Suspicious DNS Activity
The Suspicious DNS Activity detectors identify attempts by threat actors to steal data by exfiltration over existing command and control channels. This detector monitors DNS activity for sequences and patterns indicative of possible DNS exfiltration or C2 communication over DNS to an attacker machine from a compromised host.
Suspicious DNS Activity Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- DNS
Inputs ⫘
Detections are from the following normalized sources:
- DNS
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Exfiltration - Exfiltration Over C2 Channel. For more information, see MITRE Technique T1041.
- MITRE Enterprise ATT&CK - Command and Control - Application Layer Protocol: DNS. For more information, see MITRE Technique T1071.004.
Detector Testing ⫘
This detector does have a supported testing method.
See DNS Query Detector Testing.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:suspicious-dns'
References ⫘
- Schemas