Azure-Sentinel/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml

id: c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
name: Excessive NXDOMAIN DNS Queries (Normalized DNS)
description: |
  'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. 
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)'  
severity: Medium
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1568
  - T1008
tags:
  - Id: b8266f81-2715-41a6-9062-42486cbc9c73
    version: 1.0.0
  - Schema: ASIMDns
    SchemaVersion: 0.1.1
query: |
  let threshold = 200;
  union isfuzzy=true
  (datatable(TimeGenerated:datetime)[]),
  (imDns
  | where isnotempty(DnsResponseCodeName)
  | where DnsResponseCodeName =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (imDns
      | where isnotempty(DnsResponseCodeName)
      | where DnsResponseCodeName =~ "NXDOMAIN"
      ) on SrcIpAddr
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr)  
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.1.0