DGA — High-Entropy Subdomain Pattern (Domain Generation Algorithm)
04 DNS DGA High Entropy
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| extend SLD = tostring(split(DnsQuery, ".")[-2])
| where strlen(SLD) between (10 .. 40)
| extend
SLDLen = strlen(SLD),
HasDigits = SLD matches regex @"\d",
ConsonantCount = countof(SLD, "b") + countof(SLD, "c") + countof(SLD, "d")
+ countof(SLD, "f") + countof(SLD, "g") + countof(SLD, "h")
+ countof(SLD, "j") + countof(SLD, "k") + countof(SLD, "l")
+ countof(SLD, "m") + countof(SLD, "n") + countof(SLD, "p")
+ countof(SLD, "q") + countof(SLD, "r") + countof(SLD, "s")
+ countof(SLD, "t") + countof(SLD, "v") + countof(SLD, "w")
+ countof(SLD, "x") + countof(SLD, "y") + countof(SLD, "z")
| extend ConsonantRatio = todouble(ConsonantCount) / todouble(SLDLen)
| where ConsonantRatio > 0.65
and HasDigits == true
| summarize
DgaLikeDomains = dcount(DnsQuery),
QueryCount = count(),
SampleDomains = make_set(DnsQuery, 15),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostname
| where DgaLikeDomains > 10Explanation
This query is designed to detect suspicious network activity that might indicate the presence of malware using Domain Generation Algorithms (DGA). DGAs are used by malware to generate a large number of domain names in hopes of connecting to a command and control (C2) server. Here's a simple breakdown of what the query does:
-
Data Source: It analyzes DNS activity logs from Windows DNS systems.
-
Time Frame: It looks at DNS queries made in the last hour.
-
Domain Analysis:
- It focuses on the second-level domain (SLD) of queried domains.
- It checks if the SLD is between 10 and 40 characters long, which is typical for DGA-generated domains.
- It calculates the ratio of consonants in the SLD. A high ratio (>65%) suggests randomness, as real words usually have a lower consonant ratio.
- It checks if the SLD contains digits, which is uncommon in legitimate brand names.
-
Detection Criteria:
- The query identifies domains that meet the above criteria and have been queried successfully (i.e., they resolved to an IP address).
- It flags IP addresses or hostnames that have queried more than 10 such suspicious domains within the hour.
-
Output:
- It summarizes the number of suspicious domains queried, the total number of queries, and provides a sample of up to 15 domains.
- It records the first and last time these queries were seen.
-
Alerting:
- If the criteria are met, it generates an alert indicating potential DGA activity, including details about the source hostname and IP address, and a sample of the queried domains.
This query helps identify potential malware activity by detecting patterns typical of DGA-generated domains, even if the domains successfully resolve, which might be missed by other detection methods focusing only on failed queries.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1h