Detecting DNS Exfiltration

We ingest DNS logs into Elasticsearch. The format is:

    domain  -> whole domain
    domain1 -> com
    domain2 -> example
    domain3 -> cdn
    domain4 -> deeper

Now we want to create a SIEM detection alert if an unusual number of (sub-)subdomains for a main (sub)domain is resolved.

This should work on all levels except for the first (,y,com, and so on).

Any best practice for this use case?
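One way to express the check the question asks for, as an added example that is not from the thread: for every record, pair each parent domain (from the registered name upwards, so the TLD level is never a parent) with its direct child label, count distinct children per parent, and flag parents above a threshold. The field names domain1..domainN follow the layout described in the question; the sample records, the threshold and the parent depth limit are constructed assumptions.

```python
"""Distinct-child-label counting per parent domain, as a detection for
subdomain fan-out (the pattern DNS tunnelling and exfiltration produce).
Added example; field layout domain1..domainN is the one the question
describes, sample records and threshold are constructed."""
from collections import defaultdict

# Constructed sample DNS log records in the question's field layout:
# domain1 = TLD, domain2 = registered name, domain3+ = subdomain labels.
SAMPLE_LOGS = [
    {"domain1": "com", "domain2": "example", "domain3": "cdn", "domain4": "deeper"},
    {"domain1": "com", "domain2": "example", "domain3": "www"},
    {"domain1": "com", "domain2": "example", "domain3": "mail"},
    {"domain1": "com", "domain2": "example"},  # bare registered name, no child
    # Many distinct labels under one parent is what the alert should catch.
    *[{"domain1": "net", "domain2": "suspect-tunnel", "domain3": f"chunk{i:04x}"}
      for i in range(40)],
]


def parent_child_pairs(record, max_levels=10):
    """Yield (parent_domain, child_label) for every level below the TLD.

    Level 1 (the TLD) is never treated as a parent, matching the question's
    exclusion of the first level. max_levels is an assumed upper bound on
    how many domainN fields a record can carry.
    """
    labels = []
    for i in range(1, max_levels + 1):
        value = record.get(f"domain{i}")
        if not value:
            break
        labels.append(value)
    # labels[0] is the TLD; parents start at labels[1] (registered name).
    for i in range(1, len(labels) - 1):
        parent = ".".join(reversed(labels[: i + 1]))  # e.g. "example.com"
        child = labels[i + 1]                         # e.g. "cdn"
        yield parent, child


def count_distinct_children(records):
    """Return {parent_domain: number_of_distinct_direct_child_labels}."""
    children = defaultdict(set)
    for record in records:
        for parent, child in parent_child_pairs(record):
            children[parent].add(child)
    return {parent: len(labels) for parent, labels in children.items()}


def find_anomalies(records, threshold=20):
    """Parents whose distinct-child count exceeds the (assumed) threshold."""
    counts = count_distinct_children(records)
    return {p: n for p, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for parent, n in sorted(count_distinct_children(SAMPLE_LOGS).items()):
        print(f"{parent:25s} distinct children: {n}")
    print("alert:", find_anomalies(SAMPLE_LOGS))
```

In practice this runs over a time window rather than the whole index, and the same logic maps onto Elasticsearch aggregations: a terms aggregation keyed on the parent domain with a cardinality sub-aggregation on the child label, or a threshold rule on that cardinality. A fixed threshold is a starting point; large CDN and cloud parents legitimately have hundreds of distinct children, so a per-parent baseline (or the anomaly detection jobs linked in the reply) is what keeps the alert from firing on them.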

See "Security anomaly detection configurations | Machine Learning in the Elastic Stack [7.15] | Elastic" for some built-in options.
