DNS beaconing is one of the harder command-and-control (C&C) techniques to spot. The implant periodically resolves a domain the attacker controls, both to check whether the C&C server is reachable and, by encoding data in the queried subdomain labels, to exfiltrate data over a protocol that is almost never blocked at the perimeter. Because the check-ins are driven by a timer, they show up as requests for the same domain from the same source host at nearly regular intervals. To detect this, record the time of every request per domain and source, compute the gap between consecutive requests, and look for pairs whose gaps have a stable average and a low variance across the observation window. The rule below is one way to express this in SPL: it reports the mean and variance of the inter-request gap per domain so that the analyst can threshold on them.
| fields timestamp, dnsdomainname, srcip
| sort 0 timestamp
| streamstats current=f last(timestamp) as prev by srcip, dnsdomainname
| eval gap=(timestamp - prev)/1000
| stats count, avg(gap) as "avgbeacontime", var(gap) as "variancebeacon" by srcip, dnsdomainname

A few notes on the rule. The timestamp field is taken to be in epoch milliseconds, which is why the gap is divided by 1000; adjust or drop the division if your timestamps are in seconds. streamstats processes events in the order it receives them, so the search sorts by timestamp first (sort 0 lifts the default row limit). With current=f, last(timestamp) is the timestamp of the previous request in the same group, so gap is the interval between consecutive requests; without it the last value would be the current event itself and the gap would measure time since the first request rather than the beacon interval. Grouping by srcip as well as dnsdomainname keeps two hosts that resolve the same domain from interleaving their gaps. In the output a beaconing pair shows a high count and a variancebeacon that is small relative to its avgbeacontime; the thresholds to apply depend on the environment and on how much jitter the implant adds.
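The same gap analysis as an added, stand-alone example (this is not code from the original page). It applies the idea behind the SPL rule above to a constructed DNS log excerpt and adds two things a practitioner normally wants: a minimum number of observations before a source/domain pair is scored, and a scale-free regularity measure (coefficient of variation, stdev divided by mean) so that a 60-second beacon with 1 second of jitter and a one-hour beacon with a minute of jitter are judged by the same threshold. The log format, the hosts and domains (beacon.example.net, www.example.com, cdn.example.org) and the thresholds MIN_GAPS and MAX_CV are all assumptions made for the example.

```python
"""Inter-request gap analysis for DNS beacon detection (added example)."""
import statistics
from collections import defaultdict

# Constructed sample log, not real traffic. One request per line:
#   <epoch-ms timestamp> <srcip> <dnsdomainname>
# 10.0.0.5 resolves beacon.example.net every ~60 s (+/- 1 s jitter) while
# browsing www.example.com at irregular intervals; 10.0.0.7 resolves the
# beacon domain once and cdn.example.org twice. Lines are in arrival order.
SAMPLE_LOG = """
1709287200000 10.0.0.5 beacon.example.net
1709287203000 10.0.0.5 www.example.com
1709287208000 10.0.0.5 www.example.com
1709287210000 10.0.0.7 cdn.example.org
1709287230000 10.0.0.7 beacon.example.net
1709287260000 10.0.0.5 beacon.example.net
1709287270000 10.0.0.7 cdn.example.org
1709287295000 10.0.0.5 www.example.com
1709287300000 10.0.0.5 www.example.com
1709287321000 10.0.0.5 beacon.example.net
1709287380000 10.0.0.5 beacon.example.net
1709287441000 10.0.0.5 beacon.example.net
1709287450000 10.0.0.5 www.example.com
1709287500000 10.0.0.5 beacon.example.net
"""

MIN_GAPS = 4   # assumed: fewer gaps than this is too little to call periodicity
MAX_CV = 0.2   # assumed: stdev/mean at or below this counts as "regular"


def parse_line(line):
    """Split one log line into (timestamp_ms, srcip, domain)."""
    ts, src, domain = line.split()
    return int(ts), src, domain.lower().rstrip(".")


def inter_request_gaps(lines):
    """Group requests by (srcip, domain) and return, per group, the gaps in
    seconds between consecutive requests. Each group is sorted by time first
    because log lines are not guaranteed to arrive in order."""
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, domain = parse_line(line)
        by_pair[(src, domain)].append(ts)
    gaps = {}
    for key, times in by_pair.items():
        times.sort()
        gaps[key] = [(later - earlier) / 1000 for earlier, later in zip(times, times[1:])]
    return gaps


def beacon_stats(gaps, min_gaps=MIN_GAPS):
    """Per (srcip, domain): request count, mean gap, population variance of
    the gap and coefficient of variation. Pairs with too few gaps are skipped
    rather than scored, so a domain seen twice is never flagged."""
    stats = {}
    for key, g in gaps.items():
        if len(g) < min_gaps:
            continue
        mean = statistics.fmean(g)
        var = statistics.pvariance(g)
        # mean == 0 means every request carried the same timestamp (a burst of
        # duplicates such as retries), which is not a timer-driven beacon.
        cv = (var ** 0.5) / mean if mean > 0 else float("inf")
        stats[key] = {"count": len(g) + 1, "avgbeacontime": mean,
                      "variancebeacon": var, "cv": cv}
    return stats


def find_beacons(lines, min_gaps=MIN_GAPS, max_cv=MAX_CV):
    """Return the (srcip, domain) pairs whose inter-request gaps are regular
    enough to look like a beacon, most regular first."""
    scored = beacon_stats(inter_request_gaps(lines), min_gaps)
    hits = [(key, s) for key, s in scored.items() if s["cv"] <= max_cv]
    hits.sort(key=lambda item: item[1]["cv"])
    return [key for key, _ in hits]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, s in beacon_stats(inter_request_gaps(lines)).items():
        print(f"{key[0]:<10} {key[1]:<20} n={s['count']:<3} "
              f"avg={s['avgbeacontime']:8.2f}s var={s['variancebeacon']:9.2f} cv={s['cv']:.3f}")
    print("beacon candidates:", find_beacons(lines))
```

On the sample, only 10.0.0.5 / beacon.example.net is reported (mean gap 60 s, variance 0.8, CV about 0.015); www.example.com is scored but rejected because its gaps vary wildly, and the two 10.0.0.7 pairs are never scored for lack of observations. Two caveats apply to this and to the SPL rule alike. First, the logs have to be taken where the queries actually leave the host or the resolver: a stub resolver or a caching resolver answers repeated lookups from cache until the TTL expires, so the gaps you observe upstream reflect the record's TTL rather than the implant's timer. Second, an implant that adds large random jitter will exceed a tight CV threshold; loosening it raises false positives from legitimate periodic clients (update checkers, monitoring agents), so whitelist those by domain rather than by relaxing the rule.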