Checking for a threefold increase or more of Full Name lookup per ClientIP for today based on daily average for the previous week. This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network.
Source: Github - Microsoft
MITRE ATT&CK Tactics
Command and Control
It is recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the WannaCry requests.
Quarantine suspected host and perform a full antimalware scan.