Configuring and Using Microsoft DNS DGA Connector for Threat Hunting
facebook.com kaspersky-labs.com googleapis.com akamaitechnologies.com compute-1.amazonaws.com geo.kaspersky.com apple.com search.msn.com microsoft.com gstatic.com
map.2.properties, map.3.properties, map.4.properties, map.5.properties.
map.0.properties (extract the domain part):
set.expr(destinationHostName).event.destinationDnsDomain "__regexToken(destinationHostName,"".*?\.(.+)"")"
Note that the non-greedy `.*?` makes this expression strip only the leftmost label: www.google.com becomes google.com, but a query for the apex name facebook.com becomes com, and host.co.uk becomes co.uk. Keep this in mind when you build top-domain dashboards on destinationDnsDomain.
map.1.properties (extract the host part):
LICENSE USAGE OPTIMIZATION:
To reduce license consumption, run a top destinationDnsDomain search, export the results and review them. Domains you recognize as normal (facebook.com, for example) can be added to the dga_whitelist.txt file so that queries for them no longer count against the license. Bear in mind that whitelisted queries disappear from the SIEM entirely, so restrict the list to high-volume domains you are confident about and review it periodically.
DETECTING SUSPICIOUS ACTIVITY:
I highly recommend the following blog post from Red Canary for understanding why DNS logs matter and how to analyze them.
The Microsoft DNS DGA SmartConnector enriches each query with a verdict on whether the query name looks normal or DGA-generated. If deviceCustomNumber1=1, the query name looks like DGA output and indicates suspicious behavior (example: asjdhajkhda.xyz.com). If deviceCustomNumber1=0, the query name looks normal (example: www.google.com). The verdict is a heuristic on the name itself, so legitimate but random-looking hostnames (CDN edge names, cloud instance names such as the akamaitechnologies.com and compute-1.amazonaws.com entries in the whitelist above) can be flagged; treat a single flagged query as a lead, and look for clients that resolve many distinct flagged names under the same parent domain.
By using this information, you can create rules, dashboards, reports, etc. Following are some examples of dashboards:
Top hosts performing DNS lookups (hint: look for abnormally high counts):
Top queried domains (hint: look for abnormally high counts, which can indicate exfiltration or tunnelling over DNS):
Short Tail Analysis of DNS queries (hint: look for rare query names; a dropper's staging domain is typically resolved only once, because the malware is downloaded only once):
1. Create an event query (pay attention to the ORDER BY section: sort by count ascending so the rarest query names come first)
2. Create a Query Viewer
3. Create a Dashboard
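The following Python script, as an added example that is not part of the original post or of the SmartConnector, runs the three dashboard views above (top lookup sources, top domains, rare query names) plus a per-client and per-parent-domain DGA count over a small set of constructed log lines. The lines are not real connector output: they are written with the CEF extension keys for the ArcSight fields the post uses (shost = sourceHostName, dhost = destinationHostName, cn1 = deviceCustomNumber1), the parent domain is derived with the same `.*?\.(.+)` expression as map.0.properties, and the whitelist semantics (a host matches if it equals a listed domain or is a subdomain of one) are an assumption, not documented connector behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real connector output). Lines use CEF extension
# key names for the ArcSight fields the post refers to:
#   shost = sourceHostName (the client doing the lookup)
#   dhost = destinationHostName (the query name)
#   cn1   = deviceCustomNumber1 (1 = DGA-looking, 0 = normal)
SAMPLE_LOG = """\
shost=ws-001 dhost=www.google.com cn1=0
shost=ws-001 dhost=facebook.com cn1=0
shost=ws-001 dhost=update.vendor-example.com cn1=0
shost=ws-002 dhost=update.vendor-example.com cn1=0
shost=ws-003 dhost=update.vendor-example.com cn1=0
shost=ws-002 dhost=gstatic.com cn1=0
shost=ws-002 dhost=asjdhajkhda.xyz.com cn1=1
shost=ws-002 dhost=qwpoeiruty.xyz.com cn1=1
shost=ws-002 dhost=mnzxcvbnas.xyz.com cn1=1
shost=ws-003 dhost=www.google.com cn1=0
shost=ws-003 dhost=files.stage-drop.net cn1=0
shost=ws-001 dhost=a1b2c3d4.cloudfront.net cn1=1
shost=ws-004 dhost=a1b2c3d4.cloudfront.net cn1=1
"""

# Known-benign domains, standing in for dga_whitelist.txt. Assumed matching
# rule (not documented connector behaviour): a host is whitelisted if it
# equals a listed domain or is a subdomain of one.
WHITELIST = {"facebook.com", "google.com", "gstatic.com"}

KV_RE = re.compile(r"(\w+)=(\S+)")
# Same expression the post's map.0.properties applies with __regexToken: it
# strips only the leftmost label (www.google.com -> google.com, but
# facebook.com -> com and host.co.uk -> co.uk).
DOMAIN_RE = re.compile(r".*?\.(.+)")


def parse_events(log):
    """Parse key=value lines into dicts and derive destinationDnsDomain."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        m = DOMAIN_RE.match(fields["dhost"])
        fields["destinationDnsDomain"] = m.group(1) if m else fields["dhost"]
        fields["cn1"] = int(fields.get("cn1", "0"))
        events.append(fields)
    return events


def is_whitelisted(host, whitelist=WHITELIST):
    labels = host.split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def filter_whitelist(events, whitelist=WHITELIST):
    """Drop queries the connector would not forward once whitelisted."""
    return [e for e in events if not is_whitelisted(e["dhost"], whitelist)]


def top_sources(events, n=5):
    """Dashboard 1: clients performing the most lookups."""
    return Counter(e["shost"] for e in events).most_common(n)


def top_domains(events, n=5):
    """Dashboard 2: most queried parent domains (DNS exfil inflates these)."""
    return Counter(e["destinationDnsDomain"] for e in events).most_common(n)


def dga_by_source(events):
    """Rule input: number of DGA-flagged queries per client."""
    return Counter(e["shost"] for e in events if e["cn1"] == 1)


def dga_distinct_names_per_domain(events):
    """Distinct DGA-flagged query names under each parent domain. A DGA
    cycles through many names under few parents; a CDN name that merely
    looks random usually repeats the same name (see cloudfront.net)."""
    names = defaultdict(set)
    for e in events:
        if e["cn1"] == 1:
            names[e["destinationDnsDomain"]].add(e["dhost"])
    return {d: len(s) for d, s in names.items()}


def rare_queries(events, max_count=1):
    """Dashboard 3 (Short Tail): query names seen at most max_count times,
    i.e. the ORDER BY count ASC view where one-off dropper domains surface."""
    counts = Counter(e["dhost"] for e in events)
    return sorted(h for h, c in counts.items() if c <= max_count)


if __name__ == "__main__":
    events = filter_whitelist(parse_events(SAMPLE_LOG))
    print("top sources:", top_sources(events))
    print("top domains:", top_domains(events))
    print("DGA per source:", dga_by_source(events))
    print("distinct DGA names per domain:", dga_distinct_names_per_domain(events))
    print("rare queries:", rare_queries(events))
```

On the sample data ws-002 stands out on every view at once: it is the busiest client, it owns three distinct flagged names under xyz.com, and each of those names appears exactly once, which is the combination a DGA beacon produces. The flagged cloudfront.net name, by contrast, is the same name resolved by two clients, which is what a CDN hostname looks like and is the kind of entry that belongs in the whitelist.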