Overview
SOC Analytics provides security operations centers with powerful threat hunting and incident response capabilities. Features include IOC correlation, behavioral analytics, SIEM integration, and MITRE ATT&CK mapping. Requires Commercial tier ($349/month) or higher.
1. IOC Correlation
Search and correlate Indicators of Compromise across DNS data.
GET `/api/v2/soc/ioc/search?indicator={value}&type={type}`
Supported IOC Types
- `domain` - Domain names
- `ip` - IP addresses
- `hash` - File hashes (correlation)
- `email` - Email addresses
Example
```bash
curl "https://www.dnsscience.io/api/v2/soc/ioc/search?indicator=malware.com&type=domain" \
  -H "X-API-Key: YOUR_API_KEY"
```
Response
```json
{
  "indicator": "malware.com",
  "type": "domain",
  "matches": [
    {
      "source": "passive_dns",
      "first_seen": "2024-01-15",
      "last_seen": "2024-11-20",
      "related_ips": ["192.0.2.1"],
      "tags": ["malware", "c2"]
    }
  ],
  "mitre_techniques": ["T1071.004", "T1568.002"]
}
```
2. Behavioral Analytics
Detect anomalous DNS behavior patterns.
GET `/api/v2/soc/behavioral/anomalies?hours={hours}`
Detected Anomaly Types
| Type | Description | MITRE ATT&CK |
|---|---|---|
| DNS Tunneling | High entropy/long subdomains | T1048.003 |
| DGA Activity | Algorithmically generated domains | T1568.002 |
| Fast Flux | Rapid IP rotation | T1568.001 |
| Beaconing | Periodic C2 communication | T1071.004 |
3. SIEM Integration
Export events in SIEM-compatible formats.
GET `/api/v2/soc/siem/events?format={format}&hours={hours}`
Supported Formats
- `cef` - Common Event Format (ArcSight)
- `leef` - Log Event Extended Format (QRadar)
- `json` - JSON (Splunk, Elastic)
Example
```bash
curl "https://www.dnsscience.io/api/v2/soc/siem/events?format=cef&hours=24" \
  -H "X-API-Key: YOUR_API_KEY"
```
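The IOC Correlation response above and the CEF export format in this section meet in a common SOC task: forwarding correlation hits to a SIEM that only speaks CEF. This added example (not part of the dnsscience.io API or its docs) turns the documented IOC search response into CEF:0 events with the ATT&CK technique IDs carried as custom strings; the vendor/product/version strings, the CEF field choices and the severity rule are assumptions, and the response is embedded inline so it runs without an API key.

```python
import json
from datetime import datetime, timezone

# Constructed: the documented /api/v2/soc/ioc/search response for malware.com,
# embedded inline so the example runs offline.
SAMPLE_RESPONSE = json.dumps({
    "indicator": "malware.com", "type": "domain",
    "matches": [{"source": "passive_dns", "first_seen": "2024-01-15",
                 "last_seen": "2024-11-20", "related_ips": ["192.0.2.1"],
                 "tags": ["malware", "c2"]}],
    "mitre_techniques": ["T1071.004", "T1568.002"],
})


def cef_header_escape(value: str) -> str:
    """CEF header fields: escape backslash first, then the '|' separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def epoch_ms(day: str) -> int:
    """CEF start/end take epoch milliseconds; the API returns YYYY-MM-DD dates (treated as UTC)."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp() * 1000)


def severity_for(tags: list[str]) -> int:
    """Assumed severity rule (not from the API): c2 -> 9, other malware -> 7, else 3."""
    return 9 if "c2" in tags else 7 if "malware" in tags else 3


def ioc_response_to_cef(raw: str) -> list[str]:
    """Emit one CEF:0 line per match carrying the IOC, first related IP and ATT&CK IDs."""
    data = json.loads(raw)
    indicator, techniques = data["indicator"], ",".join(data.get("mitre_techniques", []))
    events = []
    for m in data.get("matches", []):
        tags = m.get("tags", [])
        # Vendor/product/version strings are assumptions, not values the API returns.
        header = "|".join(cef_header_escape(s) for s in (
            "dnsscience", "SOC Analytics", "v2", f"ioc_{data['type']}",
            f"IOC match: {indicator}", str(severity_for(tags))))
        ext = {"dhost": indicator, "dst": (m.get("related_ips") or [""])[0],
               "start": str(epoch_ms(m["first_seen"])), "end": str(epoch_ms(m["last_seen"])),
               "cs1Label": "tags", "cs1": ",".join(tags),
               "cs2Label": "mitreTechniques", "cs2": techniques,
               "cs3Label": "source", "cs3": m["source"]}
        events.append("CEF:0|" + header + "|" +
                      " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext.items()))
    return events
```

For live data, replace `SAMPLE_RESPONSE` with the body returned by the IOC search call shown in section 1; the SIEM export endpoint in this section already produces CEF directly, so this is mainly useful when you need to enrich IOC hits with fields the export does not carry.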
4. MITRE ATT&CK Mapping
Get technique mappings for detected threats.
GET `/api/v2/soc/mitre/techniques?domain={domain}`
Mapped Techniques
| Technique ID | Name | Tactic |
|---|---|---|
| T1071.004 | Application Layer Protocol: DNS | Command and Control |
| T1568.002 | Dynamic Resolution: DGA | Command and Control |
| T1048.003 | Exfiltration Over DNS | Exfiltration |
| T1568.001 | Fast Flux DNS | Command and Control |
5. Threat Hunting Queries
Pre-built queries for common threat hunting scenarios.
GET `/api/v2/soc/hunt/queries`

POST `/api/v2/soc/hunt/execute`
API Endpoints Summary
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v2/soc/ioc/search | IOC correlation search |
| GET | /api/v2/soc/behavioral/anomalies | Behavioral anomaly detection |
| GET | /api/v2/soc/siem/events | SIEM event export |
| GET | /api/v2/soc/mitre/techniques | MITRE ATT&CK mapping |
| GET | /api/v2/soc/hunt/queries | List hunting queries |
| POST | /api/v2/soc/hunt/execute | Execute hunting query |