize by DnsQuery, SrcIpAddr)
on SrcIpAddr
| summarize
StartTimeUtc = min(StartTimeUtc),
EndTimeUtc = max(EndTimeUtc),
DNSQueries=make_list(DnsQuery, 100)
by SrcIpAddr, DNSQueryCount
| extend DNSQueryThreshold=threshold
queryPeriod: 10d
queryFrequency: 1d
status: Available
id: 89ba52fa-96a7-4653-829a-ca49bb13336c
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
customDetails:
DNSQueryCount: DNSQueryCount
DNSQueries: DNSQueries
DNSQueryThreshold: DNSQueryThreshold
relevantTechniques:
- T1568
- T1008
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml
requiredDataConnectors: []
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: "[Static threshold] Potential DGA (Domain Generation Algorithm) originating from client IP: '{{SrcIpAddr}}' has been detected."
alertDescriptionFormat: |-
Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.
DGA DNS query count baseline is: '{{DNSQueryThreshold}}'
Current failed DNS query count from this client: '{{DNSQueryCount}}'
DNS queries requested by this client inlcude: '{{DNSQueries}}'
name: Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)
description: |
'This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'
tactics:
- CommandAndControl
tags:
- SchemaVersion: 0.1.6
Schema: ASimDns
severity: Medium
triggerThreshold: 0
version: 1.0.2
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89ba52fa-96a7-4653-829a-ca49bb13336c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89ba52fa-96a7-4653-829a-ca49bb13336c')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nDGA DNS query count baseline is: '{{DNSQueryThreshold}}'\n\nCurrent failed DNS query count from this client: '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
"alertDisplayNameFormat": "[Static threshold] Potential DGA (Domain Generation Algorithm) originating from client IP: '{{SrcIpAddr}}' has been detected."
},
"alertRuleTemplateName": "89ba52fa-96a7-4653-829a-ca49bb13336c",
"customDetails": {
"DNSQueries": "DNSQueries",
"DNSQueryCount": "DNSQueryCount",
"DNSQueryThreshold": "DNSQueryThreshold"
},
"description": "'This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.'\n",
"displayName": "Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml",
"query": "let threshold = 100;\nlet lookback = 10d;\nlet referenceendtime = 1d;\nlet nxDomainDnsEvents = (stime: datetime, etime: datetime) {\n _Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\n | where DnsQueryTypeName in (\"A\", \"AAAA\")\n | where ipv4_is_match(\"127.0.0.1\", SrcIpAddr) == False\n | where DnsQuery !contains \"/\" and DnsQuery contains \".\"\n};\nnxDomainDnsEvents (stime=ago(referenceendtime), etime=now())\n| summarize\n StartTimeUtc = min(TimeGenerated),\n EndTimeUtc = max(TimeGenerated),\n DNSQueryCount=dcount(DnsQuery)\n by SrcIpAddr\n| where DNSQueryCount > threshold\n// Filter out previously seen IPs\n| join kind=leftanti (nxDomainDnsEvents (stime=ago(lookback), etime=ago(referenceendtime))\n | summarize DNSQueryCount=dcount(DnsQuery) by SrcIpAddr, bin(TimeGenerated,1d)\n | where DNSQueryCount > threshold)\n on SrcIpAddr\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents (stime=ago(lookback), etime=now())\n | summarize by DnsQuery, SrcIpAddr)\n on SrcIpAddr\n| summarize\n StartTimeUtc = min(StartTimeUtc),\n EndTimeUtc = max(EndTimeUtc),\n DNSQueries=make_list(DnsQuery, 100)\n by SrcIpAddr, DNSQueryCount\n| extend DNSQueryThreshold=threshold\n",
"queryFrequency": "P1D",
"queryPeriod": "P10D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1008",
"T1568"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}