Elastic Security Detection Rules

Potential DGA Activity

Last updated 9 months ago on 2025-01-15

Created 2 years ago on 2023-09-14

About

A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.

Tags

Use Case: Domain Generation Algorithm DetectionRule Type: MLRule Type: Machine LearningTactic: Command and Control

Severity

low

Risk Score

21

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Dynamic Resolution (T1568)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

dga(opens in a new tab or window)

endpoint(opens in a new tab or window)

network_traffic(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Potential DGA Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).