39 строки
1.1 KiB
YAML
39 строки
1.1 KiB
YAML
id: b8266f81-2715-41a6-9062-42486cbc9c73
|
|
name: Excessive NXDOMAIN DNS Queries
|
|
description: |
|
|
'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: InfobloxNIOS
|
|
dataTypes:
|
|
- Syslog
|
|
queryFrequency: 1h
|
|
queryPeriod: 1h
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- CommandAndControl
|
|
relevantTechniques:
|
|
- T1568
|
|
- T1008
|
|
query: |
|
|
|
|
let threshold = 200;
|
|
InfobloxNIOS
|
|
| where ProcessName =~ "named" and Log_Type =~ "client"
|
|
| where isnotempty(ResponseCode)
|
|
| where ResponseCode =~ "NXDOMAIN"
|
|
| summarize count() by Client_IP, bin(TimeGenerated,15m)
|
|
| where count_ > threshold
|
|
| join kind=inner (InfobloxNIOS
|
|
| where ProcessName =~ "named" and Log_Type =~ "client"
|
|
| where isnotempty(ResponseCode)
|
|
| where ResponseCode =~ "NXDOMAIN"
|
|
) on Client_IP
|
|
| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP
|
|
entityMappings:
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
version: 1.0.0 |