Abnormally Large DNS Response

About

Tags

Use Case: Threat DetectionTactic: Lateral MovementTactic: ImpactUse Case: VulnerabilityData Source: PAN-OSData Source: Network TrafficLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Lateral Movement (TA0008)(external, opens in a new tab or window)

↳ Exploitation of Remote Services (T1210)(external, opens in a new tab or window)

Impact (TA0040)(external, opens in a new tab or window)

↳ Endpoint Denial of Service (T1499)(external, opens in a new tab or window)

False Positive Examples

Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-network_traffic.*logs-panw.panos*

Related Integrations

network_traffic(external, opens in a new tab or window)

panw(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗((event.category:(network or network_traffic) and destination.port:53) 
      or network.protocol:"dns" 
      or data_stream.dataset:(network_traffic.dns or zeek.dns))
    and destination.bytes > 60000
    and event.type:("allowed" or "end" or "protocol" or "start")