Detection of DNS Requests to AI-Related Domains
This query surfaces DNS requests from Windows hosts to domains listed in the AI-Domains.csv lookup (referenced in the query below as generative-ai-domains.csv). It filters out browser-initiated traffic from Chrome and Edge, so what remains is non-browser activity. The result shows which hosts and processes generate the most DNS requests to those domains.
Tags: EDRhunting
FDR · intermediate · by ByteRay (cql-hub.com) · 1 min read
Query
#event_simpleName=DnsRequest event_platform=Win
| match(file="generative-ai-domains.csv", field=[DomainName],column=domain,ignoreCase=true,mode=glob)
| !in(field=ContextBaseFileName, values=[msedge.exe,chrome.exe],ignoreCase=true)
| SourceProcess := ContextBaseFileName
| groupBy([DomainName, ComputerName,SourceProcess],function=count(as=Count))
| sort(field=Count,type=number,order=desc)
Explanation
Imported from cql-hub.com. Pipe by pipe:
- #event_simpleName=DnsRequest event_platform=Win: selects DnsRequest events reported by Windows sensors.
- match(...): keeps only events whose DomainName matches a glob pattern in the domain column of generative-ai-domains.csv, ignoring case.
- !in(...): drops events whose ContextBaseFileName is msedge.exe or chrome.exe (case-insensitive). The exclusion is by process file name only, so anything that is not one of those two names, including scripts, office applications and command-line tools, stays in the result.
- SourceProcess := ContextBaseFileName: copies the process name into a more readable field.
- groupBy([DomainName, ComputerName, SourceProcess], function=count(as=Count)): counts events per domain, host and source process.
- sort(field=Count, type=number, order=desc): orders the result by Count, highest first.
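As an added illustration (not part of the cql-hub.com post or the author's code), the following Python reproduces the query's platform filter, glob lookup, browser exclusion, grouping and sort over a handful of constructed DnsRequest events; the domain patterns and events are made up for the example.

```python
import fnmatch
from collections import Counter

# Constructed stand-in for the "domain" column of generative-ai-domains.csv (glob patterns)
AI_DOMAIN_GLOBS = ["*.openai.com", "chat.openai.com", "*.anthropic.com", "gemini.google.com"]

# Processes the query's !in() clause excludes, compared case-insensitively
EXCLUDED_PROCESSES = {"msedge.exe", "chrome.exe"}

# Constructed DnsRequest events using the field names the query relies on
EVENTS = [
    {"event_simpleName": "DnsRequest", "event_platform": "Win", "DomainName": "api.openai.com",
     "ComputerName": "WS-01", "ContextBaseFileName": "python.exe"},
    {"event_simpleName": "DnsRequest", "event_platform": "Win", "DomainName": "chat.openai.com",
     "ComputerName": "WS-01", "ContextBaseFileName": "Chrome.exe"},      # browser: excluded
    {"event_simpleName": "DnsRequest", "event_platform": "Win", "DomainName": "API.Anthropic.com",
     "ComputerName": "WS-02", "ContextBaseFileName": "Outlook.exe"},     # mixed case still matches
    {"event_simpleName": "DnsRequest", "event_platform": "Win", "DomainName": "api.openai.com",
     "ComputerName": "WS-01", "ContextBaseFileName": "python.exe"},
    {"event_simpleName": "DnsRequest", "event_platform": "Lin", "DomainName": "api.openai.com",
     "ComputerName": "SRV-01", "ContextBaseFileName": "curl"},           # not Windows: dropped
    {"event_simpleName": "DnsRequest", "event_platform": "Win", "DomainName": "example.com",
     "ComputerName": "WS-02", "ContextBaseFileName": "python.exe"},      # not in the lookup
]


def matches_ai_domain(domain, globs=AI_DOMAIN_GLOBS):
    """match(mode=glob, ignoreCase=true): does any lookup pattern match the domain?"""
    d = domain.lower()
    return any(fnmatch.fnmatchcase(d, g.lower()) for g in globs)


def hunt(events, globs=AI_DOMAIN_GLOBS, excluded=EXCLUDED_PROCESSES):
    """Apply the query's filters, then groupBy([DomainName, ComputerName, SourceProcess]) with count."""
    excluded_lc = {p.lower() for p in excluded}
    counts = Counter()
    for ev in events:
        if ev["event_simpleName"] != "DnsRequest" or ev["event_platform"] != "Win":
            continue
        if not matches_ai_domain(ev["DomainName"], globs):
            continue
        source_process = ev["ContextBaseFileName"]          # SourceProcess := ContextBaseFileName
        if source_process.lower() in excluded_lc:           # !in(ContextBaseFileName, ...)
            continue
        counts[(ev["DomainName"], ev["ComputerName"], source_process)] += 1
    # sort(field=Count, type=number, order=desc)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
```

Calling hunt(EVENTS) returns two rows: two python.exe requests for api.openai.com from WS-01, then one Outlook.exe request from WS-02. Note that a pattern such as *.openai.com does not match the bare apex openai.com, so the lookup needs an explicit entry for any apex you want to cover.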
Variables to adjust
Review and adjust the values for your environment: the lookup file name and its domain column (generative-ai-domains.csv in the query), and the list of browser processes excluded by the !in() clause (msedge.exe, chrome.exe).