Skip to content

Domain Generation Algorithms🔗

The Domain Generation Algorithm (DGA) Detector is a machine learning classifier that has been trained with both known information on real domain names and on malicious domain names. The DGA Detector then applies that learning to the client’s streaming DNS data in order to find domains that potentially could be indicators of malicious activity.

DGA Detection Example

The DGA Detector classifies domains into two categories: good or bad. When it finds a bad domain, it sends it as a detection to the Secureworks® Taegis™ XDR Dashboard and the XDR Detection Database. Note that when a detection is added, it doesn’t indicate that the domain is intrinsically bad—but it can help you identify or confirm malicious activity in combination with other detections provided by the other detectors.

Requirements🔗

This detector requires the following data sources, integrations, or schemas:

  • DNS

Note

Taegis and Red Cloak™ Endpoint Agent DNS feed and any other source of DNS events that are ingested and normalized into the XDR data lake in real time with a typical latency of no more than an hour.

Inputs🔗

Detections are from the following normalized sources:

  • DNS

Outputs🔗

Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.

Configuration Options🔗

This detector is enabled by default when the required data sources or integrations are available in the tenant.

Note

Event data related to detections produced by the Domain Generation Algorithm (DGA) detector may be delayed up to ten minutes after the detection appears in the XDR application.

MITRE ATT&CK Category🔗

  • MITRE Enterprise ATT&CK - Command And Control - Domain Generation Algorithms. For more information, see MITRE Technique T1568.002.

Detector Testing🔗

This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.

Note

If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.

FROM detection WHERE metadata.creator.detector.detector_id='app:detect:dga'

References🔗