Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Back


Id	c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
Rulename	Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
Description	This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
Severity	Medium
Tactics	CommandAndControl
Techniques	T1568 T1008
Required data connectors	AzureFirewall CiscoUmbrellaDataConnector Corelight DNS GCPDNSDataConnector InfobloxNIOS NXLogDnsLogs Zscaler
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
Version	1.3.4
Arm template	c3b11fb2-9201-4844-b7b9-6b7bf6d9b851.json

KQL

let threshold = 200;
_Im_Dns(responsecodename='NXDOMAIN')
| where isnotempty(DnsResponseCodeName)
//| where DnsResponseCodeName =~ "NXDOMAIN"
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
| where count_ > threshold
| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
    ) on SrcIpAddr

YAML

query: |
  let threshold = 200;
  _Im_Dns(responsecodename='NXDOMAIN')
  | where isnotempty(DnsResponseCodeName)
  //| where DnsResponseCodeName =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
      ) on SrcIpAddr  
description: |
  'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. 
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
id: c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
requiredDataConnectors:
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
name: Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
kind: Scheduled
triggerOperator: gt
relevantTechniques:
- T1568
- T1008
version: 1.3.4
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Network
  source:
    kind: Community
  author:
    name: Yaron
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
  version: 1.0.0
- Schema: ASIMDns
  SchemaVersion: 0.1.1
queryFrequency: 1h
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
tactics:
- CommandAndControl
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "properties": {
        "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851",
        "customDetails": null,
        "description": "'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "displayName": "Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml",
        "query": "let threshold = 200;\n_Im_Dns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')\n    ) on SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "techniques": [
          "T1008",
          "T1568"
        ],
        "templateVersion": "1.3.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}