Detection rules › Kusto Query Language
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1008 Fallback Channels, T1568 Dynamic Resolution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: source `_Im_Dns`
Stage 2: where `DnsResponseCodeName` is not null
Stage 3: summarize
Stage 4: where `count_` gt `threshold`
Stage 5: join
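The five stages above describe the shape of the query without showing it. The following KQL is an added illustration of that pipeline written for this page; it is not the catalog's rule text. The `_Im_Dns` parser, its `starttime` and `responsecodename` parameters, and the fields `SrcIpAddr`, `DnsQuery`, `DnsResponseCodeName` and `TimeGenerated` come from the ASIM DNS schema; the threshold value, the 1-hour lookback, the 15-minute bin, the choice to group by `SrcIpAddr`, and the per-domain inner join are assumptions chosen for the example.

```kql
// Added example of the five-stage pipeline; not the catalog's rule text.
// Assumed values: threshold, lookback window, 15-minute bin, grouping on SrcIpAddr.
let threshold = 200;               // assumed; tune to the environment's NXDOMAIN baseline
let lookback = 1h;                 // assumed query window
// Stage 1: source. _Im_Dns is the ASIM DNS unifying parser; responsecodename is one
// of its filtering parameters, so only NXDOMAIN answers are returned.
_Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
// Stage 2: where. Drop events that carry no response code at all.
| where isnotnull(DnsResponseCodeName)
// Stage 3: summarize. Count NXDOMAIN answers per client per time bin.
| summarize count() by SrcIpAddr, bin(TimeGenerated, 15m)
// Stage 4: where. Keep only clients above the threshold in a single bin.
| where count_ > threshold
// Stage 5: join. Attach the names each noisy client asked for, so an analyst can
// see whether they look algorithmically generated (T1568) or are a misconfiguration.
| join kind=inner (
    _Im_Dns(starttime=ago(lookback), responsecodename='NXDOMAIN')
    | where isnotnull(DnsResponseCodeName)
    | summarize DomainCount=count() by SrcIpAddr, DnsQuery, bin(TimeGenerated, 15m)
) on SrcIpAddr, TimeGenerated
| project TimeGenerated, SrcIpAddr, NxDomainCount=count_, DnsQuery, DomainCount
| order by NxDomainCount desc, DomainCount desc
```

Before enabling a rule of this shape, baseline `count_` per client over a few days: browsers that probe for DNS interception, hosts with a bad search-suffix list, and internal tooling that resolves many ephemeral names all produce NXDOMAIN bursts that a fixed threshold will flag. The join output is what separates those cases from tunnelling or DGA traffic: a misconfiguration repeats the same handful of names, whereas a resolution-based channel shows many distinct, short-lived names per bin.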
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| count_ | gt | threshold |