Suspicious DNS

Hello -

I know that the suspicious DNS rule is often the one that creates the most noise on the network and what I am looking for is to find the best option for writing this rule.
Currently this rule will generate a ton of traffic.

Where as this specific rule generates no traffic at all.

The first rule is generating its information using event groups and the second is generating from events and I am not sure if that is the cause of the noise.
If there is a more efficient way of searching for DNS traffic in the SEM and rule I would gladly take that as well.

Thank You

Find more posts tagged with

false positives

rules

rule configuration

dns

Accepted answers

All comments

npatterson

Honestly, I would start by doing a search in historical events for port 53 and add more conditions and search until the results are manageable this will point out which condition is messing up the results. It's time-consuming yes but you can match the create a Sus DNS entry and see what have it differs in SEM from normal traffic.