Navigation :

DNS Query Length With High Standard Deviation

Description

This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection

Alert Volume

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Techniques

Application Layer Protocol

DNS

MITRE Threat Groups

APT18

APT39

APT41

Cobalt Group

FIN7

Ke3chang

OilRig

Tropic Trooper

Kill Chain Phases

Command and Control

Data Sources

DNS

Help
DNS Query Length With High Standard Deviation Help To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.

Help

DNS Query Length With High Standard Deviation Help

To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.

Search
\| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type \| `drop_dm_object_name("DNS")` \| eval query_length = len(query) \| table query query_length record_type count \| eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50\| where query_length>(avg+stdev*2) \| eval z_score=(query_length-avg)/stdev \| `dns_query_length_with_high_standard_deviation_filter` Open in Search

Search

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type |  `drop_dm_object_name("DNS")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`

Open in Search