Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)
This rule creates an alert when multiple clients report errors for the same DNS query. This helps identify possible similar C2 communications originating from different clients. It uses ASIM normalization and applies to any source that supports the ASIM DNS schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1008 Fallback Channels, T1568 Dynamic Resolution, T1573 Encrypted Channel |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: source
_Im_Dns
Stage 2: where
EventResultDetails match "errors"
Stage 3: summarize
Stage 4: where
macro "(array_length(SrcIPs) >= threshold)"
Stage 5: extend
Stage 6: extend
Stage 7: mv-expand
Stage 8: extend
Stage 9: mv-expand
Stage 10: extend
Stage 11: mv-expand
Stage 12: extend
Stage 13: extend
Stage 14: summarize
Stage 15: extend
Stage 16: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventResultDetails | match | errors |