it's possible that an enterprise has more than five dns servers that are configured in a round-robin rotation. please customize the search, as appropriate.

t1048.003
endpoint
splunk

Techniques

T1048.003

Sample rules

Clients Connecting to Multiple DNS Servers

source: splunk
technicques:
- T1048.003

Description

This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.

Detection logic


| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src 
| `drop_dm_object_name("Network_Resolution")` 
|where dest_count > 5 
| `clients_connecting_to_multiple_dns_servers_filter`