
Suspicious DNS Activity

The Suspicious DNS Activity detector identifies attempts by threat actors to steal data by exfiltrating it over an existing command and control channel. It monitors DNS activity for sequences and patterns indicative of DNS exfiltration, or of C2 communication over DNS, from a compromised host to an attacker-controlled machine.
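As an added illustration (not the product's own detector logic, which this page does not disclose), the Python below profiles a constructed DNS log for the signals described above: many distinct, long, high-entropy subdomain labels under one domain, queried by one host, often as TXT records. The domain name, the thresholds and the "registrable domain = last two labels" split are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample log (epoch, source host, qname, qtype). exfil-example.test is a
# hypothetical domain; its long hex labels mimic encoded data tunnelled out over TXT.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000010 10.0.0.7 4f7a3b9c1d2e8f60a1b2c3d4e5f60718.exfil-example.test TXT
1700000011 10.0.0.7 9a8b7c6d5e4f30211f2e3d4c5b6a7980.exfil-example.test TXT
1700000012 10.0.0.7 0c1d2e3f4a5b69788796a5b4c3d2e1f0.exfil-example.test TXT
1700000013 10.0.0.7 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.exfil-example.test TXT
1700000014 10.0.0.7 b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6.exfil-example.test TXT
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def parse_log(text):
    """Yield (epoch, src, qname, qtype) from the space-separated log lines."""
    for p in (line.split() for line in text.splitlines() if line.strip()):
        yield int(p[0]), p[1], p[2].lower().rstrip("."), p[3].upper()

def profile_domains(records):
    """Per domain (assumed registrable = last two labels), count queries and keep the leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "sources": set(), "labels": []})
    for _ts, src, qname, qtype in records:
        labels = qname.split(".")
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["sources"].add(src)
        if len(labels) > 2:  # a DNS tunnel normally carries its payload in the leftmost label
            s["labels"].append(labels[0])
    return stats

def flag_suspicious(text, min_unique=5, min_entropy=3.0, min_len=20):
    """Flag domains whose label churn, mean entropy and mean length all exceed (illustrative) thresholds."""
    flagged = {}
    for dom, s in profile_domains(parse_log(text)).items():
        if len(set(s["labels"])) < min_unique:
            continue  # too few distinct labels to look like chunked data
        ent = sum(map(shannon_entropy, s["labels"])) / len(s["labels"])
        ln = sum(map(len, s["labels"])) / len(s["labels"])
        if ent >= min_entropy and ln >= min_len:
            flagged[dom] = {"queries": s["queries"], "unique_labels": len(set(s["labels"])),
                            "mean_entropy": round(ent, 2), "mean_label_len": round(ln, 1),
                            "txt_ratio": round(s["txt"] / s["queries"], 2), "sources": sorted(s["sources"])}
    return flagged
```

The returned evidence (query count, label churn, entropy, TXT ratio, source hosts) is what an analyst would want alongside the detection when triaging it.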

Suspicious DNS Activity Detection

Requirements

This detector requires the following data sources, integrations, or schemas:

  • DNS

Inputs

Detections are from the following normalized sources:

  • DNS

Outputs

Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

  • MITRE Enterprise ATT&CK - Exfiltration - Exfiltration Over C2 Channel. For more information, see MITRE Technique T1041.
  • MITRE Enterprise ATT&CK - Command and Control - Application Layer Protocol: DNS. For more information, see MITRE Technique T1071.004.

Detector Testing

This detector does have a supported testing method.

See DNS Query Detector Testing.

FROM detection WHERE metadata.creator.detector.detector_id='app:detect:suspicious-dns'

References