Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Back


Id	c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
Rulename	Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
Description	This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
Severity	Medium
Tactics	CommandAndControl
Techniques	T1568 T1008
Required data connectors	AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS NXLogDnsLogs Zscaler
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
Version	1.3.4
Arm template	c3b11fb2-9201-4844-b7b9-6b7bf6d9b851.json

KQL

let threshold = 200;
_Im_Dns(responsecodename='NXDOMAIN')
| where isnotempty(DnsResponseCodeName)
//| where DnsResponseCodeName =~ "NXDOMAIN"
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
| where count_ > threshold
| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
    ) on SrcIpAddr

YAML

relevantTechniques:
- T1568
- T1008
name: Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerThreshold: 0
id: c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
tactics:
- CommandAndControl
version: 1.3.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
queryPeriod: 1h
kind: Scheduled
tags:
- version: 1.0.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
- Schema: ASIMDns
  SchemaVersion: 0.1.1
metadata:
  categories:
    domains:
    - Security - Network
  author:
    name: Yaron
  support:
    tier: Community
  source:
    kind: Community
queryFrequency: 1h
severity: Medium
description: |
  'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. 
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
query: |
  let threshold = 200;
  _Im_Dns(responsecodename='NXDOMAIN')
  | where isnotempty(DnsResponseCodeName)
  //| where DnsResponseCodeName =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
      ) on SrcIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "properties": {
        "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851",
        "customDetails": null,
        "description": "'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "displayName": "Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml",
        "query": "let threshold = 200;\n_Im_Dns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')\n    ) on SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "techniques": [
          "T1008",
          "T1568"
        ],
        "templateVersion": "1.3.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}