Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive NXDOMAIN DNS Queries

Excessive NXDOMAIN DNS Queries

Back
Idb8266f81-2715-41a6-9062-42486cbc9c73
RulenameExcessive NXDOMAIN DNS Queries
DescriptionThis creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
T1008
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml
Version1.0.5
Arm templateb8266f81-2715-41a6-9062-42486cbc9c73.json
Deploy To Azure
let threshold = 200;
Infoblox_dnsclient
| where isnotempty(DnsResponseCode)
| where DnsResponseCode =~ "NXDOMAIN"
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
| where count_ > threshold
| join kind=inner (Infoblox_dnsclient
    | where isnotempty(DnsResponseCode)
    | where DnsResponseCode =~ "NXDOMAIN"
    ) on SrcIpAddr

description: |
    'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.'
kind: Scheduled
tactics:
- CommandAndControl
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml
severity: Medium
name: Excessive NXDOMAIN DNS Queries
triggerThreshold: 0
queryPeriod: 1h
query: |
  let threshold = 200;
  Infoblox_dnsclient
  | where isnotempty(DnsResponseCode)
  | where DnsResponseCode =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (Infoblox_dnsclient
      | where isnotempty(DnsResponseCode)
      | where DnsResponseCode =~ "NXDOMAIN"
      ) on SrcIpAddr  
relevantTechniques:
- T1568
- T1008
id: b8266f81-2715-41a6-9062-42486cbc9c73
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.5
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address