kqlElastic-2.0from elastic/detection-rules

Abnormally Large DNS Response

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1210 T1499 T1499.004

Rule sourcerules/network/lateral_movement_dns_server_overflow.toml

((event.category:(network or network_traffic) and destination.port:53) 
      or network.protocol:"dns" 
      or data_stream.dataset:(network_traffic.dns or zeek.dns))
    and destination.bytes > 60000
    and event.type:("allowed" or "end" or "protocol" or "start")