Configuring and Using Microsoft DNS DGA Connector for Threat Hunting

over 2 years ago
In this article I explain how to configure the Microsoft DNS DGA SmartConnector, tune it, extract host and domain information from the query name, and detect malicious activity using the resulting logs.
After installing the connector you should see a "dga_whitelist.txt" file under the $ARCSIGHT_HOME\current\user\agent directory. This file pre-filters events by domain before they are forwarded: queries for the listed domains are not collected at all. For example, if you don't want to collect DNS logs for *, you need to enter "" (without quotes). Entries must be entered one per line. The connector documentation says the file should be comma separated; that is a mistake, so be careful about this.
Example dga_whitelist.txt file:
The following files under the map folder should not be renamed, because renaming them breaks the functionality:,,,
To extract the host and domain parts of the query name (for example, "compute-1" and "" from ), create two map files (you can also do it with a single map file). The map file header expressions are as follows.
For the domain part:
"__regexToken(destinationHostName,"".*?\.(.+)"")"
For the host part:
"__regexToken(destinationHostName,""(\S+?)\.\S+"")"
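The following is an added example, not code from the article or from the connector: it emulates what the two steps above do to a batch of query names, so you can check the whitelist file and the regexes offline before touching the connector. The whitelist text and query names are constructed; the matching rule for whitelist entries (an entry suppresses the domain itself and everything under it) is an assumption, since the page only shows the "*" form of the example. The __regexToken emulation returns capture group 1 of the first match, which is what the two map-file expressions rely on.

```python
import re

# Constructed sample dga_whitelist.txt contents: one domain per line, which is
# what the connector actually expects (not the comma-separated list the docs claim).
WHITELIST_TEXT = """\
windowsupdate.com
microsoft.com
"""

# The two map-file header expressions from the article, with the CSV-doubled
# quotes collapsed to plain Python regexes.
DOMAIN_RE = re.compile(r".*?\.(.+)")      # __regexToken(destinationHostName,".*?\.(.+)")
HOST_RE = re.compile(r"(\S+?)\.\S+")      # __regexToken(destinationHostName,"(\S+?)\.\S+")

# Constructed query names as they would arrive in destinationHostName.
SAMPLE_QUERIES = [
    "compute-1.amazonaws.com",
    "download.windowsupdate.com",
    "login.live.microsoft.com",
    "4.3.2.1.in-addr.arpa",
    "xk3j9qf2ms7v.example",
    "localhost",
]


def load_whitelist(text):
    """Parse dga_whitelist.txt: one entry per line; blank lines and surrounding whitespace are ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def is_whitelisted(query_name, whitelist):
    """Assumed matching rule (not documented on the page): an entry suppresses the
    domain itself and every name under it, i.e. the '*.' form the article mentions."""
    name = query_name.rstrip(".").lower()
    return any(name == entry or name.endswith("." + entry) for entry in whitelist)


def regex_token(value, pattern):
    """Emulate __regexToken: capture group 1 of the first match, or None when nothing matches."""
    m = pattern.search(value)
    return m.group(1) if m else None


def split_host_domain(query_name):
    """Return (host, domain) the way the two map files populate their target fields."""
    return regex_token(query_name, HOST_RE), regex_token(query_name, DOMAIN_RE)


def prefilter_and_enrich(query_names, whitelist_text):
    """Drop whitelisted names (what the connector's pre-filter does), then enrich the rest.
    Returns a list of (query_name, host, domain) tuples."""
    whitelist = load_whitelist(whitelist_text)
    return [
        (q,) + split_host_domain(q)
        for q in query_names
        if not is_whitelisted(q, whitelist)
    ]


if __name__ == "__main__":
    for row in prefilter_and_enrich(SAMPLE_QUERIES, WHITELIST_TEXT):
        print(row)
```

Two things worth noticing in the output: a name without a dot (localhost) gets neither host nor domain, because neither expression matches, and a reverse-lookup name such as 4.3.2.1.in-addr.arpa is split into host "4" and domain "3.2.1.in-addr.arpa", since the domain regex simply takes everything after the first label.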



To optimize license usage, run a top destinationDnsDomain search, copy the result and analyze it. After selecting some domains that are clearly normal, for example,, add them to the dga_whitelist.txt file.


I highly recommend the following blog post from Red Canary for understanding the importance of DNS logs and how to analyze them.

The Microsoft DNS DGA SmartConnector adds extra information to each query event to show whether the query name looks normal or DGA-generated. If deviceCustomNumber1=1, the query name looks like a DGA name, indicating suspicious behavior (example:). If deviceCustomNumber1=0, the query name looks normal (example:).
Using this field you can create rules, dashboards, reports, etc. The following are some example dashboards:

Top hosts performing DNS lookups (hint: look for abnormally high counts):

[Image: top sources.jpg]

Top queried domains (hint: look for abnormally high counts, which can indicate exfiltration activity):

[Image: top queried domains.jpg]

Short Tail Analysis of DNS queries (look for query names that occur rarely, which can indicate dropper activity: the malware is downloaded only once):

1. Create an event query (pay attention to ORDER BY section)

[Image: rare dns queries-query fields.jpg] [Image: dns event queries-query.jpg]

2. Create a Query Viewer

[Image: rare dns queries-query viewer.jpg] [Image: rare dns queries - query viewer2.jpg]

3. Create a Dashboard

[Image: rare dns queries.jpg]
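The three dashboards above, and the deviceCustomNumber1 flag described earlier, run over a handful of events as an added example (not code from the article, and not an ArcSight query): the events are constructed, reduced to the four connector fields the dashboards use, and the field names sourceAddress, destinationHostName, destinationDnsDomain and deviceCustomNumber1 are assumed to be populated as the article describes. The rare-query view sorts by count ascending, which is the ORDER BY the event query in step 1 hinges on. One view goes slightly beyond the page: counting distinct query names under each domain, which is the usual way to make the "exfiltration" hint in the top-domains dashboard concrete, since DNS tunnelling produces many unique subdomains under one domain rather than many repeats of the same name.

```python
from collections import Counter


def _ev(src, name, domain, dga):
    """Build one constructed event with the four connector fields the dashboards use."""
    return {"sourceAddress": src, "destinationHostName": name,
            "destinationDnsDomain": domain, "deviceCustomNumber1": dga}


# Constructed sample events: 10.0.0.42 shows DGA-style lookups (deviceCustomNumber1=1),
# 10.0.0.11 makes a single lookup of a name nobody else ever resolves.
EVENTS = [
    _ev("10.0.0.5",  "www.example.com",             "example.com",        0),
    _ev("10.0.0.5",  "mail.example.com",            "example.com",        0),
    _ev("10.0.0.7",  "www.example.com",             "example.com",        0),
    _ev("10.0.0.7",  "mail.example.com",            "example.com",        0),
    _ev("10.0.0.9",  "cdn-a.example.net",           "example.net",        0),
    _ev("10.0.0.42", "x7k2q9pz.dga-sample.example", "dga-sample.example", 1),
    _ev("10.0.0.42", "q3m8zj1w.dga-sample.example", "dga-sample.example", 1),
    _ev("10.0.0.42", "p9v2ks7e.dga-sample.example", "dga-sample.example", 1),
    _ev("10.0.0.42", "u4n6hd0r.dga-sample.example", "dga-sample.example", 1),
    _ev("10.0.0.42", "www.example.com",             "example.com",        0),
    _ev("10.0.0.11", "dl.dropper.example",          "dropper.example",    0),
]


def top_sources(events, n=5):
    """Dashboard 1: hosts performing the most DNS lookups."""
    return Counter(e["sourceAddress"] for e in events).most_common(n)


def top_domains(events, n=5):
    """Dashboard 2: most queried domains (destinationDnsDomain)."""
    return Counter(e["destinationDnsDomain"] for e in events).most_common(n)


def rare_queries(events, max_count=1):
    """Dashboard 3: query names seen at most max_count times, rarest first,
    i.e. GROUP BY destinationHostName ORDER BY count ASC."""
    counts = Counter(e["destinationHostName"] for e in events)
    return sorted((name for name, c in counts.items() if c <= max_count),
                  key=lambda name: (counts[name], name))


def distinct_names_per_domain(events):
    """Added view: number of distinct query names under each domain, highest first.
    Many unique subdomains under one domain is the tunnelling/exfiltration pattern."""
    names = {}
    for e in events:
        names.setdefault(e["destinationDnsDomain"], set()).add(e["destinationHostName"])
    return sorted(((d, len(s)) for d, s in names.items()), key=lambda kv: (-kv[1], kv[0]))


def dga_by_source(events):
    """Sources that issued DGA-looking queries (deviceCustomNumber1 == 1), with counts."""
    return Counter(e["sourceAddress"] for e in events if e["deviceCustomNumber1"] == 1)


if __name__ == "__main__":
    print("top sources:", top_sources(EVENTS))
    print("top domains:", top_domains(EVENTS))
    print("rare queries:", rare_queries(EVENTS))
    print("distinct names per domain:", distinct_names_per_domain(EVENTS))
    print("DGA queries by source:", dict(dga_by_source(EVENTS)))
```

With this data the three views point at different things: the top-sources view surfaces 10.0.0.42, the rare-query view surfaces the one-off dl.dropper.example lookup (together with the DGA names, which are also one-offs by nature), and the distinct-names view separates dga-sample.example from example.com even though their raw query counts are close.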


Comment List
  • If I may propose, here is a slightly different version of the regexes for the domain name and host name:

    For the domain part:
    "__regexToken(destinationHostName,"".+(?=\.(.+\..+))"")"
    For the host part:


    The original regexes will not work properly for the XXX.XXX.XXX.XXX.IN-ADDR.ARPA types of records.
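Added example (not the commenter's code and not the article's): the article's domain regex and the domain regex proposed in the comment above, applied side by side to a few constructed query names, including a reverse-lookup name of the IN-ADDR.ARPA form the comment refers to. The __regexToken emulation returns capture group 1 of the first match, which is what both expressions depend on.

```python
import re

# Constructed query names; 4.3.2.1.in-addr.arpa is a reverse-lookup (PTR) name.
NAMES = [
    "compute-1.amazonaws.com",
    "www.example.co.uk",
    "4.3.2.1.in-addr.arpa",
    "intranet.local",
    "localhost",
]

ORIGINAL_DOMAIN_RE = re.compile(r".*?\.(.+)")          # article's map file
PROPOSED_DOMAIN_RE = re.compile(r".+(?=\.(.+\..+))")   # regex from the comment


def regex_token(value, pattern):
    """Emulate __regexToken: capture group 1 of the first match, or None."""
    m = pattern.search(value)
    return m.group(1) if m else None


def compare_domain_regexes(names):
    """Map each name to (original_result, proposed_result)."""
    return {n: (regex_token(n, ORIGINAL_DOMAIN_RE),
                regex_token(n, PROPOSED_DOMAIN_RE)) for n in names}


if __name__ == "__main__":
    for name, (orig, proposed) in compare_domain_regexes(NAMES).items():
        print(f"{name:28} original={orig!r:24} proposed={proposed!r}")
```

The two expressions differ in what they call the domain: the original keeps everything after the first label, so the PTR name yields 3.2.1.in-addr.arpa, while the proposed one keeps the last two labels only (in-addr.arpa, and co.uk for www.example.co.uk) and produces no value for a name with just two labels such as intranet.local. Which behaviour is wanted depends on what the dashboards group on, so check both against your own top-domain search before switching.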
