shockley.net

Searching for DNS anomalies with the Top 1 Million

Categories: [Security]

Recently, Cisco started publishing a list of the top 1 million domains seen in DNS requests to their Umbrella resolvers, updated daily. @SwiftOnSecurity had the great idea to enrich EDR or SIEM data with the list. We're using Sentinel, so I put together a query to report on the anomalies: names our clients resolved that are not on the list. Results vary depending on user location; I found our users in Europe had far more requests that aren't on the Cisco list than US users. This also surfaces a lot of misconfigurations, so be prepared to either fix them or filter them out of the query.

// Umbrella top 1M: a headerless CSV of rank,domain
let DomainList = externaldata(Rank: int, Domain: string)[@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"] with (format="csv");
DnsEvents
// leftanti keeps only DnsEvents rows whose Name has no match in the list
| join kind=leftanti (DomainList) on $left.Name == $right.Domain
| where Name !contains ".yourcompany.com"   // your own zones
| where Name contains "."                    // drop unqualified single-label names
| where Name !endswith ".local"
| summarize num=count() by Name, ClientIP
// sorting on the reversed name groups hosts under the same parent domain together
| order by reverse(Name) asc

This assumes you're collecting query logs from an internal DNS server into the DnsEvents table, so that ClientIP is the requesting client rather than the resolver.

Some other hosts/domains may need filtering; for example, AV and security clients may talk to hosts that are not in the top 1 million list. The join key match is case-sensitive and the Umbrella list is all lowercase, so if your DNS logs preserve the case of the query name, compare on tolower(Name) instead of Name.

I plan to also create a query using Cisco's Top Domains list (rather than top hosts), which may be more useful.
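Added example, not code from the original post: a Python version of the same logic run offline over constructed sample data, so you can see what the filters and the leftanti join do before pointing the query at real logs. The top-list snippet, the DNS events, the client IPs and the .example hostnames are all made up for illustration, and INTERNAL_SUFFIXES stands in for the .yourcompany.com / .local filters. It goes one step beyond the query: walk_parents=True accepts a host whose parent domain is on the list, which approximates matching against a domains-only list rather than the host list.

```python
import csv
import io
from collections import Counter

# Constructed sample in the format of Umbrella's top-1m.csv: "rank,domain", no header.
TOP_1M_CSV = """\
1,google.com
2,www.google.com
3,microsoft.com
4,windowsupdate.com
5,office.com
"""

# Constructed sample DNS query log from an internal resolver: (client IP, queried name).
DNS_EVENTS = [
    ("10.0.1.15", "www.google.com"),
    ("10.0.1.15", "WWW.Google.COM."),          # mixed case plus trailing root dot
    ("10.0.1.22", "intranet.yourcompany.com"),  # internal zone
    ("10.0.1.22", "fileserver01"),              # unqualified single-label name
    ("10.0.1.22", "printer.local"),
    ("10.0.2.8", "cdn.office.com"),             # host under a listed domain
    ("10.0.2.8", "update.av-vendor.example"),   # hypothetical AV update host
    ("10.0.3.4", "qj3x8k2.unlisted.example"),   # hypothetical unknown host, queried twice
    ("10.0.3.4", "qj3x8k2.unlisted.example"),
]

# Stand-in for the query's ".yourcompany.com" / ".local" filters.
INTERNAL_SUFFIXES = (".yourcompany.com", ".local")


def load_top_list(text):
    """Parse the rank,domain CSV into a lowercase set of names."""
    domains = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        domains.add(row[1].strip().lower())
    return domains


def normalize(name):
    """Lowercase and drop the trailing root dot so 'WWW.Google.COM.' matches the list."""
    return name.strip().lower().rstrip(".")


def is_filtered(name):
    """Names the query already excludes: unqualified names and internal zones."""
    if "." not in name:
        return True
    return any(name.endswith(suffix) for suffix in INTERNAL_SUFFIXES)


def in_list(name, top, walk_parents=False):
    """Exact host match; with walk_parents, also accept any listed parent domain
    (never the bare TLD), approximating a domains-only list."""
    if name in top:
        return True
    if not walk_parents:
        return False
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in top:
            return True
    return False


def find_anomalies(events, top, walk_parents=False):
    """Equivalent of the KQL: leftanti join, filters, count by (name, client),
    sorted by the reversed name. Returns a list of ((name, client_ip), count)."""
    counts = Counter()
    for client_ip, raw in events:
        name = normalize(raw)
        if is_filtered(name) or in_list(name, top, walk_parents):
            continue
        counts[(name, client_ip)] += 1
    return sorted(counts.items(), key=lambda item: item[0][0][::-1])


if __name__ == "__main__":
    top = load_top_list(TOP_1M_CSV)
    for walk in (False, True):
        print(f"walk_parents={walk}")
        for (name, client_ip), num in find_anomalies(DNS_EVENTS, top, walk):
            print(f"  {num:>3}  {client_ip:<12} {name}")
```

Run it as-is and the exact-host pass reports cdn.office.com, update.av-vendor.example and the repeated qj3x8k2 lookup, while the parent-walk pass drops cdn.office.com because office.com is listed. The normalize step is the part worth carrying back into the Sentinel query when your logs preserve case.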