Name:DNS Query Requests Resolved by Unauthorized DNS Servers id:1a67f15a-f4ff-4170-84e9-08cf6f75d6f6 version:6 date:2024-11-14 author:Bhavin Patel, Splunk status:deprecated type:TTP Description:This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework. Data_source:
search:| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`
how_to_implement:To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security. known_false_positives:Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate. References: drilldown_searches:
: tags: analytic_story: - 'DNS Hijacking' - 'Suspicious DNS Traffic' - 'Host Redirection' - 'Command And Control' asset_type:Endpoint mitre_attack_id: - 'T1071.004' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network
