Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.

Techniques

Sample rules

DNS Query Requests Resolved by Unauthorized DNS Servers

Description

This search detects DNS requests that were resolved by DNS servers other than the authorized ones. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework, since the search relies on the dns_server category assigned there to tell authorized resolvers apart from everything else.

Detection logic

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest
| `drop_dm_object_name("DNS")`
| `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`
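The following is an added example, not part of the original page or of the Splunk security content project, that reproduces the detection logic above in plain Python so the categorisation behaviour can be checked offline. The records in SAMPLE_DNS_EVENTS are constructed and only mimic the Network_Resolution data-model fields the search uses (src, dest, src_category, dest_category); the function names and the AUTHORIZED_CATEGORY constant are assumptions for illustration. It also surfaces the tuning caveat behind the false-positive note: a record whose category field is missing never satisfies a `!=` comparison in the search language, so uncategorised endpoints silently drop out of the results until the asset list is updated.

```python
from collections import Counter

# Constructed sample records shaped like Network_Resolution data-model events
# after `drop_dm_object_name("DNS")`. Not real data; assumed for illustration.
SAMPLE_DNS_EVENTS = [
    {"src": "10.0.0.5", "dest": "10.0.0.53", "src_category": "workstation", "dest_category": "dns_server"},
    {"src": "10.0.0.5", "dest": "8.8.8.8", "src_category": "workstation", "dest_category": "external"},
    {"src": "10.0.0.5", "dest": "8.8.8.8", "src_category": "workstation", "dest_category": "external"},
    {"src": "10.0.0.53", "dest": "1.1.1.1", "src_category": "dns_server", "dest_category": "external"},
    {"src": "10.0.0.7", "dest": "192.168.1.1", "src_category": "workstation"},  # dest not categorised
    {"src": "10.0.0.9", "dest": "9.9.9.9", "src_category": "server", "dest_category": "external"},
]

# Category the search expects the Assets and Identity Framework to assign to
# authorised resolvers (taken from the tstats where-clause above).
AUTHORIZED_CATEGORY = "dns_server"


def _not_equal(record, field, value):
    """Mirror the search-language `field != value`: a record that lacks the
    field does not match, so it is excluded rather than treated as unequal."""
    return field in record and record[field] != value


def unauthorized_resolvers(events):
    """Equivalent of the tstats search: count events per (src, dest) pair where
    neither endpoint carries the dns_server category."""
    counts = Counter()
    for ev in events:
        if (_not_equal(ev, "dest_category", AUTHORIZED_CATEGORY)
                and _not_equal(ev, "src_category", AUTHORIZED_CATEGORY)):
            counts[(ev["src"], ev["dest"])] += 1
    return dict(counts)


def uncategorized_endpoints(events):
    """Events the `!=` comparisons silently drop because a category field is
    absent. Review these when tuning the authorised DNS server list, since a
    missing category hides the event instead of flagging it."""
    return [ev for ev in events
            if "src_category" not in ev or "dest_category" not in ev]


def apply_allowlist(results, allowed_dests):
    """Stand-in for the `_filter` macro: drop pairs whose destination has been
    verified as a legitimate resolver but not yet categorised in the framework."""
    return {pair: n for pair, n in results.items() if pair[1] not in allowed_dests}


if __name__ == "__main__":
    hits = unauthorized_resolvers(SAMPLE_DNS_EVENTS)
    for (src, dest), n in sorted(hits.items()):
        print(f"{src} -> {dest}: {n} request(s) resolved outside dns_server category")
    print("events hidden by missing categories:", uncategorized_endpoints(SAMPLE_DNS_EVENTS))
    print("after allowlisting 9.9.9.9:", apply_allowlist(hits, {"9.9.9.9"}))
```

Running the block reports 10.0.0.5 querying 8.8.8.8 twice and 10.0.0.9 querying 9.9.9.9 once, while the 10.0.0.7 event is listed separately as hidden rather than appearing in either bucket; the allowlist call shows how verified resolvers are tuned out of the results once they have been confirmed, which is the action the false-positive note asks for.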