Query Details

Detect Unusual/Suspicious TTL Values Based On DNS Answers

Query

**Detect unusual/suspicious TTL values based on DNS Answers**

**Description:** Time to live (TTL) values in DNS responses provide valuable threat-hunting insights, including:

- Fast-flux botnets (rotating IPs with low TTLs).
- Malware C2 detection (extremely low TTLs): `| where TTLs < 10`
- DNS tunneling (high TTLs or changing TTLs): `| where TTLs > 86400`
- Fake domains mimicking real services (TTL anomalies).
- Evasive infrastructure constantly changing TTL values.

```kql
DeviceNetworkEvents
// AdditionalFields is a JSON string; parse it once and pull out the DNS fields
| extend AF = parse_json(AdditionalFields)
| extend TTLs = AF.TTLs, answers = AF.answers, query = tostring(AF.query)
// answers and TTLs are parallel arrays: expand them together so each answer
// keeps its own TTL instead of cross-joining the two arrays
| mv-expand answers to typeof(string), TTLs to typeof(long)
| extend Type =
    case(
        answers matches regex @"^(\d{1,3}\.){3}\d{1,3}$", "IPv4",
        answers matches regex @"^([a-fA-F0-9:]+)$", "IPv6",
        answers contains ".", "URL",
        "Unknown"
    )
// geo_info_from_ip_address() needs an IPv4/IPv6 string, so keep only A-record answers
| where Type == "IPv4"
| extend Geo_info_answer = tostring(geo_info_from_ip_address(answers).country)
| extend Geo_info_RemoteIP = tostring(geo_info_from_ip_address(RemoteIP).country)
// High-TTL variant (> 24h); use "TTLs < 10" instead to hunt the low-TTL C2 / fast-flux case
| where TTLs > 86400
| project DeviceName, query, RemoteIP, answers, Geo_info_RemoteIP, Geo_info_answer, TTLs
```

Explanation

This query is designed to detect unusual or suspicious Time to Live (TTL) values in DNS responses, which can be indicative of various security threats. Here's a simplified breakdown of what the query does:

1. Extract TTL Values: It starts by extracting TTL values from DNS response data in the DeviceNetworkEvents table.
2. Expand TTLs: The query expands these TTL values to handle multiple entries.
3. Extract DNS Answers: It also extracts DNS answers (like IP addresses or URLs) from the same data.
4. Determine Answer Type: The query identifies the type of DNS answer:
   - IPv4 address
   - IPv6 address
   - URL
   - Unknown type
5. Filter for IPv4: It specifically focuses on answers that are IPv4 addresses.
6. Geolocation Information: The query retrieves geolocation information for both the DNS answer and the remote IP address, identifying the countries associated with each.
7. Filter for High TTLs: It filters the results to only include entries where the TTL is greater than 86400 seconds (24 hours), which can be a sign of DNS tunneling or other suspicious activity.
8. Project Relevant Information: Finally, it selects and displays specific fields: the device name, remote IP, DNS answer, and their respective geolocation information, along with the TTL value.

In summary, this query is looking for DNS responses with unusually high TTL values, which could indicate potential security threats like DNS tunneling or evasive infrastructure.
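The same detection logic, written out in Python as an added example (not part of the original query page) so it can be run offline over constructed sample rows: it parses the `AdditionalFields` JSON, pairs each answer with its own TTL, applies the query's answer-type classification, and flags both the low-TTL (`< 10`) and high-TTL (`> 86400`) cases from the description. The sample events, device names and domains are constructed, not real telemetry.

```python
import json
import re

# Thresholds from the page's description: extremely low TTLs suggest C2 or
# fast-flux, very high TTLs suggest tunneling or pinned evasive infrastructure.
LOW_TTL = 10
HIGH_TTL = 86400

IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
IPV6_RE = re.compile(r"^[a-fA-F0-9:]+$")


def classify_answer(answer):
    """Same branches as the query's case(): IPv4, IPv6, URL, Unknown."""
    if IPV4_RE.match(answer):
        return "IPv4"
    if IPV6_RE.match(answer):
        return "IPv6"
    if "." in answer:
        return "URL"
    return "Unknown"


def find_ttl_anomalies(events, low=LOW_TTL, high=HIGH_TTL):
    """Return (device, query, answer, ttl, reason) for IPv4 answers outside [low, high].
    answers and TTLs are parallel arrays in AdditionalFields, so zip() keeps the
    i-th answer with the i-th TTL rather than cross-joining the two arrays.
    """
    findings = []
    for ev in events:
        fields = json.loads(ev["AdditionalFields"])
        for answer, ttl in zip(fields.get("answers", []), fields.get("TTLs", [])):
            if classify_answer(answer) != "IPv4":
                continue  # the query keeps only A-record style answers
            reason = "low-ttl" if ttl < low else "high-ttl" if ttl > high else None
            if reason:
                findings.append((ev["DeviceName"], fields.get("query"), answer, ttl, reason))
    return findings


# Constructed sample rows (not real telemetry) in the shape the query parses.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "AdditionalFields": json.dumps(
        {"query": "cdn.example.com", "answers": ["edge.example.net", "203.0.113.10"], "TTLs": [300, 60]})},
    {"DeviceName": "ws-02", "AdditionalFields": json.dumps(
        {"query": "update.example.org", "answers": ["198.51.100.7", "198.51.100.8"], "TTLs": [5, 604800]})},
    {"DeviceName": "ws-03", "AdditionalFields": json.dumps(
        {"query": "v6.example.org", "answers": ["2001:db8::1"], "TTLs": [2]})},
]
```

Running `find_ttl_anomalies(SAMPLE_EVENTS)` flags only the two `ws-02` answers: the CNAME-style and IPv6 answers are dropped by the IPv4 filter, and the 60-second TTL sits inside the normal range.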

Details


Sergio Albea

Released: March 14, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, GeoInfo, RemoteIP

Operators

DeviceNetworkEvents, extend, todynamic, tostring, parse_json, mv-expand, case, matches regex, contains, has, geo_info_from_ip_address, where, project
