Unusual DNS Activity
editUnusual DNS Activity
editA machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.
Rule type: machine_learning
Machine learning job: packetbeat_rare_dns_question
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- ML
- Command and Control
Version: 5 (version history)
Added (Elastic Stack release): 7.7.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editA newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert. ==== Threat mapping
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/
Rule version history
edit- Version 5 (8.4.0 release)
-
- Formatting only
- Version 4 (7.12.0 release)
-
- Formatting only
- Version 3 (7.10.0 release)
-
- Formatting only
- Version 2 (7.9.0 release)
-
- Formatting only