DNS/DHCP
- Last UpdatedApr 14, 2025
- 6 minutes read
This section provides the following information for out-of-the-box policies available for Domain Name System (DNS)/Dynamic Host Configuration Protocol (DHCP).
- Prerequisites: Lists the attributes required to support all out-of-the-box policies for DNS/DHCP.
- Policy Overview: Lists the policy signature ID, description, criticality, and MITRE threat indicator.
- Detailed Policy Description: Lists detailed information for each policy such as policy status, policy criticality, policy category, MITRE mapping, violation entity, named list, vendor specific use case, and required attributes.
Prerequisites
Before you can use any out-of-the-box policies, ensure you have the information for required attributes. This section lists the attributes required to support all out-of-the-box use cases for DNS/DHCP.
You can refer to the Detailed Policy Description to view specified attributes required for a policy.
|
Labels |
Securonix Attributes |
|---|---|
|
SourceMacAddress |
sourcemacaddress |
|
DeviceAction |
deviceaction |
|
EventOutcome |
eventoutcome |
|
SourceAddress |
sourceaddress |
|
SourceAddress |
sourceaddress |
|
DestinationAddress |
destinationaddress |
|
SourceHostName |
sourcehostname |
|
RecordType |
devicecustomstring4 |
|
DeviceEventCategory |
deviceeventcategory |
|
DeviceEventCategory |
deviceeventcategory |
|
DestinationHostName |
destinationhostname |
|
SourceNtDomain |
sourcentdomain |
|
DestinationPort |
destinationport |
Policy Overview
This section lists out-of-the-box policies available for DNS/DHCP. The policies are categorized based on the following:
- Observables: Policies that need monitoring, as they might turn into a threat.
- Sandbox: Policies that must be tested and fine-tuned based on your requirements.
Observables
|
Signature |
Use case name |
Description |
Criticality |
MITRE Mapping |
|---|---|---|---|---|
|
DNS-ALL-804-BP |
Abnormal number of DHCP requests |
Indicates an attempt by a malicious entity to starve a DHCP server. Technique Used: Behavior anomaly on number of DHCP requests. |
None |
System Network Configuration Discovery |
|
DNS-ALL-808-BP |
Abnormal time for DHCP lease |
Indicates an attempt by a malicious entity to starve a DHCP server. Technique Used: Behavior anomaly on number of DHCP lease duration. |
None |
System Network Configuration Discovery |
|
DNS-ALL-803-TA |
Beaconing traffic to rare domains over DNS |
Indicates communication with a command and control server. Technique Used: Robotic pattern detection. |
Medium |
Application Layer Protocol |
|
DNS-ALL-801-ERR |
DHCP request from rare device |
Indicates a malicious entity attempting to gain access to the internal network. Technique Used: Behavior anomaly for rarity on network traffic. |
None |
System Network Configuration Discovery |
|
DNS-ALL-806-DB |
Excessive number of DNS NXDOMAIN responses |
Indicates a malicious entity attempting to avoid defense measures. Technique Used: Aggregated event analytics on number of NXDOMAIN connections. |
Low |
Application Layer Protocol |
|
DNS-ALL-807-DB |
Excessive number of DNS SERVFAIL responses |
Indicates a non responsive or suspicious DNS server being used. Technique Used: Aggregated event analytics on number of SERVFAIL connections. |
Low |
Application Layer Protocol |
|
DNS-ALL-800-DB |
Excessive number of failed DNS zone transfers |
Indicates a malicious entity attempting to communicate on DNS ports over Transmission Control Protocol (TCP). Technique Used: Aggregated event analytics on number of failed zone transfers. |
Low |
System Network Configuration Discovery |
|
DNS-ALL-802-TA |
Persistent traffic to rare non resolvable domain DNS responses |
Indicates a malicious entity attempting to circumvent control and communicate with a possible C2 server. Technique Used: Robotic pattern detection. |
Low |
Application Layer Protocol |
|
DNS-ALL-809-DB |
Possible fast flux domain detected |
Indicates a fast flux domain that is used by malicious actors to avoid defensive control. Technique Used: Aggregated event analytics on number of IPs resolved. |
Low |
Fast Flux DNS |
|
DNS-ALL-805-TA |
Randomly generated domain detected on DNS response |
Indicates a domain that could transfer malicious payload to an endpoint and can be used for evading defense mechanisms. Technique Used: Principal component analysis. |
Low |
Domain Generation Algorithms |
|
DNS-ALL-810-TA |
Rare DNS server used |
Indicates an unauthorized or misconfigured DNS server. Technique Used: Behavior anomaly on rare host for DNS traffic. |
None |
System Network Configuration Discovery |
Sandbox
|
Signature |
Use Case name |
Description |
Criticality |
MITRE Mapping |
|---|---|---|---|---|
|
DNS-ALL-801-ERR |
DHCP request from rare device |
Indicates a malicious entity attempting to gain access to the internal network. Technique Used: Behavior anomaly for rarity on network traffic. |
None |
System Network Configuration Discovery |
|
DNS-ALL-810-TA |
Rare DNS server used |
Indicates an unauthorized or misconfigured DNS server. Technique Used: Behavior anomaly on rare host for DNS traffic. |
None |
System Network Configuration Discovery |
Detailed Use Case Description
| Policy | Description |
|---|---|
| Policy Name | Abnormal number of DHCP requests |
| Description |
Indicates an attempt by a malicious entity to starve a DHCP server. Technique Used: Behavior Anomaly on number of DHCP requests. |
| Criticality | None |
| Category | Alert |
| MITRE Mapping | System Network Configuration Discovery |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Abnormal time for DHCP lease |
| Description |
Indicates an attempt by a malicious entity to starve a DHCP server. Technique Used: Behavior Anomaly on number of DHCP lease duration. |
| Criticality | None |
| Category | Alert |
| MITRE Mapping | System Network Configuration Discovery |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Beaconing traffic to rare domains over DNS |
| Description |
Indicates communication with a command and control server. Technique Used: Robotic pattern detection. |
| Criticality | Medium |
| Category | Malware |
| MITRE Mapping | Application Layer Protocol |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | DHCP request from rare device |
| Description |
Indicates a malicious entity attempting to gain access to the internal network. Technique Used: Behavior Anomaly for rarity on network traffic. |
| Criticality | None |
| Category | SANDBOX-SNYPR |
| MITRE Mapping | System Network Configuration Discovery |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
|
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Excessive number of DNS NXDOMAIN responses |
| Description |
Indicates a malicious entity attempting to avoid defense measures. Technique Used: Aggregated event analytics on number of NXDOMAIN connections. |
| Criticality | Low |
| Category | Alert |
| MITRE Mapping | Application Layer Protocol |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Excessive number of DNS SERVFAIL responses |
| Description |
Indicates a non responsive or suspicious DNS server being used. Technique Used: Aggregated event analytics on number of SERVFAIL connections. |
| Criticality | Low |
| Category | Alert |
| MITRE Mapping | Application Layer Protocol |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Excessive number of failed DNS zone transfers |
| Description |
Indicates a malicious entity attempting to communicate on DNS ports over TCP. Technique Used: Aggregated event analytics on number of failed zone transfers. |
| Criticality | Low |
| Category | Alert |
| MITRE Mapping | System Network Configuration Discovery |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Persistent traffic to rare non resolvable domain dns responses |
| Description |
Indicates a malicious entity attempting to circumvent control and communicate with a possible C2 server. Technique Used: Robotic pattern detection. |
| Criticality | Low |
| Category | Malware |
| MITRE Mapping | Application Layer Protocol |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Possible fast flux domain detected |
| Description |
Indicates a fast flux domain that can be used by malicious actors to avoid defensive control. Technique Used: Aggregated event analytics on number of IPs resolved. |
| Criticality | Low |
| Category | Malware |
| MITRE Mapping | Fast Flux DNS |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Randomly generated domain detected on dns response |
| Description |
Identifies domains that could be used to transfer malicious payload to an endpoint and can be used for evading defense mechanisms. Technique Used: Principal component analysis. |
| Criticality | Low |
| Category | Malware |
| MITRE Mapping | Domain Generation Algorithms |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
Observable |
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|
| Policy | Description |
|---|---|
| Policy Name | Rare DNS server used |
| Description |
Indicates an unauthorized or misconfigured DNS server. Technique Used: Behavior Anomaly on rare host for DNS traffic. |
| Criticality | None |
| Category | SANDBOX-SNYPR |
| MITRE Mapping | System Network Configuration Discovery |
| Violation Entity | Network Address |
|
Policy Type (Threat / Observables / Sandbox) |
|
| Named List | NA |
| Vendor Specific Use Case | NA |
| Required Attributes |
|