security-content/detections/dns_amplification_any_query.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
asset_type: DNS Servers
confidence: high
creation_date: '2016-08-24'
data_metadata:
  data_models:
    - Network_Resolution
  data_source:
    - DNS
  providing_technologies:
    - Splunk Stream
    - Bro
description: The search is used to identify attempts to use your DNS Infrastructure
  for DDoS purposes via a DNS amplification attack leveraging ANY queries.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest
        rule_description: The search is used to identify attempts to use your DNS
          Infrastructure for DDoS purposes via a DNS amplification attack leveraging
          ANY queries.
        rule_title: Large Volume of DNS ANY Queries
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 60
      schedule:
        cron_schedule: '*/5 * * * *'
        earliest_time: -15m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where
        nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest"
        | `drop_dm_object_name("DNS")` | where count>200'
      suppress:
        suppress_fields: dest
        suppress_period: 7200s
eli5: This search counts the number of DNS ANY queries received in 5 minutes, and
  generates a Notable Event if the count exceeds a predefined threshold. The search
  returns the count, the first time, and the last time a DNS packet was observed with
  the ANY flag set.
entities:
  - dest
how_to_implement: To successfully implement this search you must ensure that DNS data
  is populating the Network_Resolution data model.
id: 8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb
investigations:
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
known_false_positives: Legitimate ANY requests may trigger this search, however it
  is unusual to see a large volume of them under typical circumstances. You may modify
  the threshold in the search to better suit your environment.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 11
    - CIS 12
  kill_chain_phases:
    - Actions on Objectives
  nist:
    - PR.PT
    - DE.AE
    - PR.IP
modification_date: '2017-09-20'
name: Large Volume of DNS ANY Queries
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'