DNS Tunneling

A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.

Elastic rule

[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often
used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity.
For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel
data.
"""
false_positives = [
    """
    DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger
    this alert and such parent domains can be excluded.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_dns_tunneling"
name = "DNS Tunneling"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
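To make the signal behind this rule concrete, the following is an added example, not Elastic's ML job (which is an anomaly model, not a fixed threshold): it counts distinct query names per registered domain over constructed packetbeat-style DNS events, since dnscat-style tunneling encodes data in many unique child labels under one parent, and it applies an exclusion list for the CDN-style false positives the rule notes. The ECS field names are real; the sample events, the threshold of 100, and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample events in ECS-like shape (not real traffic).
# "c2.example" mimics a tunneling parent domain: every query name is unique.
# "cdn.example" mimics a content-distribution domain: many child names, benign.
# "corp.example" is a normal domain: many queries, but one repeated name.
SAMPLE_EVENTS = (
    [{"dns.question.name": f"{i:08x}.c2.example",
      "dns.question.registered_domain": "c2.example"} for i in range(120)]
    + [{"dns.question.name": f"edge{i}.cdn.example",
        "dns.question.registered_domain": "cdn.example"} for i in range(300)]
    + [{"dns.question.name": "www.corp.example",
        "dns.question.registered_domain": "corp.example"}] * 50
)


def count_unique_subdomains(events):
    """Map each registered (parent) domain to its number of distinct query names."""
    seen = defaultdict(set)
    for ev in events:
        parent = ev.get("dns.question.registered_domain")
        name = ev.get("dns.question.name")
        if parent and name:
            # Normalise case and trailing dot so "A.c2.example." == "a.c2.example"
            seen[parent.lower()].add(name.lower().rstrip("."))
    return {parent: len(names) for parent, names in seen.items()}


def flag_tunneling_candidates(events, threshold=100, exclude=()):
    """Return (parent, distinct_count) pairs at or above the threshold, minus excluded parents."""
    counts = count_unique_subdomains(events)
    excluded = {d.lower() for d in exclude}
    return sorted(
        (parent, n) for parent, n in counts.items()
        if n >= threshold and parent not in excluded
    )


if __name__ == "__main__":
    # Excluding the CDN parent mirrors the rule's false-positive guidance.
    for parent, n in flag_tunneling_candidates(SAMPLE_EVENTS, exclude=["cdn.example"]):
        print(f"{parent}: {n} distinct query names")
```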
