You want to monitor your network for changes in resource type behavior, which can be an early sign of data exfiltration.
This sample search uses Stream DNS data. You can replace this source with any other DNS data used in your organization.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
eventtype="stream_dns" message_type="Query" | timechart span=1h count BY record_type
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
eventtype="stream_dns"
    Search only Stream DNS events.
message_type="Query"
    Search only for queries, not responses.
| timechart span=1h count BY record_type
    Display a table that shows, for each one-hour increment across the time range you set for the search, how many queries were made for each DNS record type.
Examine the results for changes in the types of records being queried. Watch A records and TXT records especially closely, as both are commonly used in command and control or exfiltration activity. If you have already identified a suspicious IP address, add it to the search to see whether it correlates with the changes in record types queried. You can also use the results to build a baseline or to set thresholds for alerts.
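As an added illustration that is not part of the original page or Splunk's own code, the following Python reproduces the search's hourly count-by-record-type logic offline over constructed Stream DNS-style events, then applies the baseline-and-threshold step the text suggests to flag hours where TXT lookups spike. The field names mirror the search; the sample events, the spike factor and the minimum count are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample events in the shape of Stream DNS records
    (timestamp, message_type, record_type); not captured traffic.
    Four quiet hours are followed by one hour in which TXT lookups jump."""
    events = []
    start = datetime(2024, 5, 1, 0, 0, 0)
    for hour in range(5):
        base = start + timedelta(hours=hour)
        for i in range(10):
            events.append((base + timedelta(minutes=5 * i), "Query", "A"))
        txt_queries = 12 if hour == 4 else 1
        for i in range(txt_queries):
            events.append((base + timedelta(minutes=4 * i + 1), "Query", "TXT"))
        # Responses exist in the data, but message_type="Query" drops them.
        events.append((base + timedelta(minutes=2), "Response", "A"))
    return events


def hourly_counts_by_record_type(events):
    """Offline equivalent of message_type="Query" | timechart span=1h count BY record_type:
    keep only queries and count record types per one-hour bucket."""
    buckets = defaultdict(Counter)
    for ts, message_type, record_type in events:
        if message_type != "Query":
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[hour][record_type] += 1
    return dict(buckets)


def flag_record_type_spikes(buckets, record_type, baseline_hours, factor=3.0, min_count=5):
    """Turn the timechart into an alert: the first baseline_hours buckets set a
    per-hour mean for record_type; later hours above factor * mean (and above
    min_count, so a near-zero baseline does not alert on noise) are returned."""
    hours = sorted(buckets)
    baseline = hours[:baseline_hours]
    mean = sum(buckets[h][record_type] for h in baseline) / max(len(baseline), 1)
    threshold = max(factor * mean, min_count)
    return [h for h in hours[baseline_hours:] if buckets[h][record_type] > threshold]


if __name__ == "__main__":
    counts = hourly_counts_by_record_type(build_sample_events())
    for hour in sorted(counts):
        print(hour.strftime("%Y-%m-%d %H:00"), dict(counts[hour]))
    print("TXT spikes:", flag_record_type_spikes(counts, "TXT", baseline_hours=4))
```

With the constructed sample, the four quiet hours give a TXT mean of one query per hour, so only the fifth hour (12 TXT queries) is flagged, while the steady A-record volume is not.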
Finally, you might be interested in other processes associated with the Monitoring a network for DNS exfiltration use case.