Excessive DNS Failures

Description

This search identifies DNS query failures by counting the number of DNS responses whose reply code does not indicate success, and triggers when more than 50 such responses are observed within the search time frame.


Use Case

Advanced Threat Detection

Category

Command and Control

Alert Volume

Medium

Journey

Stage 4

MITRE ATT&CK Tactics

Exfiltration
Command and Control

MITRE ATT&CK Techniques

Exfiltration Over Alternative Protocol
Commonly Used Port

MITRE Threat Groups

APT18
APT19
APT28
APT29
APT3
APT37
Dragonfly 2.0
FIN7
FIN8
Lazarus Group
Magic Hound
Night Dragon
OilRig
TEMP.Veles
Threat Group-3390

Kill Chain Phases

Command and Control

Data Sources

DNS


Excessive DNS Failures Help

This search looks at DNS traffic with a reply code that is NOT indicative of a successful response. Numerous unsuccessful replies may be indicative of DNS protocol tampering or other malicious activity. If more than 50 of these unsuccessful responses are observed over the time frame of the search, a notable event will be generated.
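The following is an added example of the detection logic described above (in both the Description and the Help text), not the page's own Splunk search: it counts DNS responses whose reply code is anything other than a success code and flags a source once the count exceeds 50 in the analysed window. The log line format (`<timestamp> src=<ip> q=<name> rcode=<code>`), the field names and the sample records are constructed assumptions; a real deployment would read the same fields from its DNS data source. The example also shows the boundary case the threshold implies: exactly 50 failures does not trigger, 51 or more does.

```python
"""Detection logic for "Excessive DNS Failures" (added example, not the
original search). Counts unsuccessful DNS replies per source address and
reports sources that exceed the page's threshold of 50 in the window."""
from collections import Counter

# DNS rcode 0 is NOERROR, the only standard success code. Everything else
# (NXDOMAIN, SERVFAIL, REFUSED, ...) is counted as an unsuccessful reply,
# matching the page's "reply code that is NOT indicative of a successful
# response". Accept both the symbolic and numeric form.
SUCCESS_RCODES = {"NOERROR", "0"}

# From the page: a notable event is generated on MORE than 50 failures.
THRESHOLD = 50


def parse_event(line):
    """Parse one constructed log line of the form
    '<timestamp> src=<ip> q=<query name> rcode=<reply code>'
    into a dict. Field names are an assumption for this example."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def is_failure(rcode):
    """True when the reply code is not a success code (case-insensitive)."""
    return rcode.strip().upper() not in SUCCESS_RCODES


def count_failures(lines):
    """Count unsuccessful DNS replies per source address over the window."""
    failures = Counter()
    for line in lines:
        event = parse_event(line)
        if is_failure(event["rcode"]):
            failures[event["src"]] += 1
    return failures


def find_excessive(lines, threshold=THRESHOLD):
    """Return {src_ip: failure_count} for sources strictly above the threshold.
    This is the condition that would raise the notable event."""
    return {src: n for src, n in count_failures(lines).items() if n > threshold}


def build_sample_log():
    """Constructed sample data (not real traffic):
    - 10.0.0.5: 60 failures (alternating NXDOMAIN / SERVFAIL) -> should trigger
    - 10.0.0.7: exactly 50 NXDOMAIN failures -> at the boundary, must NOT trigger
    - 10.0.0.9: 80 successful NOERROR replies -> never counted"""
    lines = []
    for i in range(60):
        code = "SERVFAIL" if i % 2 else "NXDOMAIN"
        lines.append(f"2024-01-01T00:{i // 60:02d}:{i % 60:02d} src=10.0.0.5 "
                     f"q=h{i}.example.test rcode={code}")
    for i in range(50):
        lines.append(f"2024-01-01T00:{i // 60:02d}:{i % 60:02d} src=10.0.0.7 "
                     f"q=m{i}.example.test rcode=NXDOMAIN")
    for i in range(80):
        lines.append(f"2024-01-01T00:{i // 60:02d}:{i % 60:02d} src=10.0.0.9 "
                     f"q=ok{i}.example.test rcode=NOERROR")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("failures per source:", dict(count_failures(sample)))
    print("sources exceeding threshold:", find_excessive(sample))
```

Running the block prints the per-source failure counts (60, 50 and 0 for the three constructed hosts) and a single flagged source, `10.0.0.5`; the host with exactly 50 failures stays below the "more than 50" condition and so produces no notable event.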