DNS Traffic Insights using Domain Stats and Wazuh EDR

Intro

Despite being a key part of threat hunting, DNS queries are often overlooked, if not disregarded, when analyzing telemetry from the endpoint and spotting malicious activity.

Domain Stats

This tool was created by Mark Baggett (SANS instructor). It is a log enhancement utility, using RDAP (Registration Data Access Protocol) by default, that is intended to help you find threats in your environment. It will identify the following possible threats:

  • Domains that no one in your organization has ever visited before
  • Domains with hostnames that appear to be random characters

Domain Stats & Wazuh SIEM Integration

Requirements:

  • Wazuh manager with custom integration as described in our GitHub repo.
  • Wazuh Agents with Sysmon (info in our GitHub repo).
  • This integration (Python script) will call the Domain Stats API and evaluate its response:
      ◦ “First time seen” domains, low-frequency domains and newly created domains will generate an alert.
      ◦ This new alert will trigger an active response script on the agent, which in turn will make an API call to AlienVault’s OTX, passing the queried hostname as a parameter.
      ◦ If IoCs are found for the specific domain, the agent will insert an alert in its active responses log.
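The decision logic of that integration script, written out as an added example (this is not the SOCFortress script from the GitHub repo). It reads the query name from a Sysmon Event ID 22 record as Wazuh's JSON decoder exposes it, looks the registered domain up in a Domain Stats style record, and raises an alert for first-seen, newly registered or low-frequency domains. The record field names (`seen_by_you`, `seen_by_web`, `created`, `alerts`), the thresholds and the `domain_stats` location tag are assumptions; the sample event and records are constructed for the example. Only the `1:<location>:<json>` message shape is the real format Wazuh integration scripts write to the manager's analysis queue.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Constructed Sysmon Event ID 22 (DNS query) in the shape Wazuh's JSON decoder
# produces; only the fields this example reads are included.
SAMPLE_EVENT = {
    "agent": {"id": "004", "name": "WS-FINANCE-07"},
    "win": {"eventdata": {
        "queryName": "cdn.fresh-payroll-update.com",
        "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
    }},
}

# Constructed Domain Stats style records keyed by registered domain.
# Assumed schema: "seen_by_you" = first query from this organisation (None if
# never), "seen_by_web" = first observation in web data, "created" = RDAP
# registration date, "alerts" = tags set by the service.
SAMPLE_RECORDS = {
    "fresh-payroll-update.com": {
        "seen_by_you": None,
        "seen_by_web": "2024-05-20T00:00:00",
        "created": "2024-05-18T00:00:00",
        "alerts": ["YOUR-FIRST-CONTACT"],
    },
    "example.org": {
        "seen_by_you": "2019-02-11T09:30:00",
        "seen_by_web": "1996-01-01T00:00:00",
        "created": "1995-08-14T00:00:00",
        "alerts": [],
    },
}


def registered_domain(hostname: str) -> str:
    """Collapse a query name to its registered domain.
    Simplification: keeps the last two labels, which is wrong for multi-part
    public suffixes such as co.uk; use a public-suffix library in production."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookup_sample(domain: str) -> Optional[Dict]:
    """Offline stand-in for the HTTP call to the Domain Stats API."""
    return SAMPLE_RECORDS.get(domain)


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) if ts else None


def evaluate(record: Dict, now: datetime,
             new_days: int = 30, low_freq_days: int = 90) -> List[str]:
    """Return the reasons a record should raise an alert; empty means benign.
    Thresholds are assumptions: a domain registered within new_days counts as
    newly created, one first seen on the web within low_freq_days as low-frequency."""
    reasons: List[str] = []
    if record.get("seen_by_you") is None:
        reasons.append("first-seen-by-org")
    created = _parse(record.get("created"))
    if created and now - created <= timedelta(days=new_days):
        reasons.append("newly-registered")
    seen_web = _parse(record.get("seen_by_web"))
    if seen_web and now - seen_web <= timedelta(days=low_freq_days):
        reasons.append("low-frequency")
    # Pass through any tags the service itself attached to the domain.
    reasons.extend("tag:" + tag for tag in record.get("alerts", []))
    return reasons


def build_alert(event: Dict, lookup: Callable[[str], Optional[Dict]],
                now: datetime) -> Optional[Dict]:
    """Enrich one Sysmon DNS event; return the alert payload or None."""
    data = event["win"]["eventdata"]
    hostname = data["queryName"]
    domain = registered_domain(hostname)
    record = lookup(domain)
    if record is None:
        return None  # unknown to Domain Stats: nothing to enrich with
    reasons = evaluate(record, now)
    if not reasons:
        return None
    return {
        "integration": "domain_stats",  # assumed name matched by the custom rule
        "agent": event["agent"],
        "hostname": hostname,
        "domain": domain,
        "image": data["image"],
        "reasons": reasons,
        "domain_stats": record,
    }


def format_queue_message(alert: Dict, location: str = "domain_stats") -> str:
    """Wazuh integration scripts hand events to the manager as
    '1:<location>:<json>' over the local analysis queue socket."""
    return "1:{}:{}".format(location, json.dumps(alert))


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    alert = build_alert(SAMPLE_EVENT, lookup_sample, now)
    if alert:
        print(format_queue_message(alert))
```

In the real script the `lookup` argument is the HTTP GET against the Domain Stats service and the formatted message is written to the manager's queue socket; keeping the lookup injectable is what lets the alert logic be unit tested without a running service.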

SOCFortress: Domain Stats & Wazuh Integration

Domain Stats — Categories and Events per agent

Domain Stats & Wazuh (I)
Domain Stats & Wazuh (II)
Domain Stats & Wazuh (III)


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
