Advanced EPL Rule DNS Enumeration

Question asked by Craig Cameron-Weir on Oct 9, 2018
Looking for some help with an EPL rule.


The goal is to detect when a single client requests more than 275 unique A records for hosts in my AD domain within 5 minutes. The custom meta key dns_qtype is populated by an app rule that acts on logs produced by our name servers.


// Match every DNS A query for the AD domain that carries a source IP.
// The SELECT clause and closing parenthesis were missing from the pasted fragment.
@RSAAlert(oneInSeconds = 0)
SELECT * FROM Event(
    dns_qtype.toLowerCase() IN ('dns a') AND
    matchLike(alias_host, "%domain.local") AND
    ip_src IS NOT NULL
);


This expression matches all of the events (DNS A record queries for domain.local). What I don't know is how to achieve the threshold and grouping by source IP with only unique alias_host values (i.e. what combination of views is required). Note that alias_host is an array as well - I'm not sure if that changes the behavior of std:unique.


I've tried this a few different ways and none of them have worked - would appreciate some assistance.
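The following is an added example of how the threshold described in the question can be expressed in Esper EPL; it is not the poster's rule and has not been taken from an RSA NetWitness answer. It assumes the same meta keys as the post (dns_qtype, alias_host, ip_src), that alias_host carries a single hostname per event, and that the @RSAAlert annotation and matchLike function behave as they do in the poster's filter. The threshold of 275 hosts and the 5-minute window are the values the question states.

```epl
// Added example, not the original poster's rule.
// Alert once when a single ip_src has queried more than 275 distinct
// A records under domain.local within a sliding 5-minute window.
// Assumptions: alias_host holds one hostname per event (see note below),
// and the meta keys are populated as described in the question.
@RSAAlert(oneInSeconds = 0)
SELECT
    ip_src,
    count(distinct alias_host) AS unique_hosts
FROM Event(
    dns_qtype.toLowerCase() IN ('dns a') AND
    matchLike(alias_host, "%domain.local") AND
    ip_src IS NOT NULL
).win:time(5 min)            // keep only the last 5 minutes of matching events
GROUP BY ip_src              // one aggregate per requesting client
HAVING count(distinct alias_host) > 275;   // fire when the unique-host count crosses the threshold
```

Two points a practitioner would check before relying on this. First, count(distinct ...) is an aggregation, whereas std:unique(...) is a data window that retains only the most recent event per key value; the unique count is what the threshold needs, so the aggregate is the simpler fit. Second, because the question notes that alias_host is an array, the distinct comparison in this example is made on whatever value the property exposes for each event; if that is an array rather than a single string, each array is compared as a whole, so the rule should be validated against real events from the name-server logs (for example by temporarily lowering the threshold) to confirm that the count behaves as intended before it is deployed.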