Detection rules › Splunk
DNS Query Length With High Standard Deviation
The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT DNS.record_type IN ("PTR", "Pointer", "SOA", "SRV") DNS.query!="*." BY DNS.answer, DNS.answer_count, DNS.query, DNS.query_count, DNS.reply_code_id, DNS.src, DNS.vendor_product, DNS.dest, DNS.record_type
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: eval
eval ... using (query)
Stage 6: eval
eval ... using (tlds)
Stage 7: eval
eval ... using (tld)
Stage 8: search
search tld_len<=20
Stage 9: eval
eval ... using (query)
Stage 10: table
table count, dest, firstTime, lastTime, query, query_length, record_type, src
Stage 11: eventstats
eventstats avg(query_length) AS avg, avg(query_length) AS p50
Stage 12: where
where query_length>
Stage 13: eval
eval ... using (avg, query_length, stdev)
Stage 14: stats
stats BY src
Stage 15: search
search `macro`
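To make the staged logic concrete, the following Python prototype is an added example (not the page's SPL and not Splunk's own code) that replays stages 1 to 14 over a handful of constructed DNS events. Two assumptions are labelled in the code: stage 12, which is truncated above, is read as `query_length > avg + 2*stdev` (the description's "two times the standard deviation" combined with the fields stage 13 uses), and stages 5 to 7 are read as extracting the last DNS label as `tld`. The events, hosts and domain names are all constructed for the demonstration.

```python
"""Prototype of the stdev-based long-DNS-query detector staged above.

Added example, not the page's SPL. Sample events are constructed and loosely
follow the Network_Resolution data model fields named in the tstats stage.
"""
import statistics
from collections import defaultdict

EXCLUDED_RECORD_TYPES = {"PTR", "Pointer", "SOA", "SRV"}  # stage 1: NOT record_type IN (...)
MAX_TLD_LEN = 20                                          # stage 8: search tld_len<=20
STDEV_MULTIPLIER = 2.0   # assumption: truncated stage 12 is query_length > avg + 2*stdev

# Constructed sample events (not real telemetry); "time" is epoch seconds.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "www.example.com",     "record_type": "A", "time": 1000},
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "mail.example.com",    "record_type": "A", "time": 1010},
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "cdn.example.org",     "record_type": "A", "time": 1020},
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "api.internal.corp",   "record_type": "A", "time": 1030},
    {"src": "10.0.0.7", "dest": "10.0.0.2", "query": "update.vendor.net",   "record_type": "A", "time": 1040},
    {"src": "10.0.0.7", "dest": "10.0.0.2", "query": "login.example.com",   "record_type": "A", "time": 1050},
    {"src": "10.0.0.7", "dest": "10.0.0.2", "query": "static.example.org",  "record_type": "A", "time": 1060},
    {"src": "10.0.0.7", "dest": "10.0.0.2", "query": "time.example.net",    "record_type": "A", "time": 1070},
    {"src": "10.0.0.9", "dest": "10.0.0.2", "query": "repo.vendor.net",     "record_type": "A", "time": 1080},
    {"src": "10.0.0.9", "dest": "10.0.0.2", "query": "files.internal.corp", "record_type": "A", "time": 1090},
    {"src": "10.0.0.9", "dest": "10.0.0.2", "query": "ntp.example.org",     "record_type": "A", "time": 1100},
    {"src": "10.0.0.9", "dest": "10.0.0.2", "query": "img.example.com",     "record_type": "A", "time": 1110},
    # the outlier: a 64-character base32-alphabet label in front of a normal domain
    {"src": "10.0.0.9", "dest": "10.0.0.2",
     "query": "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwxyz234567.exfil.example.net",
     "record_type": "TXT", "time": 1120},
    # rows the early stages must drop: PTR lookup, query ending in ".", over-long last label
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "5.0.0.10.in-addr.arpa", "record_type": "PTR", "time": 1130},
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "example.com.",          "record_type": "A",   "time": 1140},
    {"src": "10.0.0.7", "dest": "10.0.0.2", "query": "host.thisisaverylongtoplevellabelxx", "record_type": "A", "time": 1150},
    # repeat lookup, to show the tstats-style aggregation producing count=2
    {"src": "10.0.0.5", "dest": "10.0.0.2", "query": "www.example.com",     "record_type": "A", "time": 1160},
]


def build_rows(events):
    """Stages 1-10: filter, derive tld and query_length, aggregate BY src, dest, query, record_type."""
    groups = {}
    for ev in events:
        q = ev["query"]
        if ev["record_type"] in EXCLUDED_RECORD_TYPES:   # stage 1: NOT DNS.record_type IN (...)
            continue
        if q.endswith("."):                              # stage 1: DNS.query!="*."
            continue
        tld = q.split(".")[-1]                           # stages 5-7 (assumed): last label
        if len(tld) > MAX_TLD_LEN:                       # stage 8: tld_len<=20
            continue
        key = (ev["src"], ev["dest"], q, ev["record_type"])
        row = groups.setdefault(key, {
            "src": ev["src"], "dest": ev["dest"], "query": q, "record_type": ev["record_type"],
            "count": 0, "firstTime": ev["time"], "lastTime": ev["time"],
            "query_length": len(q),                      # stage 9
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["time"])
        row["lastTime"] = max(row["lastTime"], ev["time"])
    return list(groups.values())                         # stage 10 column set


def flag_outliers(rows, k=STDEV_MULTIPLIER):
    """Stages 11-13: one avg/stdev over every row (eventstats), keep rows above avg + k*stdev."""
    if len(rows) < 2:
        return []                       # sample stdev is undefined on a single row
    lengths = [r["query_length"] for r in rows]
    avg = statistics.mean(lengths)
    stdev = statistics.stdev(lengths)   # sample stdev, as Splunk's stdev() computes
    if stdev == 0:
        return []                       # all queries the same length: nothing is an outlier
    flagged = []
    for r in rows:
        if r["query_length"] > avg + k * stdev:            # stage 12 (assumed threshold)
            flagged.append({**r, "avg": avg, "stdev": stdev,
                            "z_score": (r["query_length"] - avg) / stdev})  # stage 13
    return flagged


def summarize_by_src(flagged):
    """Stage 14: stats BY src (lookups, queries seen, strongest z-score)."""
    by_src = defaultdict(lambda: {"count": 0, "queries": [], "max_z": 0.0})
    for r in flagged:
        s = by_src[r["src"]]
        s["count"] += r["count"]
        s["queries"].append(r["query"])
        s["max_z"] = max(s["max_z"], r["z_score"])
    return dict(by_src)


def run(events=SAMPLE_EVENTS, k=STDEV_MULTIPLIER):
    return summarize_by_src(flag_outliers(build_rows(events), k))


if __name__ == "__main__":
    for src, s in run().items():
        print(f"{src}: {s['count']} lookup(s), max z={s['max_z']:.2f}, {s['queries']}")
```

On the constructed sample the 82-character TXT query is the only row above the threshold (roughly 3.3 standard deviations above the mean), while the PTR lookup, the query ending in a dot and the query with a 30-character last label never reach the statistics at all. Because the baseline is computed over every row in the search window, a host that issues many long queries raises the mean and standard deviation and can push itself back under the threshold, which is one reason to tune the window size and to watch the p50 the eventstats stage also carries.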
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | dns.answers.type | in | "PTR", "Pointer", "SOA", "SRV" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DNS.query | ne | "*." |
| tld_len | le | 20 |