Correlate high-frequency or anomalous DNS query activity with processes that do not normally generate network requests (e.g., Office apps, system utilities). Detect pseudo-random or high-entropy domain lookups indicative of domain generation algorithms (DGAs).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=1 |

| Field | Description |
|---|---|
| EntropyThreshold | Adjust based on environment to differentiate DGAs from legitimate CDNs |
| TimeWindow | Interval for correlating bursts of DNS queries from the same process |
Monitor /var/log/audit/audit.log and DNS resolver logs for repeated failed lookups or connections to high-entropy domain names. Correlate suspicious DNS queries with process lineage (e.g., Python, bash, or unusual system daemons).

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | auditd:SYSCALL | socket/connect |
| Network Traffic Content (DC0085) | linux:syslog | Query to suspicious domain with high entropy or low reputation |

| Field | Description |
|---|---|
| DomainReputationFeed | Whitelist/blacklist tuned with external threat intel sources |
| ProcessWhitelist | Known safe daemons that frequently query domains |
Inspect unified logs for anomalous DNS resolutions triggered by non-network applications. Flag repeated connections to newly registered or algorithmically generated domains. Correlate with endpoint process telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | DNS query with pseudo-random subdomain patterns |
| Process Creation (DC0032) | macos:unifiedlog | Unexpected applications generating outbound DNS queries |

| Field | Description |
|---|---|
| NewDomainThreshold | Age of domain registration considered suspicious (e.g., < 30 days) |
| DNSQueryVolume | Number of queries per process per time window |
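
Worked detection logic for the Windows, Linux and macOS analytics above, as an added Python example that is not part of the ATT&CK page or any vendor product: it scores the registrable label of each queried domain with Shannon entropy, applies the EntropyThreshold, TimeWindow and ProcessWhitelist elements, and alerts when a single process issues a burst of high-entropy lookups. The event lines are constructed in a flattened Sysmon Event ID 22 shape (timestamp|Image|QueryName); that layout, the threshold values and the whitelist contents are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened Sysmon Event ID 22 (DNS query)
# shape: timestamp|Image|QueryName. Not real telemetry.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|xk3q9vz2lp8rt4.com
2024-05-01T10:00:02|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|b7w1m5ycq0ha.net
2024-05-01T10:00:03|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|t9s4dkp2lmxr.org
2024-05-01T10:00:04|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|office.com
2024-05-01T10:05:00|C:\\Windows\\System32\\svchost.exe|a1b2c3d4e5f6.cloudfront.net
2024-05-01T10:00:10|C:\\Program Files\\Mozilla Firefox\\firefox.exe|example.com
"""

ENTROPY_THRESHOLD = 3.5             # EntropyThreshold: tune so CDN/cloud labels stay below it
TIME_WINDOW = timedelta(minutes=1)  # TimeWindow for correlating a burst from one process
BURST_COUNT = 3                     # high-entropy lookups inside the window before alerting
PROCESS_WHITELIST = {"firefox.exe", "chrome.exe", "msedge.exe"}  # ProcessWhitelist (assumed)

def shannon_entropy(s):
    """Bits per character of s; equals log2(len(s)) when no character repeats."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(domain):
    # Score the second-level label only (naive suffix handling), so random-looking
    # CDN subdomains such as xxxx.cloudfront.net are not mistaken for DGA output.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def detect_dga_bursts(events_text, threshold=ENTROPY_THRESHOLD, window=TIME_WINDOW,
                      burst=BURST_COUNT, whitelist=PROCESS_WHITELIST):
    """Return {process_basename: [high-entropy domains]} for processes exceeding the burst."""
    per_proc = defaultdict(list)
    for line in events_text.splitlines():
        ts, image, query = line.split("|")
        proc = image.rsplit("\\", 1)[-1].lower()
        if proc in whitelist:
            continue
        if shannon_entropy(registrable_label(query)) >= threshold:
            per_proc[proc].append((datetime.fromisoformat(ts), query))
    alerts = {}
    for proc, hits in per_proc.items():
        hits.sort()  # by timestamp, so a sliding window can scan forward from each hit
        for i, (t0, _) in enumerate(hits):
            in_window = [q for t, q in hits[i:] if t - t0 <= window]
            if len(in_window) >= burst:
                alerts[proc] = in_window
                break
    return alerts
```

On the constructed input only WINWORD.EXE is reported: its three random labels score above the threshold inside one minute, while the cloudfront and office.com labels score low and firefox.exe is whitelisted.
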
Monitor esxcli and syslog records for DNS resolver changes or repeated queries to unusual external domains by management agents. Detect unauthorized changes to VM or host network settings that redirect DNS lookups.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:syslog | esxcli network vswitch or DNS resolver configuration updates |

| Field | Description |
|---|---|
| ResolverConfigPaths | Expected resolvers or DNS forwarders in ESXi configurations |
| ExternalDomainWhitelist | Set of trusted external domains expected for ESXi host activity |