Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Potential DGA detected

Potential DGA detected

Back
Ida0907abe-6925-4d90-af2b-c7e89dc201a6
RulenamePotential DGA detected
DescriptionIdentifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).

Alerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
T1008
Required data connectorsDNS
KindScheduled
Query frequency1d
Query period10d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighNXDomainCount_detection.yaml
Version1.0.3
Arm templatea0907abe-6925-4d90-af2b-c7e89dc201a6.json
Deploy To Azure
let starttime = 10d;
let endtime = 1d;
let threshold = 100;
let nxDomainDnsEvents = DnsEvents
// ResultCode 3 => 'NXDOMAIN'
| where ResultCode == 3
| where QueryType in~ ("A", "AAAA")
| where ipv4_is_match("127.0.0.1", ClientIP) == False
| where Name !has "/"
| where Name has ".";
nxDomainDnsEvents
| where TimeGenerated > ago(endtime)
// sld = Second Level Domain
| extend sld = tostring(split(Name, ".")[-2])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP
| where dcount_sld > threshold
// Filter out previously seen IPs
// Returns all the records from the left side that don't have matches from the right
| join kind=leftanti (nxDomainDnsEvents
    | where TimeGenerated between(ago(starttime)..ago(endtime))
    | extend sld = tostring(split(Name, ".")[-2])
    | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)
    | where dcount_sld > threshold
    ) on ClientIP
    | order by dcount_sld desc

relevantTechniques:
- T1568
- T1008
name: Potential DGA detected
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: ClientIP
  entityType: IP
triggerThreshold: 0
id: a0907abe-6925-4d90-af2b-c7e89dc201a6
tactics:
- CommandAndControl
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighNXDomainCount_detection.yaml
queryPeriod: 10d
kind: Scheduled
queryFrequency: 1d
severity: Medium
status: Available
description: |
  'Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).
  Alerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).'  
query: |
  let starttime = 10d;
  let endtime = 1d;
  let threshold = 100;
  let nxDomainDnsEvents = DnsEvents
  // ResultCode 3 => 'NXDOMAIN'
  | where ResultCode == 3
  | where QueryType in~ ("A", "AAAA")
  | where ipv4_is_match("127.0.0.1", ClientIP) == False
  | where Name !has "/"
  | where Name has ".";
  nxDomainDnsEvents
  | where TimeGenerated > ago(endtime)
  // sld = Second Level Domain
  | extend sld = tostring(split(Name, ".")[-2])
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP
  | where dcount_sld > threshold
  // Filter out previously seen IPs
  // Returns all the records from the left side that don't have matches from the right
  | join kind=leftanti (nxDomainDnsEvents
      | where TimeGenerated between(ago(starttime)..ago(endtime))
      | extend sld = tostring(split(Name, ".")[-2])
      | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)
      | where dcount_sld > threshold
      ) on ClientIP
      | order by dcount_sld desc  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0907abe-6925-4d90-af2b-c7e89dc201a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0907abe-6925-4d90-af2b-c7e89dc201a6')]",
      "properties": {
        "alertRuleTemplateName": "a0907abe-6925-4d90-af2b-c7e89dc201a6",
        "customDetails": null,
        "description": "'Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).\nAlerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).'\n",
        "displayName": "Potential DGA detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Server DNS/Analytic Rules/DNS_HighNXDomainCount_detection.yaml",
        "query": "let starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = DnsEvents\n// ResultCode 3 => 'NXDOMAIN'\n| where ResultCode == 3\n| where QueryType in~ (\"A\", \"AAAA\")\n| where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !has \"/\"\n| where Name has \".\";\nnxDomainDnsEvents\n| where TimeGenerated > ago(endtime)\n// sld = Second Level Domain\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen IPs\n// Returns all the records from the left side that don't have matches from the right\n| join kind=leftanti (nxDomainDnsEvents\n    | where TimeGenerated between(ago(starttime)..ago(endtime))\n    | extend sld = tostring(split(Name, \".\")[-2])\n    | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)\n    | where dcount_sld > threshold\n    ) on ClientIP\n    | order by dcount_sld desc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P10D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1008",
          "T1568"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}