LoFP: legitimate ANY requests may trigger this search; however, it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.

Techniques

Sample rules

Large Volume of DNS ANY Queries

Description

This search identifies attempts to use your DNS infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries, by looking for DNS servers that receive an unusually large volume of ANY queries.

Detection logic

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest"
| `drop_dm_object_name("DNS")`
| where count>200
| `large_volume_of_dns_any_queries_filter`
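As an added illustration, not part of the LoFP page or of the Splunk security content project, the Python below reproduces the logic of the search outside Splunk: count QUERY messages with record type ANY per destination DNS server, then keep only destinations above a threshold. It runs over constructed key=value log lines whose field names (message_type, record_type, dest) are assumed to mirror the Network_Resolution data model fields the search filters on; the sample traffic is fabricated for the demonstration, and the threshold is a parameter so the tuning the false-positive note recommends can be tried offline.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Same cutoff as `where count>200` in the SPL search; tune per environment.
DEFAULT_THRESHOLD = 200


def build_sample_logs() -> List[str]:
    """Constructed sample log lines (not captured traffic).

    The key=value layout and field names are an assumption chosen to mirror
    the Network_Resolution fields used by the search: message_type,
    record_type and dest.
    """
    lines: List[str] = []
    # 250 ANY queries to one DNS server: above the default threshold.
    lines += [
        f"message_type=QUERY record_type=ANY src=192.0.2.{i % 254 + 1} dest=10.0.0.53"
        for i in range(250)
    ]
    # 50 ANY queries to a second server: the low, legitimate-looking volume
    # the LoFP note describes.
    lines += [
        f"message_type=QUERY record_type=ANY src=198.51.100.{i % 254 + 1} dest=10.0.0.54"
        for i in range(50)
    ]
    # Noise the search must ignore: A-record queries and ANY responses.
    lines += [
        f"message_type=QUERY record_type=A src=192.0.2.{i % 254 + 1} dest=10.0.0.53"
        for i in range(300)
    ]
    lines += [
        "message_type=RESPONSE record_type=ANY src=10.0.0.53 dest=192.0.2.9"
        for _ in range(300)
    ]
    return lines


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a field dictionary; bare tokens are dropped."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def count_any_queries(lines: Iterable[str]) -> Counter:
    """Equivalent of the tstats clause: count message_type=QUERY events with
    record_type=ANY, grouped by dest."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("message_type") == "QUERY" and f.get("record_type") == "ANY" and "dest" in f:
            counts[f["dest"]] += 1
    return counts


def flag_servers(counts: Counter, threshold: int = DEFAULT_THRESHOLD) -> Dict[str, int]:
    """Equivalent of `where count>threshold`: destinations whose ANY-query
    count strictly exceeds the threshold."""
    return {dest: n for dest, n in counts.items() if n > threshold}


if __name__ == "__main__":
    counts = count_any_queries(build_sample_logs())
    print("ANY queries per DNS server:", dict(counts))
    print("flagged at the default threshold:", flag_servers(counts))
    # Lowering the threshold surfaces the second server as well, which is the
    # kind of false positive the LoFP note warns about.
    print("flagged at a threshold of 40:", flag_servers(counts, threshold=40))
```

With the constructed data only 10.0.0.53 is flagged at the default threshold; dropping the threshold to 40 also flags 10.0.0.54, whose 50 ANY queries are the sort of legitimate low-volume traffic the note says should not alert.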