DNS Record Changed

Description

The search takes the DNS records and their answers from the discovered_dns_records lookup and determines whether any records have changed by comparing them with DNS responses from the Network_Resolution data model over the last day.


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Techniques

Application Layer Protocol

DNS

MITRE Threat Groups

APT18
APT39
APT41
Cobalt Group
FIN7
Ke3chang
OilRig
Tropic Trooper

Kill Chain Phases

Command and Control

Data Sources

DNS

Help

To successfully implement this search, ensure that DNS data is populating the Network_Resolution data model. The search also requires that the discovered_dns_records lookup table be populated by the included support search "Discover DNS record".

Splunk>Phantom Playbook Integration

If Splunk>Phantom is also configured in your environment, a playbook called "DNS Hijack Enrichment" can be configured to run when this detection search returns any results. The playbook takes the changed DNS record as input and uses GeoIP, whois, Censys and PassiveTotal to determine whether the DNS issuer changed. To use this integration, install the Phantom App for Splunk (https://splunkbase.splunk.com/app/3411/), add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding playbook to active. Playbook link: https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/
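The comparison this detection performs (baseline answers from the lookup versus answers seen in the last day of resolution events), reimplemented in Python over constructed data as an added example; this is not the detection's own SPL, and it assumes the search only reports names that already have a baseline row in the lookup.

```python
"""Added example, not the page's SPL: flag DNS names whose observed
answer is absent from the baseline lookup of previously seen answers."""
from collections import defaultdict

# Constructed rows standing in for the discovered_dns_records lookup:
# one row per (query, answer) pair the support search has recorded.
BASELINE_LOOKUP = [
    {"query": "mail.example.com", "answer": "203.0.113.10"},
    {"query": "www.example.com", "answer": "203.0.113.20"},
    {"query": "www.example.com", "answer": "203.0.113.21"},
]

# Constructed events standing in for one day of Network_Resolution
# data model results (DNS.query / DNS.answer fields).
RESOLUTION_EVENTS = [
    {"query": "mail.example.com", "answer": "203.0.113.10"},  # unchanged
    {"query": "WWW.example.com", "answer": "203.0.113.21"},   # known answer
    {"query": "mail.example.com", "answer": "198.51.100.7"},  # changed
    {"query": "new.example.com", "answer": "203.0.113.30"},   # no baseline row
]


def build_baseline(rows):
    """Map each lowercased query name to the set of answers in the lookup."""
    baseline = defaultdict(set)
    for row in rows:
        baseline[row["query"].lower()].add(row["answer"])
    return baseline


def find_changed_records(events, baseline_rows):
    """Return sorted (name, answer) pairs from `events` whose name has a
    baseline entry but whose answer is not among the baseline answers.
    Names with no baseline row are skipped (assumption: the lookup join
    only compares records the support search already discovered)."""
    baseline = build_baseline(baseline_rows)
    changed = set()
    for event in events:
        name = event["query"].lower()
        if name in baseline and event["answer"] not in baseline[name]:
            changed.add((name, event["answer"]))
    return sorted(changed)


if __name__ == "__main__":
    for name, answer in find_changed_records(RESOLUTION_EVENTS, BASELINE_LOOKUP):
        print(f"{name} now resolves to {answer}, which is not in the baseline")
```

A hit here is the trigger the help text describes; enrichment of the new answer (GeoIP, whois, Censys, PassiveTotal) is what the playbook adds on top.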
