Monitor DNS query results where a subsequent connection from the same process uses a port number that was not part of the resolved answer but appears derived from it, or is otherwise unusual, especially when the process itself is suspicious. Correlate Sysmon DNS logs (Event ID 22) with process creation and socket activity.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=1 |

| Field | Description |
|---|---|
| PortDeviationThreshold | Deviation from common service ports (e.g., >1024 when the DNS-resolved service is expected on 80/443) |
| TimeWindow | Correlation window between DNS response and network connection (e.g., 5 minutes) |
Inspect resolver and audit logs for processes initiating outbound connections to ports calculated from DNS response IPs. Abnormal ephemeral port usage shortly after DNS queries can indicate DNS calculation behavior.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Content (DC0085) | linux:syslog | DNS response IPs followed by connections to non-standard calculated ports |

| Field | Description |
|---|---|
| EphemeralPortRange | Configured ephemeral port ranges per environment to reduce false positives |
| ResolverWhitelist | Exclude trusted resolvers or internal services from analysis |
Use unified logs to detect unusual DNS responses correlated with subsequent connections to calculated or non-standard ports. Monitor non-browser apps making repeated outbound connections that deviate from expected patterns.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | DNS responses followed by connections to ports outside standard ranges |
| Process Creation (DC0032) | macos:unifiedlog | Unexpected processes making network calls based on DNS-derived ports |

| Field | Description |
|---|---|
| ProcessAllowlist | Expected processes allowed to open non-standard ports (e.g., developer tools) |
| ConnectionVolumeThreshold | Volume of unusual connections needed before flagging as suspicious |
Analyze ESXi syslogs for management agents or VMs making outbound connections to dynamically calculated ports derived from DNS responses. Cross-check with VM traffic baselines to identify anomalies.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:syslog | DNS resolution events leading to outbound traffic on unexpected ports |

| Field | Description |
|---|---|
| ManagementPlaneIPs | Known trusted ESXi management plane IPs to exclude from alerts |
| DomainReputationFeed | Integrate external feeds for reputation context on DNS-derived domains |
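The four analytics above share one correlation shape: keep recent DNS answers per process, then flag a connection to a resolved IP inside TimeWindow whose destination port falls outside the expected set (PortDeviationThreshold, ProcessAllowlist). The Python below is an added example, not part of this page or of any detection product; it uses Sysmon-style event shapes (EID 22 DNS query, EID 3 connect) over constructed sample events, and the two octet-to-port derivations it checks are hypothetical illustrations, not derivations attributed to any real implant.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Hypothetical port derivations applied to a resolved IP's octets (illustrative only).
DERIVATIONS = {
    "octet1*256+octet2": lambda o: (o[0] * 256 + o[1]) % 65536,
    "octet1+octet2+octet3": lambda o: (o[0] + o[1] + o[2]) % 65536,
}
EXPECTED_PORTS = {53, 80, 443}          # PortDeviationThreshold: ports never flagged
TIME_WINDOW = timedelta(minutes=5)      # TimeWindow between DNS answer and connect

# Constructed Sysmon-style events (not from a real host): EID 22 = DNS query, EID 3 = connect.
EVENTS = [
    {"t": "2024-05-01T10:00:00", "id": 22, "pid": 4242, "image": "C:\\Users\\u\\AppData\\svc.exe",
     "results": ["203.0.113.10"]},
    {"t": "2024-05-01T10:00:07", "id": 3, "pid": 4242, "image": "C:\\Users\\u\\AppData\\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 51968},   # equals 203*256 + 0
    {"t": "2024-05-01T10:01:00", "id": 22, "pid": 900, "image": "C:\\Program Files\\Browser\\browser.exe",
     "results": ["198.51.100.5"]},
    {"t": "2024-05-01T10:01:01", "id": 3, "pid": 900, "image": "C:\\Program Files\\Browser\\browser.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443},
]

def matching_derivations(ip, port):
    """Names of derivations under which `port` follows from the octets of `ip`."""
    octets = ip_address(ip).packed   # four bytes, indexed as ints
    return [name for name, fn in DERIVATIONS.items() if fn(octets) == port]

def correlate(events, window=TIME_WINDOW, process_allowlist=frozenset()):
    """Pair connections with a same-process DNS answer inside `window`; flag ports outside EXPECTED_PORTS."""
    recent = {}   # pid -> [(answer_time, resolved_ip), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        t = datetime.fromisoformat(ev["t"])
        if ev["id"] == 22:
            recent.setdefault(ev["pid"], []).extend((t, ip) for ip in ev["results"])
        elif ev["id"] == 3 and ev["image"] not in process_allowlist \
                and ev["dst_port"] not in EXPECTED_PORTS:
            for answered_at, ip in recent.get(ev["pid"], []):
                if ip == ev["dst_ip"] and timedelta(0) <= t - answered_at <= window:
                    derived = matching_derivations(ip, ev["dst_port"])
                    alerts.append({"pid": ev["pid"], "image": ev["image"],
                                   "dst": f"{ip}:{ev['dst_port']}", "derivations": derived,
                                   "severity": "high" if derived else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

An unexpected port with no matching derivation still yields a medium alert, so unknown calculation schemes are not silently dropped; the allowlist and expected-port set are where environment-specific tuning belongs.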