security-content/detections/brand_abuse_dns.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
asset_type: Endpoint
baselines:
  - id: 19f7d2ec-6028-4d01-bcdb-bda9a034c17f
    name: DNSTwist Domain Names
    type: splunk
confidence: high
creation_date: '2017-06-01'
data_metadata:
  data_models:
    - Network_Resolution
  data_source:
    - DNS
  providing_technologies:
    - Splunk Stream
    - Bro
description: This search looks for DNS requests for faux domains similar to the domains
  that you want to have monitored for abuse.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: src, query
        rule_description: The host $src$ issued a DNS request for a domain to that
          which you are monitoring for brand abuse.
        rule_title: DNS Query Brand Abuse from $src$
      risk:
        risk_object: src
        risk_object_type:
          - system
        risk_score: 40
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime
        from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")`
        | `security_content_ctime(firstTime)`| `brand_abuse_dns`'
      suppress:
        suppress_fields: src,query
        suppress_period: 14400s
eli5: This search gathers all the answers to each system's DNS query, then filters
  out all queries that do not appear on the list of faux "look-a-like" domains that
  have been generated from the brand abuse domains you are monitoring.
entities:
  - src
how_to_implement: You need to ingest data from your DNS logs. Specifically you must
  ingest the domain that is being queried and the IP of the host originating the request.
  Ideally, you should also be ingesting the answer to the query and the query type.
  This approach allows you to also create your own localized passive DNS capability
  which can aid you in future investigations. You also need to have run the search
  "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that
  will be checked for.
id: 24dd17b1-e2fb-4c31-878c-d4f746595bfa
investigations:
  - id: 910e6512-edc9-4f93-ba24-5b786f47a672
    name: Get Process Responsible For The DNS Traffic
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: None at this time
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  kill_chain_phases:
    - Delivery
    - Actions on Objectives
modification_date: '2017-09-23'
name: Monitor DNS For Brand Abuse
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'