Detecting DNS Exfiltration

ksremo · September 27, 2021, 2:21pm

Hello,
we ingest dns logs into Elasticsearch.
the format is
domain -> whole domain -> deeper.cdn.example.com
domain1 -> com
domain2 -> example
domain3 -> cdn
domain4 -> deeper

Now we want to create a siem detection alert if a unusual amount of (sub-)subdomains for a main (sub)domain is resolved.

Example:
6346436.evil.c2control.com
3523.evil.c2control.com
3524677.evil.c2control.com
352557.evil.c2control.com
436246463.evil.c2control.com

This should work on all level except for the first (x.com,y,com,and so on).

Any best practice for this usecase?
thanks

legoguy1000 · September 27, 2021, 2:47pm

See Security anomaly detection configurations | Machine Learning in the Elastic Stack [7.15] | Elastic for some built in options

system · October 25, 2021, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNS Check Malware SIEM	9	667	August 3, 2020
Security Analytics Recipes - DNS Data Exfiltration Elasticsearch elastic-stack-machine-learning	11	1680	May 8, 2020
SIEM can't detect DNS activity to Internet SIEM	21	1411	July 15, 2020
[ URLHaus threat intelligence ]: create a new rule SIEM elastic-stack-alerting	18	1553	February 16, 2021
Elastic Security - Host No longer logging Alert SIEM	1	299	August 31, 2023

Detecting DNS Exfiltration

Related topics