DNS Query Requests Resolved by Unauthorized DNS Servers

Original Source: [splunk source]
Name:DNS Query Requests Resolved by Unauthorized DNS Servers
id:1a67f15a-f4ff-4170-84e9-08cf6f75d6f6
version:5
date:2024-10-17
author:Bhavin Patel, Splunk
status:deprecated
type:TTP
Description:This search detects DNS requests answered by unauthorized DNS servers: resolution events in the Network_Resolution data model in which neither the source nor the destination host carries the dns_server category. Legitimate DNS servers must be identified in the Enterprise Security Assets and Identity framework so that they receive that category; anything else acting as a resolver is reported.
Data_source:
search:| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest
| `drop_dm_object_name("DNS")`
| `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`


how_to_implement:To implement this search, ensure that DNS data is populating the Network_Resolution data model and that your DNS servers are categorized as dns_server in the Assets and Identity table of Enterprise Security. Note that the search compares DNS.src_category and DNS.dest_category with `!=`; in Splunk a `field!=value` comparison does not match events where the field is null, so hosts with no category at all (for example an external public resolver missing from the asset table) may not be flagged. Verify this behaviour against your own data before relying on the search to catch traffic to unknown resolvers.
known_false_positives:Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.
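The following is an added example, not part of the Splunk detection above: a stand-alone Python model of the search logic run over a constructed asset table and a handful of constructed Network_Resolution-style (src, dest) records. It shows which pairs the literal `!=` filter reports and, beside it, a variant that also counts hosts with no category at all, so the difference described under how_to_implement is visible on concrete input. Host addresses, categories and the function names are all assumptions made for the example.

```python
"""Model of 'DNS Query Requests Resolved by Unauthorized DNS Servers' over constructed data."""
from collections import Counter

# Constructed asset table: host -> category. Hosts absent from the table have no
# category, which is what an unlisted external resolver looks like in ES.
ASSETS = {
    "10.0.0.53": "dns_server",   # corporate resolver
    "10.0.0.54": "dns_server",   # corporate resolver
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
    "10.0.2.20": "server",       # categorized, but not a DNS server
    # 8.8.8.8 and 192.168.50.5 are intentionally absent (uncategorized)
}

# Constructed resolution events as the data model would expose DNS.src / DNS.dest.
EVENTS = [
    ("10.0.1.10", "10.0.0.53"),     # workstation -> corporate resolver: authorized
    ("10.0.1.11", "10.0.0.54"),     # authorized
    ("10.0.1.10", "10.0.2.20"),     # workstation -> non-DNS server: should be flagged
    ("10.0.1.10", "10.0.2.20"),     # same pair again, so count becomes 2
    ("10.0.1.11", "8.8.8.8"),       # workstation -> uncategorized public resolver
    ("10.0.0.53", "8.8.8.8"),       # corporate resolver forwarding upstream (src is dns_server)
    ("192.168.50.5", "10.0.2.20"),  # uncategorized source -> non-DNS server
]


def spl_not_equal(value, literal):
    """Model of SPL `field!=literal`: a null field never matches, so the result is False."""
    return value is not None and value != literal


def detect_literal(events, assets):
    """Port of the tstats search: count by (src, dest) where src_category != dns_server
    AND dest_category != dns_server, with Splunk's null semantics for `!=`."""
    counts = Counter()
    for src, dest in events:
        if spl_not_equal(assets.get(src), "dns_server") and spl_not_equal(assets.get(dest), "dns_server"):
            counts[(src, dest)] += 1
    return counts


def detect_including_uncategorized(events, assets):
    """Variant with NOT-style semantics: a missing category counts as 'not a dns_server',
    so resolution by hosts absent from the asset table is also reported."""
    counts = Counter()
    for src, dest in events:
        if assets.get(src) != "dns_server" and assets.get(dest) != "dns_server":
            counts[(src, dest)] += 1
    return counts


if __name__ == "__main__":
    print("literal `!=` filter:")
    for (src, dest), n in sorted(detect_literal(EVENTS, ASSETS).items()):
        print(f"  {src} -> {dest}: {n}")
    print("including uncategorized hosts:")
    for (src, dest), n in sorted(detect_including_uncategorized(EVENTS, ASSETS).items()):
        print(f"  {src} -> {dest}: {n}")
```

Run as written, the literal filter reports only the workstation talking to the categorized non-DNS server; the queries to 8.8.8.8 and from 192.168.50.5 drop out because one side has no category. The variant also reports those two pairs, while still excluding the corporate resolver's own upstream forwarding. If that is the behaviour you want in Splunk, rewriting the where clause with `NOT DNS.dest_category=dns_server` (which does match null fields in the search command) is the usual approach; confirm it against tstats on your data model before changing the production search.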
References:
drilldown_searches:
tags:
  analytic_story:
    - 'DNS Hijacking'
    - 'Suspicious DNS Traffic'
    - 'Host Redirection'
    - 'Command And Control'
  asset_type:Endpoint
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1071.004'
  observable:
    - name:'dest'
      type:'Hostname'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'DNS.dest_category'
    - 'DNS.src_category'
    - 'DNS.src'
    - 'DNS.dest'
  risk_score:25
  security_domain:network

tests:
manual_test:None