forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathdns_query_length_with_high_standard_deviation.yml
More file actions
112 lines (112 loc) · 3.64 KB
/
dns_query_length_with_high_standard_deviation.yml
File metadata and controls
112 lines (112 loc) · 3.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
asset_type: Endpoint
confidence: medium
creation_date: '2016-09-13'
data_metadata:
data_models:
- Network_Resolution
data_source:
- DNS
providing_technologies:
- Splunk Stream
- Bro
description: This search allows you to identify DNS requests and compute the standard
deviation on the length of the names being resolved, then filter on two times the
standard deviation to show you those queries that are unusually large for your environment.
detect:
splunk:
correlation_rule:
notable:
nes_fields: src
rule_description: Filter DNS requests and compute the standard deviation then
filter on 2 times the standard deviation
rule_title: DNS query length with high standard deviation
risk:
risk_object: src
risk_object_type:
- system
risk_score: 40
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by
DNS.query DNS.record_type | `drop_dm_object_name("DNS")` | eval query_length
= len(query) | table query query_length record_type count | eventstats stdev(query_length)
AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2)
| eval z_score=(query_length-avg)/stdev'
suppress:
suppress_fields: query
suppress_period: 43200s
eli5: Attackers often use random, long domain names for their attack infrastructure.
This search looks at all the queries observed over the search time frame, and identifies
any domains being resolved with names that are greater that 2 times the standard
deviation.
entities:
- src
how_to_implement: To successfully implement this search, you will need to ensure that
DNS data is populating the Network_Resolution data model.
id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5
investigations:
- id: 910e6512-edc9-4f93-ba24-5b786f47a672
name: Get Process Responsible For The DNS Traffic
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd73
name: Get DNS traffic ratio
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd72
name: Get DNS Server History for a host
type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
name: Get Parent Process Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
name: Get Process Info
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
name: Get Notable Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
known_false_positives: It's possible there can be long domain names that are legitimate.
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
mappings:
cis20:
- CIS 8
- CIS 12
kill_chain_phases:
- Command and Control
mitre_attack:
- Command and Control
- Exfiltration
- Commonly Used Port
nist:
- PR.PT
- DE.AE
- DE.CM
modification_date: '2017-09-18'
name: DNS Query Length With High Standard Deviation
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
references: []
security_domain: network
spec_version: 2
type: splunk
version: '2.0'