Sample rules
DNS Query Length Outliers - MLTK
- source: splunk
- techniques:
- T1071.004
- T1071
Description
This search scores each DNS query name against an MLTK density model fitted per record type and returns the queries whose name length is unusually large for that record type in your environment. Long, encoded-looking names are a common sign of DNS tunnelling or data exfiltration over the DNS application-layer protocol (T1071.004).
Detection logic
| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type
| search DNS.record_type=*
| `drop_dm_object_name(DNS)`
| `security_content_ctime(start_time)`
| `security_content_ctime(end_time)`
| eval query_length = len(query)
| apply dns_query_pdfmodel threshold=0.01
| rename "IsOutlier(query_length)" as isOutlier
| search isOutlier > 0
| sort -query_length
| table start_time end_time query record_type count src dest query_length
| `dns_query_length_outliers___mltk_filter`
SMB Traffic Spike - MLTK
- source: splunk
- techniques:
- T1021.002
- T1021
Description
This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections. It counts connections to TCP 139/445 (or flows tagged as app=smb) per source host in one-hour buckets and scores each count against a density model keyed by hour of day and day of week, so a volume that is routine at 09:00 on a weekday still stands out at 02:00 or at the weekend. Such spikes can indicate lateral movement over SMB and Windows admin shares (T1021.002).
Detection logic
| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src
| eval HourOfDay=strftime(_time, "%H")
| eval DayOfWeek=strftime(_time, "%A")
| `drop_dm_object_name(All_Traffic)`
| apply smb_pdfmodel threshold=0.001
| rename "IsOutlier(count)" as isOutlier
| search isOutlier > 0
| sort -count
| table _time src dest port count
| `smb_traffic_spike___mltk_filter`
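Both rules above end the same way: apply a saved MLTK DensityFunction model, keep the rows where IsOutlier is set, sort, and pass the result through a filter macro. The Python below, added here as an example and not Splunk's own code, reproduces that logic offline for both rules on constructed data: a per-group normal density stands in for the saved model, the `eval` of query_length and of HourOfDay/DayOfWeek is mirrored, and `apply ... threshold=` becomes a two-sided tail test with total probability mass equal to the threshold. It assumes the models were fitted as `fit DensityFunction query_length by record_type` and `fit DensityFunction count by "HourOfDay,DayOfWeek"`, which the page does not show; the class, the baseline rows and the candidate rows are all constructed for the demo.

```python
"""Offline stand-in for both MLTK rules above (added example, not Splunk's code).
MLTK's DensityFunction fits a density per "by" group; `apply <model> threshold=T`
flags values in the low-probability tail of total mass T. The `fit` step is not on
the page; it is assumed here to have been
    fit DensityFunction query_length by record_type into dns_query_pdfmodel
    fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel
Each group is approximated by a normal fit; every row below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import NormalDist, mean, pstdev


class DensityOutlierModel:
    """Per-group Gaussian density; stand-in for a saved MLTK DensityFunction model."""
    def __init__(self, value_field, by_fields):
        self.value_field, self.by_fields = value_field, tuple(by_fields)
        self.params = {}  # group key -> (mean, population std)

    def fit(self, rows):
        groups = defaultdict(list)
        for r in rows:
            groups[tuple(r[f] for f in self.by_fields)].append(float(r[self.value_field]))
        self.params = {k: (mean(v), pstdev(v)) for k, v in groups.items()}
        return self

    def apply(self, rows, threshold):
        """`apply <model> threshold=T`: a two-sided tail of mass T is |z| > z_(1-T/2).
        Rows from a group unseen in training are skipped (assumption; handle them explicitly)."""
        z_cut = NormalDist().inv_cdf(1 - threshold / 2)
        scored = []
        for r in rows:
            key = tuple(r[f] for f in self.by_fields)
            if key not in self.params:
                continue
            mu, sd = self.params[key]
            x = float(r[self.value_field])
            z = abs(x - mu) / sd if sd > 0 else (0.0 if x == mu else float("inf"))
            scored.append({**r, f"IsOutlier({self.value_field})": int(z > z_cut)})
        return scored


# ---- DNS Query Length Outliers: threshold=0.01, model keyed by record_type ----
LABELS = ["a", "web", "mail", "intra", "files1", "vpn-gw2", "backup03", "sharepoint"]
TXT_PREFIXES = ["_dmarc", "_acme-challenge", "selector1._domainkey"]

def dns_baseline():  # constructed training rows: ordinary A and TXT lookups in one zone
    rows = [{"query": f"{l}{i}.corp.example.com", "record_type": "A"} for l in LABELS for i in range(5)]
    rows += [{"query": f"{p}.{l}{i}.corp.example.com", "record_type": "TXT"}
             for p in TXT_PREFIXES for l in LABELS for i in range(5)]
    return rows

DNS_CANDIDATES = [  # constructed rows to score
    {"query": "vpn-gw2.corp.example.com", "record_type": "A"},                        # ordinary
    {"query": "selector1._domainkey.intra1.corp.example.com", "record_type": "TXT"},  # long, normal for TXT
    {"query": "selector1._domainkey.intra1.corp.example.com", "record_type": "A"},    # same name, odd for A
    {"query": "3f9a1c7e5b2d8e4f6a0c9b1d2e3f4a5b6c7d8e9f0a1b.corp.example.com", "record_type": "A"},
]

def dns_outliers(threshold=0.01):
    lengths = lambda rows: [{**r, "query_length": len(r["query"])} for r in rows]  # eval query_length=len(query)
    model = DensityOutlierModel("query_length", ["record_type"]).fit(lengths(dns_baseline()))
    hits = [r for r in model.apply(lengths(DNS_CANDIDATES), threshold) if r["IsOutlier(query_length)"] > 0]
    return sorted(hits, key=lambda r: -r["query_length"])  # | search isOutlier > 0 | sort -query_length


# ---- SMB Traffic Spike: threshold=0.001, model keyed by HourOfDay, DayOfWeek ----
START = datetime(2024, 1, 1, tzinfo=timezone.utc)  # a Monday; constructed calendar
BUSY, IDLE = [37, 41, 44, 38], [2, 3, 1, 4]        # per-week hourly counts, constructed

def add_time_fields(row):  # eval HourOfDay=strftime(_time,"%H"), DayOfWeek=strftime(_time,"%A")
    t = datetime.fromtimestamp(row["_time"], tz=timezone.utc)
    return {**row, "HourOfDay": t.strftime("%H"), "DayOfWeek": t.strftime("%A")}

def smb_baseline():
    """Constructed tstats output: one host, four weeks, 02:00 and 09:00 buckets; busy at 09:00 on weekdays."""
    rows = []
    for week in range(4):
        for day in range(7):
            for hour in (2, 9):
                t = START + timedelta(weeks=week, days=day, hours=hour)
                count = BUSY[week] if (hour == 9 and day < 5) else IDLE[week]
                rows.append({"_time": int(t.timestamp()), "src": "10.0.0.5", "count": count})
    return rows

def _at(days, hours):  # epoch for the week after the baseline
    return int((START + timedelta(weeks=4, days=days, hours=hours)).timestamp())

SMB_CANDIDATES = [  # constructed rows to score; the model is keyed by time of week, not by host
    {"_time": _at(1, 9), "src": "10.0.0.5", "count": 45},  # Tuesday 09:00, inside the busy band
    {"_time": _at(1, 2), "src": "10.0.0.5", "count": 35},  # Tuesday 02:00, same volume, abnormal at night
    {"_time": _at(5, 9), "src": "10.0.0.9", "count": 45},  # Saturday 09:00, abnormal at the weekend
]

def smb_spikes(threshold=0.001):
    model = DensityOutlierModel("count", ["HourOfDay", "DayOfWeek"])
    model.fit([add_time_fields(r) for r in smb_baseline()])
    hits = [r for r in model.apply([add_time_fields(r) for r in SMB_CANDIDATES], threshold) if r["IsOutlier(count)"] > 0]
    return sorted(hits, key=lambda r: -r["count"])  # | search isOutlier > 0 | sort -count


if __name__ == "__main__":
    print(dns_outliers(), smb_spikes(), sep="\n")
```

Running it returns the two A-record queries whose length sits far outside the A baseline, one of them a name that is perfectly ordinary as a TXT lookup (which is why the model is grouped by record_type), and the two SMB hours whose counts would be routine at 09:00 on a weekday but not at 02:00 or on a Saturday. Two caveats carry over to the real rules: MLTK's DensityFunction picks the best-fitting distribution per group rather than always a normal, so scores will differ from this approximation, and the threshold (0.01 and 0.001 on this page) is the probability mass of the outlier region, that is, roughly the fraction of ordinary rows you accept being flagged; environment-specific exclusions belong in the trailing `_filter` macro of each rule, not in a looser threshold.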