LoFP

If you are seeing more results than desired, you may consider reducing the value for `threshold` in the search. You should also periodically re-run the support search to rebuild the ML model on the latest data.

Sample rules

DNS Query Length Outliers - MLTK

Description

The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type 
| search DNS.record_type=* 
| `drop_dm_object_name(DNS)` 
| `security_content_ctime(start_time)` 
| `security_content_ctime(end_time)` 
| eval query_length = len(query) 
| apply dns_query_pdfmodel threshold=0.01 
| rename "IsOutlier(query_length)" as isOutlier 
| search isOutlier > 0 
| sort -query_length 
| table start_time end_time query record_type count src dest query_length 
| `dns_query_length_outliers___mltk_filter`
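As an added worked example (not Splunk's or MLTK's code), the Python below stands in for the fit/apply cycle behind `apply dns_query_pdfmodel threshold=0.01` and the false-positive note at the top of the page: it fits a per-record_type Gaussian on constructed historical events (an assumption for illustration; MLTK's DensityFunction fits its own density estimate and scores differently), then flags new queries whose upper-tail probability falls below the threshold, so a smaller threshold returns fewer rows.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical events (query, record_type): what the support search
# would feed to `fit` when building dns_query_pdfmodel.
TRAINING_EVENTS = [
    ("www.example.com", "A"), ("mail.example.com", "A"), ("cdn.example.net", "A"),
    ("api.example.org", "A"), ("login.example.com", "A"), ("static.example.net", "A"),
    ("example.com", "TXT"), ("_spf.example.net", "TXT"),
    ("_dmarc.example.com", "TXT"), ("selector1._domainkey.example.com", "TXT"),
]
# Constructed new events for the detection search to score with `apply`;
# the 96-character label is an artificially oversized TXT query.
NEW_EVENTS = [
    ("images.example.com", "A"), ("support.example.com", "A"),
    ("_acme-challenge.example.com", "TXT"), ("a" * 96 + ".example.com", "TXT"),
    ("mx.example.com", "MX"),  # record type never seen by the model
]

def fit_model(events):
    """Per record_type mean and std of query_length = len(query)."""
    lengths = defaultdict(list)
    for query, record_type in events:
        lengths[record_type].append(len(query))
    return {rt: (mean(v), pstdev(v)) for rt, v in lengths.items()}

def upper_tail_probability(value, mu, sigma):
    """P(X >= value) under the Gaussian fit; only oversized queries matter."""
    if sigma == 0:
        return 1.0 if value <= mu else 0.0
    return 0.5 * math.erfc((value - mu) / sigma / math.sqrt(2))

def apply_model(model, events, threshold=0.01):
    """Rows (query, record_type, query_length) whose tail probability is below
    threshold, longest first, like `search isOutlier > 0 | sort -query_length`."""
    flagged = []
    for query, record_type in events:
        if record_type not in model:  # unseen type: nothing to score, not flagged
            continue
        mu, sigma = model[record_type]
        if upper_tail_probability(len(query), mu, sigma) < threshold:
            flagged.append((query, record_type, len(query)))
    return sorted(flagged, key=lambda row: -row[2])

if __name__ == "__main__":
    model = fit_model(TRAINING_EVENTS)
    for t in (0.01, 0.001):  # a smaller threshold returns fewer results
        print(t, [row[0][:24] for row in apply_model(model, NEW_EVENTS, t)])
```

With the tiny constructed baseline, `support.example.com` is flagged at 0.01 but not at 0.001, which is the kind of benign hit the note's advice to lower `threshold` is meant to remove.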

SMB Traffic Spike - MLTK

Description

The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.

Detection logic

| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src 
| eval HourOfDay=strftime(_time, "%H") 
| eval DayOfWeek=strftime(_time, "%A") 
| `drop_dm_object_name(All_Traffic)` 
| apply smb_pdfmodel threshold=0.001 
| rename "IsOutlier(count)" as isOutlier 
| search isOutlier > 0 
| sort -count 
| table _time src dest port count 
| `smb_traffic_spike___mltk_filter`