Potential DGA Activity | Elastic Security Solution [8.9]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Machine Learning Detected DGA activity using a known SUNBURST DNS domain Machine Learning Detected a DNS Request With a High DGA Probability Score »

Potential DGA Activityedit

A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Domain Generation Algorithm Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Dynamic Resolution
- ID: T1568
- Reference URL: https://attack.mitre.org/techniques/T1568/

« Machine Learning Detected DGA activity using a known SUNBURST DNS domain Machine Learning Detected a DNS Request With a High DGA Probability Score »