dns_stats.xml
<!--
  Wazuh custom rule set for the "dnsstat" integration.

  Layout: 100010 is the base rule and matches any decoded event whose
  "integration" field equals dnsstat. Rules 100011 to 100014 refine it through
  if_sid and look at one additional decoded field each (dnsstat.alerts,
  dnsstat.category, dnsstat.error). All rules carry no_full_log, so only the
  decoded fields are kept in the alert, not the raw event.

  Rule ids 100010 to 100014 are in the 100000+ range that Wazuh leaves free for
  local/custom rules; keep them unique across every file in the rules directory.

  Matching caveat: a <field> element uses the OS_Regex syntax unless a type
  attribute says otherwise, and an OS_Regex match is NOT anchored, so a pattern
  matches anywhere inside the field value. See the per-rule notes below.
-->
<group name="dnsstat,">
<!--
  Base rule. Every dnsstat event matches here at level 5, which is above the
  default alert threshold; presumably that is intended so the child rules can
  inherit via if_sid. NOTE(review): if only the child rules should alert,
  lowering this level would cut alert volume without affecting the children.
-->
<rule id="100010" level="5">
<field name="integration">dnsstat</field>
<description>DNS Stats</description>
<options>no_full_log</options>
<group>dnsstat_alert,</group>
</rule>
<!--
  Frequency-score alerts. The "|" is OS_Regex alternation, so either alert
  name matches. Unanchored on purpose, presumably because dnsstat.alerts may
  hold several comma-separated alert names; verify against the decoder output.
-->
<rule id="100011" level="5">
<if_sid>100010</if_sid>
<field name="dnsstat.alerts">LOW-FREQ-SCORES|SUSPECT-FREQ-SCORE</field>
<description>DNS Stats - Low Frequency Score in Queried Domain</description>
<!-- T1071 is Application Layer Protocol. The DNS sub-technique is T1071.004;
     consider using it if the manager's MITRE database accepts sub-technique ids. -->
<mitre>
<id>T1071</id>
</mitre>
<options>no_full_log</options>
<group>dnsstat_alert,</group>
</rule>
<!-- First-contact alert: the queried domain has not been seen before by dnsstat. -->
<rule id="100012" level="5">
<if_sid>100010</if_sid>
<field name="dnsstat.alerts">YOUR-FIRST-CONTACT</field>
<description>DNS Stats - Domain Queried for the first time</description>
<mitre>
<id>T1071</id>
</mitre>
<options>no_full_log</options>
<group>dnsstat_alert,</group>
</rule>
<!--
  Recently created domain. NOTE(review): because the match is unanchored,
  "NEW" also matches any longer category value that contains it; if
  dnsstat.category is always a single exact token, anchoring as ^NEW$ makes
  the intent explicit. Confirm the possible category values first.
-->
<rule id="100013" level="5">
<if_sid>100010</if_sid>
<field name="dnsstat.category">NEW</field>
<description>DNS Stats - DNS Query to Recently Created Domain</description>
<mitre>
<id>T1071</id>
</mitre>
<options>no_full_log</options>
<group>dnsstat_alert,</group>
</rule>
<!--
  API error. In OS_Regex "\." means any character, so "\.+" matches any
  non-empty dnsstat.error value. Do not switch this field to type="pcre2"
  without rewriting the pattern: there "\." is a literal dot and the rule
  would stop firing. Routed to dnsstat_error rather than dnsstat_alert so
  integration health can be monitored separately from detections.
-->
<rule id="100014" level="5">
<if_sid>100010</if_sid>
<field name="dnsstat.error">\.+</field>
<description>DNS Stats - Error connecting to API</description>
<options>no_full_log</options>
<group>dnsstat_error,</group>
</rule>
</group>