Managed Sentinel – Alert 026
| Field | Value |
|---|---|
| Alert ID | MS-A026 |
| Alert Name | DNS Full Name anomalous lookup increase (Outlier) |
| Description | Flags any ClientIP whose number of lookups of a given full DNS name today is three times or more that ClientIP's daily average for the same name over the previous week. A sudden jump in lookups of one name can indicate excessive traffic to that destination, which may be a sign of data being transferred out of your network. Source: GitHub - Microsoft |
| Severity Level | Informational |
| Threat Indicator | Data Theft |
| MITRE ATT&CK Tactics | Command and Control, Exfiltration |
| Log sources | DNS Logs |
| False Positives | Unknown |
| Recommendations | Review the firewall and web proxy logs for the ClientIP that made the anomalous lookups, correlating on the resolved name and the time window of the spike. If the traffic cannot be explained by a legitimate job (for example a scheduled update or backup), quarantine the suspected host and perform a full antimalware scan. |
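
Worked example of the detection logic described above, added here as an illustration; it is not the Microsoft KQL rule or Managed Sentinel code. It re-implements the outlier test in Python over constructed DNS lookup records: for each (ClientIP, Name) pair, today's lookup count is compared with the daily average over the previous seven days (total baseline lookups divided by seven, so days with no lookups count as zero), and pairs at or above three times that average are reported. Events older than the lookback window are ignored. A pair with no lookups at all in the baseline week has an undefined ratio, so the example reports those separately instead of dividing by zero; a new destination with no history is worth a manual look in its own right. The sample date, IP addresses, host names and helper names (build_sample_logs, find_lookup_outliers, run_sample) are assumptions made for this example.

```python
"""Python re-implementation of the MS-A026 outlier test (added example, not the
production KQL rule). All input data below is constructed, not real telemetry."""
from collections import Counter
from datetime import date, datetime, timedelta

LOOKBACK_DAYS = 7   # baseline window: the seven days before "today"
THRESHOLD = 3.0     # today's count must be >= THRESHOLD x daily baseline average
SAMPLE_TODAY = date(2024, 1, 15)  # assumed "today" for the sample data


def build_sample_logs(today):
    """Constructed DNS lookup events as (TimeGenerated, ClientIP, Name) tuples."""
    events = []

    def add(day, ip, name, n):
        # n lookups of `name` from `ip`, one minute apart, on the given day
        start = datetime.combine(day, datetime.min.time())
        for i in range(n):
            events.append((start + timedelta(minutes=i), ip, name))

    for d in range(1, LOOKBACK_DAYS + 1):
        day = today - timedelta(days=d)
        add(day, "10.0.0.5", "files.example.net", 2)   # steady baseline, 2/day
        add(day, "10.0.0.9", "cdn.example.com", 5)     # steady baseline, 5/day
    add(today, "10.0.0.5", "files.example.net", 10)    # 10 vs avg 2 -> 5x: outlier
    add(today, "10.0.0.9", "cdn.example.com", 8)       # 8 vs avg 5 -> 1.6x: normal
    add(today, "10.0.0.7", "new-host.example.org", 4)  # no baseline at all
    # A burst outside the lookback window: must not influence the baseline
    add(today - timedelta(days=LOOKBACK_DAYS + 3), "10.0.0.5", "files.example.net", 50)
    return events


def find_lookup_outliers(events, today, lookback_days=LOOKBACK_DAYS, threshold=THRESHOLD):
    """Return (outliers, no_baseline).

    outliers: (ClientIP, Name) pairs whose lookup count today is at least
    `threshold` times the daily average over the previous `lookback_days` days,
    sorted by ratio, highest first.
    no_baseline: pairs seen today with zero baseline lookups; the ratio is
    undefined for those, so they are listed separately for manual review.
    """
    window_start = today - timedelta(days=lookback_days)
    today_counts = Counter()
    baseline_counts = Counter()
    for ts, ip, name in events:
        day = ts.date()
        if day == today:
            today_counts[(ip, name)] += 1
        elif window_start <= day < today:
            baseline_counts[(ip, name)] += 1
        # anything before window_start (or in the future) is ignored

    outliers, no_baseline = [], []
    for (ip, name), n_today in today_counts.items():
        avg = baseline_counts[(ip, name)] / lookback_days
        if avg == 0:
            no_baseline.append({"ClientIP": ip, "Name": name, "today": n_today})
            continue
        if n_today >= threshold * avg:
            outliers.append({"ClientIP": ip, "Name": name, "today": n_today,
                             "baseline_avg": avg, "ratio": n_today / avg})
    outliers.sort(key=lambda r: r["ratio"], reverse=True)
    return outliers, no_baseline


def run_sample():
    """Run the detection over the constructed sample for SAMPLE_TODAY."""
    return find_lookup_outliers(build_sample_logs(SAMPLE_TODAY), SAMPLE_TODAY)


if __name__ == "__main__":
    outliers, fresh = run_sample()
    for r in outliers:
        print(f"OUTLIER {r['ClientIP']} -> {r['Name']}: {r['today']} today, "
              f"baseline avg {r['baseline_avg']:.1f}/day, ratio {r['ratio']:.1f}x")
    for r in fresh:
        print(f"NO BASELINE {r['ClientIP']} -> {r['Name']}: {r['today']} today")
```

Running the block lists 10.0.0.5 looking up files.example.net as the single outlier (10 lookups against a baseline of 2 per day), leaves cdn.example.com alone, and reports new-host.example.org under "no baseline". Lowering THRESHOLD or shortening LOOKBACK_DAYS makes the rule noisier; a practitioner tuning the real rule would start from the same two knobs.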
