dns_record_changed.yml (forked from splunk/security_content)
asset_type: Endpoint
baselines:
- id: c096f721-8842-42ce-bfc7-74bd8c72b7c3
  name: Discover DNS records
  type: splunk
confidence: medium
creation_date: '2019-02-14'
data_metadata:
  data_models:
  - Network_Resolution
  data_source:
  - DNS
  providing_technologies:
  - Splunk Stream
  - Bro
description: The search takes the DNS records and their known answers from the discovered_dns_records
  lookup and reports any record whose answer has changed, by comparing the lookup against the DNS
  responses in the Network_Resolution data model for the scheduled search window (hourly by default).
detect:
  splunk:
    correlation_rule:
      lookups:
      - discovered_dns_records
      macros:
      - dns_record_changed_output_filter
      notable:
        nes_fields: src
        rule_description: The table represents a list of DNS records and their responses
          for corporate domains that have recently changed
        rule_title: DNS record changed
      risk:
        risk_object: src
        risk_object_type:
        - system
        risk_score: 40
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| inputlookup discovered_dns_records.csv | rename answer as discovered_answer
        | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as
        type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution
        where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query
        | rename DNS.query as query | where query!="unknown" | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)"]
        | makemv delim=" " discovered_answer | makemv delim=" " type | sort -count
        | table count,src,domain,type,query,current_answer,discovered_answer
        | makemv current_answer | mvexpand current_answer | makemv discovered_answer
        | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_output_filter`'
      suppress:
        suppress_fields: src
        suppress_period: 28800s
eli5: Using the `discovered_dns_records` lookup generated by the support search "Discover
  DNS records", we check recent DNS response traffic and make sure the answers for known
  domains have not changed.
entities:
- src
- dest
how_to_implement: |
  To successfully implement this search you will need to ensure that DNS data is
  populating the `Network_Resolution` data model. It also requires that the
  `discovered_dns_records` lookup table be populated by the included support search
  "Discover DNS records".

  **Splunk>Phantom Playbook Integration**

  If Splunk>Phantom is also configured in your environment, a Playbook called
  "DNS Hijack Enrichment" can be configured to run when any results are found by this
  detection search. The playbook takes in the changed DNS record and uses Geoip, whois,
  Censys and PassiveTotal to detect whether the DNS issuer has changed. To use this
  integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`,
  add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions
  when configuring this detection search, and set the corresponding Playbook to active.
  (Playbook Link: `https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)
id: 44d3a43e-dcd5-49f7-8356-5209bb369065
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd72
  name: Get DNS Server History for a host
  type: splunk
- id: c096f721-8842-42ce-bfc7-74bd9a72c712
  name: DNS Hijack Enrichment
  type: phantom
known_false_positives: Legitimate DNS changes will also be detected by this search. Investigate,
  verify, and update the list of known answers for the domains in question as appropriate.
maintainers:
- company: Splunk
  email: jhernandez@splunk.com
  name: Jose Hernandez
mappings:
  cis20:
  - CIS 1
  - CIS 3
  - CIS 8
  - CIS 12
  kill_chain_phases:
  - Command and Control
  mitre_attack:
  - Exfiltration
  - Command and Control
  - Defense Evasion
  nist:
  - ID.AM
  - PR.DS
  - PR.IP
  - DE.AE
  - DE.CM
modification_date: '2020-01-16'
name: DNS record changed
original_authors:
- company: Splunk
  email: jhernandez@splunk.com
  name: Jose Hernandez
responses: []
security_domain: network
spec_version: 2
type: splunk
version: '2.0'
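The comparison that the `search` field above performs (baseline lookup joined to recent DNS responses on the two-label domain, one row per current answer, keep the answers that `mvfind` cannot locate in the baseline) is easier to reason about outside SPL. The following is an added example, not code from splunk/security_content: it reimplements that logic in Python over constructed data. The baseline CSV and the response events are made up for the example; their field names mirror the `discovered_dns_records` lookup and the `Network_Resolution` data model fields the search uses, and the domain regex is the one the search applies with `rex`.

```python
# Added example (not from splunk/security_content): the comparison performed by the
# "DNS record changed" search, re-implemented in Python over constructed data so the
# join / mvexpand / mvfind steps can be run and inspected offline.
import csv
import io
import re
from collections import defaultdict

# Constructed stand-in for the discovered_dns_records.csv lookup. As in the lookup
# the search consumes, each row holds a domain and a space-delimited list of its
# known answers (the SPL splits that list with makemv).
DISCOVERED_DNS_RECORDS_CSV = """domain,answer
example.com,93.184.216.34 2606:2800:220:1:248:1893:25c8:1946
corp.local,10.0.0.5 10.0.0.6
"""

# Constructed DNS RESPONSE events, standing in for Network_Resolution rows
# (field names as in the data model, without the DNS. prefix).
SAMPLE_DNS_RESPONSES = [
    {"query": "example.com",     "record_type": "A", "answer": "93.184.216.34", "src": "10.1.1.20"},
    {"query": "www.example.com", "record_type": "A", "answer": "203.0.113.99",  "src": "10.1.1.21"},
    {"query": "corp.local",      "record_type": "A", "answer": "10.0.0.5",      "src": "10.1.1.22"},
    {"query": "corp.local",      "record_type": "A", "answer": "unknown",       "src": "10.1.1.22"},
    {"query": "unknown",         "record_type": "A", "answer": "192.0.2.9",     "src": "10.1.1.23"},
    {"query": "other.net",       "record_type": "A", "answer": "198.51.100.7",  "src": "10.1.1.24"},
]

# The same pattern the search applies with rex: the last two labels of the query,
# so a subdomain is compared against the baseline row of its two-label parent.
DOMAIN_RE = re.compile(r"(?P<domain>\w+\.\w+?)(?:$|/)")


def load_baseline(csv_text):
    """inputlookup + rename answer as discovered_answer + makemv: domain -> set of answers."""
    baseline = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        baseline[row["domain"]] = set(row["answer"].split())
    return baseline


def extract_domain(query):
    """rex field=query: the two-label domain, or None when the query has no dot."""
    match = DOMAIN_RE.search(query)
    return match.group("domain") if match else None


def summarise_responses(events):
    """The tstats subsearch: per query, count plus the values() of record type,
    answer and src, after dropping empty/unknown answers and the 'unknown' query."""
    per_query = defaultdict(lambda: {"count": 0, "type": set(), "current_answer": set(), "src": set()})
    for ev in events:
        if ev["answer"] in ("", "unknown") or ev["query"] == "unknown":
            continue
        agg = per_query[ev["query"]]
        agg["count"] += 1
        agg["type"].add(ev["record_type"])
        agg["current_answer"].add(ev["answer"])
        agg["src"].add(ev["src"])
    return per_query


def dns_record_changed(baseline, events):
    """join on domain, mvexpand current_answer, keep rows where mvfind() finds no
    match in discovered_answer. Returns one result dict per changed answer."""
    results = []
    for query, agg in summarise_responses(events).items():
        domain = extract_domain(query)
        if domain is None or domain not in baseline:
            continue  # inner join: queries with no baseline row are dropped, not alerted
        for answer in sorted(agg["current_answer"]):  # mvexpand current_answer
            if answer in baseline[domain]:            # mvfind() found it, n is not null
                continue
            results.append({
                "count": agg["count"],
                "src": sorted(agg["src"]),
                "domain": domain,
                "type": sorted(agg["type"]),
                "query": query,
                "current_answer": answer,
                "discovered_answer": sorted(baseline[domain]),
            })
    return sorted(results, key=lambda r: -r["count"])  # sort -count


if __name__ == "__main__":
    for row in dns_record_changed(load_baseline(DISCOVERED_DNS_RECORDS_CSV), SAMPLE_DNS_RESPONSES):
        print(row)
```

On the constructed data only `www.example.com` is reported: its answer `203.0.113.99` is not among the baseline answers for `example.com`, while `corp.local` still resolves to a known address and `other.net` has no baseline row and so is silently dropped by the inner join, exactly as in the SPL. Two caveats visible in the search itself carry over: the `rex` pattern keeps only the last two labels, so a query such as `example.co.uk` is joined on `co.uk` rather than its registrable domain; and SPL's `join` uses `max=1` by default, so when several queries map to the same baseline domain only the first subsearch row is joined, whereas this Python version compares every query. Tune the baseline and the `dns_record_changed_output_filter` macro with that in mind.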