Hello,
We ingest DNS logs into Elasticsearch.
The format is:
domain -> whole domain -> deeper.cdn.example.com
domain1 -> com
domain2 -> example
domain3 -> cdn
domain4 -> deeper
Now we want to create a SIEM detection alert if an unusual amount of (sub-)subdomains for a main (sub)domain is resolved.
Example:
6346436.evil.c2control.com
3523.evil.c2control.com
3524677.evil.c2control.com
352557.evil.c2control.com
436246463.evil.c2control.com
This should work on all levels except for the first (x.com, y.com, and so on).
Any best practice for this use case?
thanks
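As an added illustration of the detection logic asked about above (not code from the original post), the following Python counts distinct immediate child labels per parent domain across all levels except the TLD, and flags parents above an assumed threshold. The per-label fields domain1..domainN mirror the described ingest format; the sample queries are constructed.

```python
from collections import defaultdict

def split_labels(fqdn):
    """Return the per-label fields as the ingest format stores them:
    domain1 is the TLD, domain2 the registered name, and so on."""
    labels = fqdn.lower().rstrip(".").split(".")
    return {f"domain{i}": lab for i, lab in enumerate(reversed(labels), start=1)}

def distinct_children(records):
    """Map each parent domain (two or more labels) to the set of distinct
    immediate child labels seen beneath it. The TLD level (domain1) is
    skipped on purpose, so 'com' never becomes a parent."""
    children = defaultdict(set)
    for rec in records:
        labels, i = [], 1
        while f"domain{i}" in rec:
            labels.append(rec[f"domain{i}"])
            i += 1
        # labels[0] is the TLD; a parent must consist of at least two labels
        for depth in range(2, len(labels)):
            parent = ".".join(reversed(labels[:depth]))
            children[parent].add(labels[depth])
    return children

def noisy_parents(records, threshold):
    """Return {parent: count} for parents with more than `threshold`
    distinct child labels. `threshold` is an assumed tuning knob."""
    return {p: len(c) for p, c in distinct_children(records).items()
            if len(c) > threshold}

# Constructed sample: the post's example names plus some benign lookups.
SAMPLE_QUERIES = [
    "6346436.evil.c2control.com", "3523.evil.c2control.com",
    "3524677.evil.c2control.com", "352557.evil.c2control.com",
    "436246463.evil.c2control.com",
    "www.example.com", "cdn.example.com", "deeper.cdn.example.com",
    "www.example.com",
]
SAMPLE_RECORDS = [dict(domain=q, **split_labels(q)) for q in SAMPLE_QUERIES]

if __name__ == "__main__":
    for parent, n in noisy_parents(SAMPLE_RECORDS, threshold=3).items():
        print(f"ALERT: {n} distinct subdomains under {parent}")
```

In a real deployment the same grouping would run per time window (e.g. a terms aggregation with a cardinality sub-aggregation), and a baseline per parent is needed so large legitimate CDNs do not alert.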