Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)

Back
Idc3b11fb2-9201-4844-b7b9-6b7bf6d9b851
RulenameExcessive NXDOMAIN DNS Queries (ASIM DNS Schema)
DescriptionThis creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
T1008
Required data connectorsAzureFirewall
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
NXLogDnsLogs
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
Version1.3.3
Arm templatec3b11fb2-9201-4844-b7b9-6b7bf6d9b851.json
Deploy To Azure
let threshold = 200;
_Im_Dns(responsecodename='NXDOMAIN')
| where isnotempty(DnsResponseCodeName)
//| where DnsResponseCodeName =~ "NXDOMAIN"
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
| where count_ > threshold
| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
    ) on SrcIpAddr
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
queryFrequency: 1h
metadata:
  author:
    name: Yaron
  source:
    kind: Community
  categories:
    domains:
    - Security - Network
  support:
    tier: Community
triggerOperator: gt
tactics:
- CommandAndControl
description: |
  'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. 
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'  
relevantTechniques:
- T1568
- T1008
name: Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml
severity: Medium
triggerThreshold: 0
version: 1.3.3
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- version: 1.0.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
- Schema: ASIMDns
  SchemaVersion: 0.1.1
id: c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
requiredDataConnectors:
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
kind: Scheduled
query: |
  let threshold = 200;
  _Im_Dns(responsecodename='NXDOMAIN')
  | where isnotempty(DnsResponseCodeName)
  //| where DnsResponseCodeName =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
      ) on SrcIpAddr
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr  
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)",
        "description": "'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let threshold = 200;\n_Im_Dns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')\n    ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1568",
          "T1008"
        ],
        "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.3.3",
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml"
      }
    }
  ]
}