Clients Connecting to Multiple DNS Servers

Original Source: [splunk source]
Name:Clients Connecting to Multiple DNS Servers
id:74ec6f18-604b-4202-a567-86b2066be3ce
version:5
date:2024-10-17
author:David Dorsey, Splunk
status:deprecated
type:TTP
Description:This search identifies endpoints (DNS.src) that have sent DNS queries to more than five distinct DNS servers (DNS.dest) within the time frame of the search. A client that normally uses one or two corporate resolvers but suddenly queries many different servers can indicate resolver hijacking, host redirection, or DNS being used as a covert channel.
Data_source:
search:| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest, dc(DNS.dest) AS dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src
| `drop_dm_object_name("Network_Resolution")`
| where dest_count > 5
| `clients_connecting_to_multiple_dns_servers_filter`


how_to_implement:This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS server logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro. The search produces a field (`dest_count`) that is not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised, although it contributes useful context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):
* **Label:** Distinct DNS Connections, **Field:** dest_count
Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
known_false_positives:An enterprise may legitimately operate more than five DNS servers in a round-robin rotation, in which case ordinary clients will exceed the threshold and the search will fire on nearly every host. Raise the `dest_count > 5` threshold to fit the size of the resolver pool, or tune out known hosts through the `clients_connecting_to_multiple_dns_servers_filter` macro, as appropriate.
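As an added example that is not part of the original detection or the Splunk security_content project, the following Python re-implements the search logic over a constructed set of Network_Resolution-shaped rows: it keeps only QUERY messages, computes `count`, `values(DNS.dest)` and `dc(DNS.dest)` per source, applies the `dest_count > 5` clause and an exclusion list standing in for the filter macro. The `known_resolvers` option, which counts only servers outside a sanctioned pool, is one possible customization for the round-robin false positive above and is an assumption, as are the sample addresses (RFC 1918 and RFC 5737 ranges).

```python
"""Offline model of the 'Clients Connecting to Multiple DNS Servers' search.

Mirrors the SPL step by step:
  tstats ... where DNS.message_type=QUERY by DNS.src     -> summarize_queries()
  | where dest_count > 5                                 -> detect(), threshold
  | `clients_connecting_to_multiple_dns_servers_filter`  -> detect(), excluded_sources
"""
from collections import defaultdict

# Constructed sample rows in the shape of Network_Resolution events:
# (DNS.src, DNS.dest, DNS.message_type). Addresses come from RFC 1918 and the
# RFC 5737 documentation range; this is not captured traffic.
INTERNAL_RESOLVERS = [f"10.0.{i}.53" for i in range(8)]  # assumed 8-server round-robin pool
SAMPLE_EVENTS = [
    # 10.1.1.50: a normal client using two corporate resolvers; RESPONSE rows are ignored
    ("10.1.1.50", "10.0.0.53", "QUERY"),
    ("10.1.1.50", "10.0.1.53", "QUERY"),
    ("10.1.1.50", "10.0.0.53", "QUERY"),
    ("10.1.1.50", "10.0.0.53", "RESPONSE"),
    # 10.1.1.77: one internal resolver plus six external servers (the suspicious case)
    ("10.1.1.77", "10.0.0.53", "QUERY"),
    *(("10.1.1.77", f"203.0.113.{i}", "QUERY") for i in range(1, 7)),
    # 10.1.2.10: only RESPONSE rows, so the search never counts it
    *(("10.1.2.10", f"203.0.113.{i}", "RESPONSE") for i in range(1, 9)),
    # 10.1.3.5: a client spread across the full internal round-robin pool
    *(("10.1.3.5", r, "QUERY") for r in INTERNAL_RESOLVERS),
]


def summarize_queries(events):
    """Per DNS.src: count, values(DNS.dest) and dc(DNS.dest) over QUERY rows only."""
    dests = defaultdict(set)
    counts = defaultdict(int)
    for src, dest, message_type in events:
        if message_type != "QUERY":          # where DNS.message_type=QUERY
            continue
        dests[src].add(dest)
        counts[src] += 1
    return {
        src: {"count": counts[src], "dest": sorted(dests[src]), "dest_count": len(dests[src])}
        for src in dests
    }


def detect(events, threshold=5, excluded_sources=(), known_resolvers=None):
    """Return {src: summary} for clients whose distinct-server count exceeds threshold.

    threshold        -> the `dest_count > 5` clause (raise it for large resolver pools)
    excluded_sources -> stands in for the filter macro, which drops tuned-out hosts
    known_resolvers  -> optional customization (an assumption, not in the original search):
                        when given, only servers outside this set count toward dest_count,
                        so round-robin use of sanctioned resolvers no longer trips the rule
    """
    results = {}
    for src, summary in summarize_queries(events).items():
        if src in excluded_sources:
            continue
        counted = summary["dest"]
        if known_resolvers is not None:
            counted = [d for d in counted if d not in known_resolvers]
        if len(counted) > threshold:
            results[src] = dict(summary, dest=counted, dest_count=len(counted))
    return results


if __name__ == "__main__":
    for src, s in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{src}: {s['dest_count']} distinct DNS servers over {s['count']} queries")
    print("tuned:", sorted(detect(SAMPLE_EVENTS, known_resolvers=set(INTERNAL_RESOLVERS))))
```

With the default threshold both 10.1.1.77 and the round-robin host 10.1.3.5 are flagged; with the internal pool declared as known resolvers only 10.1.1.77 remains, which is the outcome the tuning in the false-positive note aims for.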
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'DNS Hijacking'
    - 'Suspicious DNS Traffic'
    - 'Host Redirection'
    - 'Command And Control'
  asset_type:Endpoint
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1048.003'
  observable:
    name:'src'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'DNS.dest'
    - 'DNS.message_type'
    - 'DNS.src'
  risk_score:25
  security_domain:network

tests:
  :
manual_test:None